Update OpenSSL 3 compatibility patches.
This is based on origina PR with official patches which landed in [ruby/openssl](https://github.com/ruby/openssl) repository and should reflect the state of OpenSSL 3 support in Ruby 3.1. Resolves: rhbz#1952925
This commit is contained in:
		
							parent
							
								
									fef07c3b45
								
							
						
					
					
						commit
						9b1bf40828
					
				
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										1004
									
								
								ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1004
									
								
								ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										630
									
								
								ruby-3.1.0-Allocate-EVP_PKEY-on-initialize.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										630
									
								
								ruby-3.1.0-Allocate-EVP_PKEY-on-initialize.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,630 @@ | |||||||
|  | From 316cb2a41f154e4663d7e7fead60cfc0bfa86af9 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 12 Apr 2021 13:55:10 +0900 | ||||||
|  | Subject: [PATCH 1/2] pkey: do not check NULL argument in ossl_pkey_new() | ||||||
|  | 
 | ||||||
|  | Passing NULL to ossl_pkey_new() makes no sense in the first place, and | ||||||
|  | in fact it is ensured not to be NULL in all cases. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 6 +----- | ||||||
|  |  ext/openssl/ossl_pkey.h | 1 + | ||||||
|  |  2 files changed, 2 insertions(+), 5 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index f9f5162e..820e4a2c 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -38,12 +38,8 @@ static VALUE
 | ||||||
|  |  pkey_new0(EVP_PKEY *pkey) | ||||||
|  |  { | ||||||
|  |      VALUE klass, obj; | ||||||
|  | -    int type;
 | ||||||
|  |   | ||||||
|  | -    if (!pkey || (type = EVP_PKEY_base_id(pkey)) == EVP_PKEY_NONE)
 | ||||||
|  | -	ossl_raise(rb_eRuntimeError, "pkey is empty");
 | ||||||
|  | -
 | ||||||
|  | -    switch (type) {
 | ||||||
|  | +    switch (EVP_PKEY_base_id(pkey)) {
 | ||||||
|  |  #if !defined(OPENSSL_NO_RSA) | ||||||
|  |        case EVP_PKEY_RSA: klass = cRSA; break; | ||||||
|  |  #endif | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
 | ||||||
|  | index 4beede22..f0476780 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.h
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.h
 | ||||||
|  | @@ -35,6 +35,7 @@ extern const rb_data_type_t ossl_evp_pkey_type;
 | ||||||
|  |      } \ | ||||||
|  |  } while (0) | ||||||
|  |   | ||||||
|  | +/* Takes ownership of the EVP_PKEY */
 | ||||||
|  |  VALUE ossl_pkey_new(EVP_PKEY *); | ||||||
|  |  void ossl_pkey_check_public_key(const EVP_PKEY *); | ||||||
|  |  EVP_PKEY *ossl_pkey_read_generic(BIO *, VALUE); | ||||||
|  | 
 | ||||||
|  | From 74f6c6175688502a5bf27ae35367616858630c0f Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 12 Apr 2021 18:32:40 +0900 | ||||||
|  | Subject: [PATCH 2/2] pkey: allocate EVP_PKEY on #initialize | ||||||
|  | 
 | ||||||
|  | Allocate an EVP_PKEY when the content is ready: when #initialize | ||||||
|  | or #initialize_copy is called, rather than when a T_DATA is allocated. | ||||||
|  | This is more natural because the lower level API has been deprecated | ||||||
|  | and an EVP_PKEY is becoming the minimum unit of handling keys. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c     | 15 ++---- | ||||||
|  |  ext/openssl/ossl_pkey.h     | 15 ++---- | ||||||
|  |  ext/openssl/ossl_pkey_dh.c  | 71 +++++++++++++++++++-------- | ||||||
|  |  ext/openssl/ossl_pkey_dsa.c | 93 ++++++++++++++++++++--------------- | ||||||
|  |  ext/openssl/ossl_pkey_ec.c  | 91 +++++++++++++++++++---------------- | ||||||
|  |  ext/openssl/ossl_pkey_rsa.c | 96 ++++++++++++++++++++++--------------- | ||||||
|  |  6 files changed, 218 insertions(+), 163 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index 820e4a2c..ea75d63f 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -54,8 +54,8 @@ pkey_new0(EVP_PKEY *pkey)
 | ||||||
|  |  #endif | ||||||
|  |        default:           klass = cPKey; break; | ||||||
|  |      } | ||||||
|  | -    obj = NewPKey(klass);
 | ||||||
|  | -    SetPKey(obj, pkey);
 | ||||||
|  | +    obj = rb_obj_alloc(klass);
 | ||||||
|  | +    RTYPEDDATA_DATA(obj) = pkey;
 | ||||||
|  |      return obj; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -511,16 +511,7 @@ DupPKeyPtr(VALUE obj)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_pkey_alloc(VALUE klass) | ||||||
|  |  { | ||||||
|  | -    EVP_PKEY *pkey;
 | ||||||
|  | -    VALUE obj;
 | ||||||
|  | -
 | ||||||
|  | -    obj = NewPKey(klass);
 | ||||||
|  | -    if (!(pkey = EVP_PKEY_new())) {
 | ||||||
|  | -	ossl_raise(ePKeyError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    SetPKey(obj, pkey);
 | ||||||
|  | -
 | ||||||
|  | -    return obj;
 | ||||||
|  | +    return TypedData_Wrap_Struct(klass, &ossl_evp_pkey_type, NULL);
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
 | ||||||
|  | index f0476780..ed18bc69 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.h
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.h
 | ||||||
|  | @@ -15,19 +15,10 @@ extern VALUE cPKey;
 | ||||||
|  |  extern VALUE ePKeyError; | ||||||
|  |  extern const rb_data_type_t ossl_evp_pkey_type; | ||||||
|  |   | ||||||
|  | -#define OSSL_PKEY_SET_PRIVATE(obj) rb_iv_set((obj), "private", Qtrue)
 | ||||||
|  | -#define OSSL_PKEY_SET_PUBLIC(obj)  rb_iv_set((obj), "private", Qfalse)
 | ||||||
|  | -#define OSSL_PKEY_IS_PRIVATE(obj)  (rb_iv_get((obj), "private") == Qtrue)
 | ||||||
|  | +/* For ENGINE */
 | ||||||
|  | +#define OSSL_PKEY_SET_PRIVATE(obj) rb_ivar_set((obj), rb_intern("private"), Qtrue)
 | ||||||
|  | +#define OSSL_PKEY_IS_PRIVATE(obj)  (rb_attr_get((obj), rb_intern("private")) == Qtrue)
 | ||||||
|  |   | ||||||
|  | -#define NewPKey(klass) \
 | ||||||
|  | -    TypedData_Wrap_Struct((klass), &ossl_evp_pkey_type, 0)
 | ||||||
|  | -#define SetPKey(obj, pkey) do { \
 | ||||||
|  | -    if (!(pkey)) { \
 | ||||||
|  | -	rb_raise(rb_eRuntimeError, "PKEY wasn't initialized!"); \
 | ||||||
|  | -    } \
 | ||||||
|  | -    RTYPEDDATA_DATA(obj) = (pkey); \
 | ||||||
|  | -    OSSL_PKEY_SET_PUBLIC(obj); \
 | ||||||
|  | -} while (0)
 | ||||||
|  |  #define GetPKey(obj, pkey) do {\ | ||||||
|  |      TypedData_Get_Struct((obj), EVP_PKEY, &ossl_evp_pkey_type, (pkey)); \ | ||||||
|  |      if (!(pkey)) { \ | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | index ca782bbe..04c11b21 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | @@ -72,34 +72,57 @@ static VALUE
 | ||||||
|  |  ossl_dh_initialize(int argc, VALUE *argv, VALUE self) | ||||||
|  |  { | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  | +    int type;
 | ||||||
|  |      DH *dh; | ||||||
|  | -    BIO *in;
 | ||||||
|  | +    BIO *in = NULL;
 | ||||||
|  |      VALUE arg; | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  | +
 | ||||||
|  |      /* The DH.new(size, generator) form is handled by lib/openssl/pkey.rb */ | ||||||
|  |      if (rb_scan_args(argc, argv, "01", &arg) == 0) { | ||||||
|  |          dh = DH_new(); | ||||||
|  |          if (!dh) | ||||||
|  |              ossl_raise(eDHError, "DH_new"); | ||||||
|  | +        goto legacy;
 | ||||||
|  |      } | ||||||
|  | -    else {
 | ||||||
|  | -	arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | -	in = ossl_obj2bio(&arg);
 | ||||||
|  | -	dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
 | ||||||
|  | -	if (!dh){
 | ||||||
|  | -	    OSSL_BIO_reset(in);
 | ||||||
|  | -	    dh = d2i_DHparams_bio(in, NULL);
 | ||||||
|  | -	}
 | ||||||
|  | -	BIO_free(in);
 | ||||||
|  | -	if (!dh) {
 | ||||||
|  | -	    ossl_raise(eDHError, NULL);
 | ||||||
|  | -	}
 | ||||||
|  | +
 | ||||||
|  | +    arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | +    in = ossl_obj2bio(&arg);
 | ||||||
|  | +
 | ||||||
|  | +    /*
 | ||||||
|  | +     * On OpenSSL <= 1.1.1 and current versions of LibreSSL, the generic
 | ||||||
|  | +     * routine does not support DER-encoded parameters
 | ||||||
|  | +     */
 | ||||||
|  | +    dh = d2i_DHparams_bio(in, NULL);
 | ||||||
|  | +    if (dh)
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    OSSL_BIO_reset(in);
 | ||||||
|  | +
 | ||||||
|  | +    pkey = ossl_pkey_read_generic(in, Qnil);
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    if (!pkey)
 | ||||||
|  | +        ossl_raise(eDHError, "could not parse pkey");
 | ||||||
|  | +
 | ||||||
|  | +    type = EVP_PKEY_base_id(pkey);
 | ||||||
|  | +    if (type != EVP_PKEY_DH) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        rb_raise(eDHError, "incorrect pkey type: %s", OBJ_nid2sn(type));
 | ||||||
|  |      } | ||||||
|  | -    if (!EVP_PKEY_assign_DH(pkey, dh)) {
 | ||||||
|  | -	DH_free(dh);
 | ||||||
|  | -	ossl_raise(eDHError, NULL);
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  | +    return self;
 | ||||||
|  | +
 | ||||||
|  | +  legacy:
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        DH_free(dh);
 | ||||||
|  | +        ossl_raise(eDHError, "EVP_PKEY_assign_DH");
 | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -110,15 +133,14 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
 | ||||||
|  |      DH *dh, *dh_other; | ||||||
|  |      const BIGNUM *pub, *priv; | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | -    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
 | ||||||
|  | -	ossl_raise(eDHError, "DH already initialized");
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |      GetDH(other, dh_other); | ||||||
|  |   | ||||||
|  |      dh = DHparams_dup(dh_other); | ||||||
|  |      if (!dh) | ||||||
|  |  	ossl_raise(eDHError, "DHparams_dup"); | ||||||
|  | -    EVP_PKEY_assign_DH(pkey, dh);
 | ||||||
|  |   | ||||||
|  |      DH_get0_key(dh_other, &pub, &priv); | ||||||
|  |      if (pub) { | ||||||
|  | @@ -133,6 +155,13 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
 | ||||||
|  |  	DH_set0_key(dh, pub2, priv2); | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_DH(pkey, dh) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        DH_free(dh);
 | ||||||
|  | +        ossl_raise(eDHError, "EVP_PKEY_assign_DH");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | index 7af00eeb..15724548 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | @@ -83,50 +83,59 @@ VALUE eDSAError;
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_dsa_initialize(int argc, VALUE *argv, VALUE self) | ||||||
|  |  { | ||||||
|  | -    EVP_PKEY *pkey, *tmp;
 | ||||||
|  | -    DSA *dsa = NULL;
 | ||||||
|  | -    BIO *in;
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  | +    DSA *dsa;
 | ||||||
|  | +    BIO *in = NULL;
 | ||||||
|  |      VALUE arg, pass; | ||||||
|  | +    int type;
 | ||||||
|  | +
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  |      /* The DSA.new(size, generator) form is handled by lib/openssl/pkey.rb */ | ||||||
|  |      rb_scan_args(argc, argv, "02", &arg, &pass); | ||||||
|  |      if (argc == 0) { | ||||||
|  |          dsa = DSA_new(); | ||||||
|  |          if (!dsa) | ||||||
|  |              ossl_raise(eDSAError, "DSA_new"); | ||||||
|  | +        goto legacy;
 | ||||||
|  |      } | ||||||
|  | -    else {
 | ||||||
|  | -	pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | -	arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | -	in = ossl_obj2bio(&arg);
 | ||||||
|  | -
 | ||||||
|  | -        tmp = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | -        if (tmp) {
 | ||||||
|  | -            if (EVP_PKEY_base_id(tmp) != EVP_PKEY_DSA)
 | ||||||
|  | -                rb_raise(eDSAError, "incorrect pkey type: %s",
 | ||||||
|  | -                         OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
 | ||||||
|  | -            dsa = EVP_PKEY_get1_DSA(tmp);
 | ||||||
|  | -            EVP_PKEY_free(tmp);
 | ||||||
|  | -        }
 | ||||||
|  | -	if (!dsa) {
 | ||||||
|  | -	    OSSL_BIO_reset(in);
 | ||||||
|  | -#define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
 | ||||||
|  | -	(d2i_of_void *)d2i_DSAPublicKey, PEM_STRING_DSA_PUBLIC, (bp), (void **)(x), (cb), (u))
 | ||||||
|  | -	    dsa = PEM_read_bio_DSAPublicKey(in, NULL, NULL, NULL);
 | ||||||
|  | -#undef PEM_read_bio_DSAPublicKey
 | ||||||
|  | -	}
 | ||||||
|  | -	BIO_free(in);
 | ||||||
|  | -	if (!dsa) {
 | ||||||
|  | -	    ossl_clear_error();
 | ||||||
|  | -	    ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
 | ||||||
|  | -	}
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!EVP_PKEY_assign_DSA(pkey, dsa)) {
 | ||||||
|  | -	DSA_free(dsa);
 | ||||||
|  | -	ossl_raise(eDSAError, NULL);
 | ||||||
|  | +
 | ||||||
|  | +    pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | +    arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | +    in = ossl_obj2bio(&arg);
 | ||||||
|  | +
 | ||||||
|  | +    /* DER-encoded DSAPublicKey format isn't supported by the generic routine */
 | ||||||
|  | +    dsa = (DSA *)PEM_ASN1_read_bio((d2i_of_void *)d2i_DSAPublicKey,
 | ||||||
|  | +                                   PEM_STRING_DSA_PUBLIC,
 | ||||||
|  | +                                   in, NULL, NULL, NULL);
 | ||||||
|  | +    if (dsa)
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    OSSL_BIO_reset(in);
 | ||||||
|  | +
 | ||||||
|  | +    pkey = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    if (!pkey)
 | ||||||
|  | +        ossl_raise(eDSAError, "Neither PUB key nor PRIV key");
 | ||||||
|  | +
 | ||||||
|  | +    type = EVP_PKEY_base_id(pkey);
 | ||||||
|  | +    if (type != EVP_PKEY_DSA) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
 | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  | +    return self;
 | ||||||
|  |   | ||||||
|  | +  legacy:
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        DSA_free(dsa);
 | ||||||
|  | +        ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -136,16 +145,24 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
 | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  |      DSA *dsa, *dsa_new; | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | -    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
 | ||||||
|  | -	ossl_raise(eDSAError, "DSA already initialized");
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |      GetDSA(other, dsa); | ||||||
|  |   | ||||||
|  | -    dsa_new = ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, (d2i_of_void *)d2i_DSAPrivateKey, (char *)dsa);
 | ||||||
|  | +    dsa_new = (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey,
 | ||||||
|  | +                              (d2i_of_void *)d2i_DSAPrivateKey,
 | ||||||
|  | +                              (char *)dsa);
 | ||||||
|  |      if (!dsa_new) | ||||||
|  |  	ossl_raise(eDSAError, "ASN1_dup"); | ||||||
|  |   | ||||||
|  | -    EVP_PKEY_assign_DSA(pkey, dsa_new);
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_DSA(pkey, dsa_new) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        DSA_free(dsa_new);
 | ||||||
|  | +        ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | index db80d112..71e63969 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | @@ -114,13 +114,16 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
 | ||||||
|  |      VALUE obj; | ||||||
|  |   | ||||||
|  |      obj = rb_obj_alloc(klass); | ||||||
|  | -    GetPKey(obj, pkey);
 | ||||||
|  |   | ||||||
|  |      ec = ec_key_new_from_group(arg); | ||||||
|  | -    if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  |          EC_KEY_free(ec); | ||||||
|  |          ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY"); | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(obj) = pkey;
 | ||||||
|  | +
 | ||||||
|  |      if (!EC_KEY_generate_key(ec)) | ||||||
|  |  	ossl_raise(eECError, "EC_KEY_generate_key"); | ||||||
|  |   | ||||||
|  | @@ -141,51 +144,54 @@ ossl_ec_key_s_generate(VALUE klass, VALUE arg)
 | ||||||
|  |  static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self) | ||||||
|  |  { | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  | -    EC_KEY *ec = NULL;
 | ||||||
|  | +    EC_KEY *ec;
 | ||||||
|  | +    BIO *in;
 | ||||||
|  |      VALUE arg, pass; | ||||||
|  | +    int type;
 | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | -    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
 | ||||||
|  | -        ossl_raise(eECError, "EC_KEY already initialized");
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |   | ||||||
|  |      rb_scan_args(argc, argv, "02", &arg, &pass); | ||||||
|  | -
 | ||||||
|  |      if (NIL_P(arg)) { | ||||||
|  |          if (!(ec = EC_KEY_new())) | ||||||
|  | -	    ossl_raise(eECError, NULL);
 | ||||||
|  | -    } else if (rb_obj_is_kind_of(arg, cEC)) {
 | ||||||
|  | -	EC_KEY *other_ec = NULL;
 | ||||||
|  | +            ossl_raise(eECError, "EC_KEY_new");
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    }
 | ||||||
|  | +    else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
 | ||||||
|  | +        ec = ec_key_new_from_group(arg);
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    }
 | ||||||
|  |   | ||||||
|  | -	GetEC(arg, other_ec);
 | ||||||
|  | -	if (!(ec = EC_KEY_dup(other_ec)))
 | ||||||
|  | -	    ossl_raise(eECError, NULL);
 | ||||||
|  | -    } else if (rb_obj_is_kind_of(arg, cEC_GROUP)) {
 | ||||||
|  | -	ec = ec_key_new_from_group(arg);
 | ||||||
|  | -    } else {
 | ||||||
|  | -        BIO *in = ossl_obj2bio(&arg);
 | ||||||
|  | -        EVP_PKEY *tmp;
 | ||||||
|  | -        pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | -        tmp = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | -        if (tmp) {
 | ||||||
|  | -            if (EVP_PKEY_base_id(tmp) != EVP_PKEY_EC)
 | ||||||
|  | -                rb_raise(eECError, "incorrect pkey type: %s",
 | ||||||
|  | -                         OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
 | ||||||
|  | -            ec = EVP_PKEY_get1_EC_KEY(tmp);
 | ||||||
|  | -            EVP_PKEY_free(tmp);
 | ||||||
|  | -        }
 | ||||||
|  | -	BIO_free(in);
 | ||||||
|  | +    pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | +    arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | +    in = ossl_obj2bio(&arg);
 | ||||||
|  |   | ||||||
|  | -	if (!ec) {
 | ||||||
|  | -	    ossl_clear_error();
 | ||||||
|  | -	    ec = ec_key_new_from_group(arg);
 | ||||||
|  | -	}
 | ||||||
|  | +    pkey = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    if (!pkey) {
 | ||||||
|  | +        ossl_clear_error();
 | ||||||
|  | +        ec = ec_key_new_from_group(arg);
 | ||||||
|  | +        goto legacy;
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | -    if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) {
 | ||||||
|  | -	EC_KEY_free(ec);
 | ||||||
|  | -	ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
 | ||||||
|  | +    type = EVP_PKEY_base_id(pkey);
 | ||||||
|  | +    if (type != EVP_PKEY_EC) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        rb_raise(eDSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
 | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  | +    return self;
 | ||||||
|  |   | ||||||
|  | +  legacy:
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        EC_KEY_free(ec);
 | ||||||
|  | +        ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -195,18 +201,21 @@ ossl_ec_key_initialize_copy(VALUE self, VALUE other)
 | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  |      EC_KEY *ec, *ec_new; | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | -    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
 | ||||||
|  | -	ossl_raise(eECError, "EC already initialized");
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |      GetEC(other, ec); | ||||||
|  |   | ||||||
|  |      ec_new = EC_KEY_dup(ec); | ||||||
|  |      if (!ec_new) | ||||||
|  |  	ossl_raise(eECError, "EC_KEY_dup"); | ||||||
|  | -    if (!EVP_PKEY_assign_EC_KEY(pkey, ec_new)) {
 | ||||||
|  | -	EC_KEY_free(ec_new);
 | ||||||
|  | -	ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
 | ||||||
|  | +
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec_new) != 1) {
 | ||||||
|  | +        EC_KEY_free(ec_new);
 | ||||||
|  | +        ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY");
 | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | index 8ebd3ec5..b8dbc0e1 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | @@ -76,51 +76,62 @@ VALUE eRSAError;
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_rsa_initialize(int argc, VALUE *argv, VALUE self) | ||||||
|  |  { | ||||||
|  | -    EVP_PKEY *pkey, *tmp;
 | ||||||
|  | -    RSA *rsa = NULL;
 | ||||||
|  | -    BIO *in;
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  | +    RSA *rsa;
 | ||||||
|  | +    BIO *in = NULL;
 | ||||||
|  |      VALUE arg, pass; | ||||||
|  | +    int type;
 | ||||||
|  | +
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  |      /* The RSA.new(size, generator) form is handled by lib/openssl/pkey.rb */ | ||||||
|  |      rb_scan_args(argc, argv, "02", &arg, &pass); | ||||||
|  |      if (argc == 0) { | ||||||
|  |  	rsa = RSA_new(); | ||||||
|  |          if (!rsa) | ||||||
|  |              ossl_raise(eRSAError, "RSA_new"); | ||||||
|  | +        goto legacy;
 | ||||||
|  |      } | ||||||
|  | -    else {
 | ||||||
|  | -	pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | -	arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | -	in = ossl_obj2bio(&arg);
 | ||||||
|  | -
 | ||||||
|  | -        tmp = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | -        if (tmp) {
 | ||||||
|  | -            if (EVP_PKEY_base_id(tmp) != EVP_PKEY_RSA)
 | ||||||
|  | -                rb_raise(eRSAError, "incorrect pkey type: %s",
 | ||||||
|  | -                         OBJ_nid2sn(EVP_PKEY_base_id(tmp)));
 | ||||||
|  | -            rsa = EVP_PKEY_get1_RSA(tmp);
 | ||||||
|  | -            EVP_PKEY_free(tmp);
 | ||||||
|  | -        }
 | ||||||
|  | -	if (!rsa) {
 | ||||||
|  | -	    OSSL_BIO_reset(in);
 | ||||||
|  | -	    rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
 | ||||||
|  | -	}
 | ||||||
|  | -	if (!rsa) {
 | ||||||
|  | -	    OSSL_BIO_reset(in);
 | ||||||
|  | -	    rsa = d2i_RSAPublicKey_bio(in, NULL);
 | ||||||
|  | -	}
 | ||||||
|  | -	BIO_free(in);
 | ||||||
|  | -	if (!rsa) {
 | ||||||
|  | -            ossl_clear_error();
 | ||||||
|  | -	    ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
 | ||||||
|  | -	}
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
 | ||||||
|  | -	RSA_free(rsa);
 | ||||||
|  | -	ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
 | ||||||
|  | +
 | ||||||
|  | +    pass = ossl_pem_passwd_value(pass);
 | ||||||
|  | +    arg = ossl_to_der_if_possible(arg);
 | ||||||
|  | +    in = ossl_obj2bio(&arg);
 | ||||||
|  | +
 | ||||||
|  | +    /* First try RSAPublicKey format */
 | ||||||
|  | +    rsa = d2i_RSAPublicKey_bio(in, NULL);
 | ||||||
|  | +    if (rsa)
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    OSSL_BIO_reset(in);
 | ||||||
|  | +    rsa = PEM_read_bio_RSAPublicKey(in, NULL, NULL, NULL);
 | ||||||
|  | +    if (rsa)
 | ||||||
|  | +        goto legacy;
 | ||||||
|  | +    OSSL_BIO_reset(in);
 | ||||||
|  | +
 | ||||||
|  | +    /* Use the generic routine */
 | ||||||
|  | +    pkey = ossl_pkey_read_generic(in, pass);
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    if (!pkey)
 | ||||||
|  | +        ossl_raise(eRSAError, "Neither PUB key nor PRIV key");
 | ||||||
|  | +
 | ||||||
|  | +    type = EVP_PKEY_base_id(pkey);
 | ||||||
|  | +    if (type != EVP_PKEY_RSA) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        rb_raise(eRSAError, "incorrect pkey type: %s", OBJ_nid2sn(type));
 | ||||||
|  |      } | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  | +    return self;
 | ||||||
|  |   | ||||||
|  | +  legacy:
 | ||||||
|  | +    BIO_free(in);
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        RSA_free(rsa);
 | ||||||
|  | +        ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -130,16 +141,23 @@ ossl_rsa_initialize_copy(VALUE self, VALUE other)
 | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  |      RSA *rsa, *rsa_new; | ||||||
|  |   | ||||||
|  | -    GetPKey(self, pkey);
 | ||||||
|  | -    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_NONE)
 | ||||||
|  | -	ossl_raise(eRSAError, "RSA already initialized");
 | ||||||
|  | +    TypedData_Get_Struct(self, EVP_PKEY, &ossl_evp_pkey_type, pkey);
 | ||||||
|  | +    if (pkey)
 | ||||||
|  | +        rb_raise(rb_eTypeError, "pkey already initialized");
 | ||||||
|  |      GetRSA(other, rsa); | ||||||
|  |   | ||||||
|  | -    rsa_new = ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey, (d2i_of_void *)d2i_RSAPrivateKey, (char *)rsa);
 | ||||||
|  | +    rsa_new = (RSA *)ASN1_dup((i2d_of_void *)i2d_RSAPrivateKey,
 | ||||||
|  | +                              (d2i_of_void *)d2i_RSAPrivateKey,
 | ||||||
|  | +                              (char *)rsa);
 | ||||||
|  |      if (!rsa_new) | ||||||
|  |  	ossl_raise(eRSAError, "ASN1_dup"); | ||||||
|  |   | ||||||
|  | -    EVP_PKEY_assign_RSA(pkey, rsa_new);
 | ||||||
|  | +    pkey = EVP_PKEY_new();
 | ||||||
|  | +    if (!pkey || EVP_PKEY_assign_RSA(pkey, rsa_new) != 1) {
 | ||||||
|  | +        RSA_free(rsa_new);
 | ||||||
|  | +        ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
 | ||||||
|  | +    }
 | ||||||
|  | +    RTYPEDDATA_DATA(self) = pkey;
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  | 
 | ||||||
| @ -0,0 +1,358 @@ | |||||||
|  | From f2cf3afc6fa1e13e960f732c0bc658ad408ee219 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 12 Jun 2020 14:12:59 +0900 | ||||||
|  | Subject: [PATCH 1/3] pkey: fix potential memory leak in PKey#sign | ||||||
|  | 
 | ||||||
|  | Fix potential leak of EVP_MD_CTX object in an error path. This path is | ||||||
|  | normally unreachable, since the size of a signature generated by any | ||||||
|  | supported algorithms would not be larger than LONG_MAX. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 8 ++++++-- | ||||||
|  |  1 file changed, 6 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index df8b425a0f..7488190e0e 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -777,8 +777,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
 | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  |          ossl_raise(ePKeyError, "EVP_DigestSign"); | ||||||
|  |      } | ||||||
|  | -    if (siglen > LONG_MAX)
 | ||||||
|  | +    if (siglen > LONG_MAX) {
 | ||||||
|  | +        EVP_MD_CTX_free(ctx);
 | ||||||
|  |          rb_raise(ePKeyError, "signature would be too large"); | ||||||
|  | +    }
 | ||||||
|  |      sig = ossl_str_new(NULL, (long)siglen, &state); | ||||||
|  |      if (state) { | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  | @@ -799,8 +801,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
 | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  |          ossl_raise(ePKeyError, "EVP_DigestSignFinal"); | ||||||
|  |      } | ||||||
|  | -    if (siglen > LONG_MAX)
 | ||||||
|  | +    if (siglen > LONG_MAX) {
 | ||||||
|  | +        EVP_MD_CTX_free(ctx);
 | ||||||
|  |          rb_raise(ePKeyError, "signature would be too large"); | ||||||
|  | +    }
 | ||||||
|  |      sig = ossl_str_new(NULL, (long)siglen, &state); | ||||||
|  |      if (state) { | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 8b30ce20eb9e03180c28288e29a96308e594f860 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 2 Apr 2021 23:58:48 +0900 | ||||||
|  | Subject: [PATCH 2/3] pkey: prepare pkey_ctx_apply_options() for usage by other | ||||||
|  |  operations | ||||||
|  | 
 | ||||||
|  | The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used | ||||||
|  | by key generation, but it is useful for other operations too. Let's | ||||||
|  | change it to a slightly more generic name. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 22 ++++++++++++++-------- | ||||||
|  |  1 file changed, 14 insertions(+), 8 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index 7488190e0e..fed4a2b81f 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -198,7 +198,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  static VALUE | ||||||
|  | -pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
 | ||||||
|  | +pkey_ctx_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
 | ||||||
|  |  { | ||||||
|  |      VALUE key = rb_ary_entry(i, 0), value = rb_ary_entry(i, 1); | ||||||
|  |      EVP_PKEY_CTX *ctx = (EVP_PKEY_CTX *)ctx_v; | ||||||
|  | @@ -214,15 +214,25 @@ pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  static VALUE | ||||||
|  | -pkey_gen_apply_options0(VALUE args_v)
 | ||||||
|  | +pkey_ctx_apply_options0(VALUE args_v)
 | ||||||
|  |  { | ||||||
|  |      VALUE *args = (VALUE *)args_v; | ||||||
|  |   | ||||||
|  |      rb_block_call(args[1], rb_intern("each"), 0, NULL, | ||||||
|  | -                  pkey_gen_apply_options_i, args[0]);
 | ||||||
|  | +                  pkey_ctx_apply_options_i, args[0]);
 | ||||||
|  |      return Qnil; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static void
 | ||||||
|  | +pkey_ctx_apply_options(EVP_PKEY_CTX *ctx, VALUE options, int *state)
 | ||||||
|  | +{
 | ||||||
|  | +    VALUE args[2];
 | ||||||
|  | +    args[0] = (VALUE)ctx;
 | ||||||
|  | +    args[1] = options;
 | ||||||
|  | +
 | ||||||
|  | +    rb_protect(pkey_ctx_apply_options0, (VALUE)args, state);
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  struct pkey_blocking_generate_arg { | ||||||
|  |      EVP_PKEY_CTX *ctx; | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  | @@ -330,11 +340,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      if (!NIL_P(options)) { | ||||||
|  | -        VALUE args[2];
 | ||||||
|  | -
 | ||||||
|  | -        args[0] = (VALUE)ctx;
 | ||||||
|  | -        args[1] = options;
 | ||||||
|  | -        rb_protect(pkey_gen_apply_options0, (VALUE)args, &state);
 | ||||||
|  | +        pkey_ctx_apply_options(ctx, options, &state);
 | ||||||
|  |          if (state) { | ||||||
|  |              EVP_PKEY_CTX_free(ctx); | ||||||
|  |              rb_jump_tag(state); | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 4c7b0f91da666961d11908b94520db4e09ce4e67 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 18 Jul 2020 20:40:39 +0900 | ||||||
|  | Subject: [PATCH 3/3] pkey: allow setting algorithm-specific options in #sign | ||||||
|  |  and #verify | ||||||
|  | 
 | ||||||
|  | Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let | ||||||
|  | OpenSSL::PKey::PKey#sign and #verify take an optional parameter for | ||||||
|  | specifying control strings for EVP_PKEY_CTX_ctrl_str(). | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c       | 113 ++++++++++++++++++++++------------ | ||||||
|  |  test/openssl/test_pkey_rsa.rb |  34 +++++----- | ||||||
|  |  2 files changed, 89 insertions(+), 58 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index fed4a2b81f..22e9f19982 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -739,33 +739,51 @@ ossl_pkey_public_to_pem(VALUE self)
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *      pkey.sign(digest, data) -> String
 | ||||||
|  | + * call-seq:
 | ||||||
|  | + *    pkey.sign(digest, data [, options]) -> string
 | ||||||
|  |   * | ||||||
|  | - * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must
 | ||||||
|  | - * be provided. The return value is again a String containing the signature.
 | ||||||
|  | - * A PKeyError is raised should errors occur.
 | ||||||
|  | - * Any previous state of the Digest instance is irrelevant to the signature
 | ||||||
|  | - * outcome, the digest instance is reset to its initial state during the
 | ||||||
|  | - * operation.
 | ||||||
|  | + * Hashes and signs the +data+ using a message digest algorithm +digest+ and
 | ||||||
|  | + * a private key +pkey+.
 | ||||||
|  |   * | ||||||
|  | - * == Example
 | ||||||
|  | - *   data = 'Sign me!'
 | ||||||
|  | - *   digest = OpenSSL::Digest.new('SHA256')
 | ||||||
|  | - *   pkey = OpenSSL::PKey::RSA.new(2048)
 | ||||||
|  | - *   signature = pkey.sign(digest, data)
 | ||||||
|  | + * See #verify for the verification operation.
 | ||||||
|  | + *
 | ||||||
|  | + * See also the man page EVP_DigestSign(3).
 | ||||||
|  | + *
 | ||||||
|  | + * +digest+::
 | ||||||
|  | + *   A String that represents the message digest algorithm name, or +nil+
 | ||||||
|  | + *   if the PKey type requires no digest algorithm.
 | ||||||
|  | + *   For backwards compatibility, this can be an instance of OpenSSL::Digest.
 | ||||||
|  | + *   Its state will not affect the signature.
 | ||||||
|  | + * +data+::
 | ||||||
|  | + *   A String. The data to be hashed and signed.
 | ||||||
|  | + * +options+::
 | ||||||
|  | + *   A Hash that contains algorithm specific control operations to \OpenSSL.
 | ||||||
|  | + *   See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.
 | ||||||
|  | + *   +options+ parameter was added in version 2.3.
 | ||||||
|  | + *
 | ||||||
|  | + * Example:
 | ||||||
|  | + *   data = "Sign me!"
 | ||||||
|  | + *   pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
 | ||||||
|  | + *   signopts = { rsa_padding_mode: "pss" }
 | ||||||
|  | + *   signature = pkey.sign("SHA256", data, signopts)
 | ||||||
|  | + *
 | ||||||
|  | + *   # Creates a copy of the RSA key pkey, but without the private components
 | ||||||
|  | + *   pub_key = pkey.public_key
 | ||||||
|  | + *   puts pub_key.verify("SHA256", signature, data, signopts) # => true
 | ||||||
|  |   */ | ||||||
|  |  static VALUE | ||||||
|  | -ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
 | ||||||
|  | +ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |  { | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  | +    VALUE digest, data, options, sig;
 | ||||||
|  |      const EVP_MD *md = NULL; | ||||||
|  |      EVP_MD_CTX *ctx; | ||||||
|  | +    EVP_PKEY_CTX *pctx;
 | ||||||
|  |      size_t siglen; | ||||||
|  |      int state; | ||||||
|  | -    VALUE sig;
 | ||||||
|  |   | ||||||
|  |      pkey = GetPrivPKeyPtr(self); | ||||||
|  | +    rb_scan_args(argc, argv, "21", &digest, &data, &options);
 | ||||||
|  |      if (!NIL_P(digest)) | ||||||
|  |          md = ossl_evp_get_digestbyname(digest); | ||||||
|  |      StringValue(data); | ||||||
|  | @@ -773,10 +791,17 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
 | ||||||
|  |      ctx = EVP_MD_CTX_new(); | ||||||
|  |      if (!ctx) | ||||||
|  |          ossl_raise(ePKeyError, "EVP_MD_CTX_new"); | ||||||
|  | -    if (EVP_DigestSignInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
 | ||||||
|  | +    if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
 | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  |          ossl_raise(ePKeyError, "EVP_DigestSignInit"); | ||||||
|  |      } | ||||||
|  | +    if (!NIL_P(options)) {
 | ||||||
|  | +        pkey_ctx_apply_options(pctx, options, &state);
 | ||||||
|  | +        if (state) {
 | ||||||
|  | +            EVP_MD_CTX_free(ctx);
 | ||||||
|  | +            rb_jump_tag(state);
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  |  #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) | ||||||
|  |      if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data), | ||||||
|  |                         RSTRING_LEN(data)) < 1) { | ||||||
|  | @@ -828,35 +853,40 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *      pkey.verify(digest, signature, data) -> String
 | ||||||
|  | + * call-seq:
 | ||||||
|  | + *    pkey.verify(digest, signature, data [, options]) -> true or false
 | ||||||
|  |   * | ||||||
|  | - * To verify the String _signature_, _digest_, an instance of
 | ||||||
|  | - * OpenSSL::Digest, must be provided to re-compute the message digest of the
 | ||||||
|  | - * original _data_, also a String. The return value is +true+ if the
 | ||||||
|  | - * signature is valid, +false+ otherwise. A PKeyError is raised should errors
 | ||||||
|  | - * occur.
 | ||||||
|  | - * Any previous state of the Digest instance is irrelevant to the validation
 | ||||||
|  | - * outcome, the digest instance is reset to its initial state during the
 | ||||||
|  | - * operation.
 | ||||||
|  | + * Verifies the +signature+ for the +data+ using a message digest algorithm
 | ||||||
|  | + * +digest+ and a public key +pkey+.
 | ||||||
|  |   * | ||||||
|  | - * == Example
 | ||||||
|  | - *   data = 'Sign me!'
 | ||||||
|  | - *   digest = OpenSSL::Digest.new('SHA256')
 | ||||||
|  | - *   pkey = OpenSSL::PKey::RSA.new(2048)
 | ||||||
|  | - *   signature = pkey.sign(digest, data)
 | ||||||
|  | - *   pub_key = pkey.public_key
 | ||||||
|  | - *   puts pub_key.verify(digest, signature, data) # => true
 | ||||||
|  | + * Returns +true+ if the signature is successfully verified, +false+ otherwise.
 | ||||||
|  | + * The caller must check the return value.
 | ||||||
|  | + *
 | ||||||
|  | + * See #sign for the signing operation and an example.
 | ||||||
|  | + *
 | ||||||
|  | + * See also the man page EVP_DigestVerify(3).
 | ||||||
|  | + *
 | ||||||
|  | + * +digest+::
 | ||||||
|  | + *   See #sign.
 | ||||||
|  | + * +signature+::
 | ||||||
|  | + *   A String containing the signature to be verified.
 | ||||||
|  | + * +data+::
 | ||||||
|  | + *   See #sign.
 | ||||||
|  | + * +options+::
 | ||||||
|  | + *   See #sign. +options+ parameter was added in version 2.3.
 | ||||||
|  |   */ | ||||||
|  |  static VALUE | ||||||
|  | -ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
 | ||||||
|  | +ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |  { | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  | +    VALUE digest, sig, data, options;
 | ||||||
|  |      const EVP_MD *md = NULL; | ||||||
|  |      EVP_MD_CTX *ctx; | ||||||
|  | -    int ret;
 | ||||||
|  | +    EVP_PKEY_CTX *pctx;
 | ||||||
|  | +    int state, ret;
 | ||||||
|  |   | ||||||
|  |      GetPKey(self, pkey); | ||||||
|  | +    rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);
 | ||||||
|  |      ossl_pkey_check_public_key(pkey); | ||||||
|  |      if (!NIL_P(digest)) | ||||||
|  |          md = ossl_evp_get_digestbyname(digest); | ||||||
|  | @@ -866,10 +896,17 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
 | ||||||
|  |      ctx = EVP_MD_CTX_new(); | ||||||
|  |      if (!ctx) | ||||||
|  |          ossl_raise(ePKeyError, "EVP_MD_CTX_new"); | ||||||
|  | -    if (EVP_DigestVerifyInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {
 | ||||||
|  | +    if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {
 | ||||||
|  |          EVP_MD_CTX_free(ctx); | ||||||
|  |          ossl_raise(ePKeyError, "EVP_DigestVerifyInit"); | ||||||
|  |      } | ||||||
|  | +    if (!NIL_P(options)) {
 | ||||||
|  | +        pkey_ctx_apply_options(pctx, options, &state);
 | ||||||
|  | +        if (state) {
 | ||||||
|  | +            EVP_MD_CTX_free(ctx);
 | ||||||
|  | +            rb_jump_tag(state);
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  |  #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) | ||||||
|  |      ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig), | ||||||
|  |                             RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data), | ||||||
|  | @@ -1042,8 +1079,8 @@ Init_ossl_pkey(void)
 | ||||||
|  |      rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0); | ||||||
|  |      rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0); | ||||||
|  |   | ||||||
|  | -    rb_define_method(cPKey, "sign", ossl_pkey_sign, 2);
 | ||||||
|  | -    rb_define_method(cPKey, "verify", ossl_pkey_verify, 3);
 | ||||||
|  | +    rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);
 | ||||||
|  | +    rb_define_method(cPKey, "verify", ossl_pkey_verify, -1);
 | ||||||
|  |      rb_define_method(cPKey, "derive", ossl_pkey_derive, -1); | ||||||
|  |   | ||||||
|  |      id_private_q = rb_intern("private?"); | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index 88164c3b52..d1e68dbc9f 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -117,27 +117,21 @@ def test_sign_verify
 | ||||||
|  |      assert_equal false, rsa1024.verify("SHA256", signature1, data) | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | -  def test_digest_state_irrelevant_sign
 | ||||||
|  | +  def test_sign_verify_options
 | ||||||
|  |      key = Fixtures.pkey("rsa1024") | ||||||
|  | -    digest1 = OpenSSL::Digest.new('SHA1')
 | ||||||
|  | -    digest2 = OpenSSL::Digest.new('SHA1')
 | ||||||
|  | -    data = 'Sign me!'
 | ||||||
|  | -    digest1 << 'Change state of digest1'
 | ||||||
|  | -    sig1 = key.sign(digest1, data)
 | ||||||
|  | -    sig2 = key.sign(digest2, data)
 | ||||||
|  | -    assert_equal(sig1, sig2)
 | ||||||
|  | -  end
 | ||||||
|  | -
 | ||||||
|  | -  def test_digest_state_irrelevant_verify
 | ||||||
|  | -    key = Fixtures.pkey("rsa1024")
 | ||||||
|  | -    digest1 = OpenSSL::Digest.new('SHA1')
 | ||||||
|  | -    digest2 = OpenSSL::Digest.new('SHA1')
 | ||||||
|  | -    data = 'Sign me!'
 | ||||||
|  | -    sig = key.sign(digest1, data)
 | ||||||
|  | -    digest1.reset
 | ||||||
|  | -    digest1 << 'Change state of digest1'
 | ||||||
|  | -    assert(key.verify(digest1, sig, data))
 | ||||||
|  | -    assert(key.verify(digest2, sig, data))
 | ||||||
|  | +    data = "Sign me!"
 | ||||||
|  | +    pssopts = {
 | ||||||
|  | +      "rsa_padding_mode" => "pss",
 | ||||||
|  | +      "rsa_pss_saltlen" => 20,
 | ||||||
|  | +      "rsa_mgf1_md" => "SHA1"
 | ||||||
|  | +    }
 | ||||||
|  | +    sig_pss = key.sign("SHA256", data, pssopts)
 | ||||||
|  | +    assert_equal 128, sig_pss.bytesize
 | ||||||
|  | +    assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
 | ||||||
|  | +    assert_equal true, key.verify_pss("SHA256", sig_pss, data,
 | ||||||
|  | +                                      salt_length: 20, mgf1_hash: "SHA1")
 | ||||||
|  | +    # Defaults to PKCS #1 v1.5 padding => verification failure
 | ||||||
|  | +    assert_equal false, key.verify("SHA256", sig_pss, data)
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_verify_empty_rsa | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
							
								
								
									
										719
									
								
								ruby-3.1.0-Deprecate-PKey-set_-and-PKey-DH-EC-generate_key.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										719
									
								
								ruby-3.1.0-Deprecate-PKey-set_-and-PKey-DH-EC-generate_key.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,719 @@ | |||||||
|  | From 46ca47060ca8ef3419ec36c2326a81b442d9b43b Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sun, 12 Dec 2021 01:25:20 +0900 | ||||||
|  | Subject: [PATCH 1/5] pkey/dh: avoid using DH#set_key in DH#compute_key | ||||||
|  | 
 | ||||||
|  | DH#set_key will not work on OpenSSL 3.0 because keys are immutable. | ||||||
|  | For now, let's reimplement DH#compute_key by manually constructing a | ||||||
|  | DER-encoded SubjectPublicKeyInfo structure and feeding it to | ||||||
|  | OpenSSL::PKey.read. | ||||||
|  | 
 | ||||||
|  | Eventually, we should implement a new method around EVP_PKEY_fromdata() | ||||||
|  | and use it instead. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/lib/openssl/pkey.rb | 16 +++++++++++++--- | ||||||
|  |  1 file changed, 13 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | index f6bf5892..5864faa9 100644
 | ||||||
|  | --- a/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | +++ b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | @@ -47,9 +47,19 @@ def public_key
 | ||||||
|  |      # * _pub_bn_ is a OpenSSL::BN, *not* the DH instance returned by | ||||||
|  |      #   DH#public_key as that contains the DH parameters only. | ||||||
|  |      def compute_key(pub_bn) | ||||||
|  | -      peer = dup
 | ||||||
|  | -      peer.set_key(pub_bn, nil)
 | ||||||
|  | -      derive(peer)
 | ||||||
|  | +      # FIXME: This is constructing an X.509 SubjectPublicKeyInfo and is very
 | ||||||
|  | +      # inefficient
 | ||||||
|  | +      obj = OpenSSL::ASN1.Sequence([
 | ||||||
|  | +        OpenSSL::ASN1.Sequence([
 | ||||||
|  | +          OpenSSL::ASN1.ObjectId("dhKeyAgreement"),
 | ||||||
|  | +          OpenSSL::ASN1.Sequence([
 | ||||||
|  | +            OpenSSL::ASN1.Integer(p),
 | ||||||
|  | +            OpenSSL::ASN1.Integer(g),
 | ||||||
|  | +          ]),
 | ||||||
|  | +        ]),
 | ||||||
|  | +        OpenSSL::ASN1.BitString(OpenSSL::ASN1.Integer(pub_bn).to_der),
 | ||||||
|  | +      ])
 | ||||||
|  | +      derive(OpenSSL::PKey.read(obj.to_der))
 | ||||||
|  |      end | ||||||
|  |   | ||||||
|  |      # :call-seq: | ||||||
|  | 
 | ||||||
|  | From fc9aabc18df3c189cc6a76a1470ca908c4f16480 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 17 Dec 2021 02:22:25 +0900 | ||||||
|  | Subject: [PATCH 2/5] pkey/ec: avoid using EC#public_key= in EC#dh_compute_key | ||||||
|  | 
 | ||||||
|  | Similarly to DH#compute_key, work around it by constructing a | ||||||
|  | SubjectPublicKeyInfo. This should be considered as a temporary | ||||||
|  | implementation. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/lib/openssl/pkey.rb | 11 ++++++++--- | ||||||
|  |  1 file changed, 8 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | index 5864faa9..ba04cf4b 100644
 | ||||||
|  | --- a/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | +++ b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | @@ -259,9 +259,14 @@ def dsa_verify_asn1(data, sig)
 | ||||||
|  |      # This method is provided for backwards compatibility, and calls #derive | ||||||
|  |      # internally. | ||||||
|  |      def dh_compute_key(pubkey) | ||||||
|  | -      peer = OpenSSL::PKey::EC.new(group)
 | ||||||
|  | -      peer.public_key = pubkey
 | ||||||
|  | -      derive(peer)
 | ||||||
|  | +      obj = OpenSSL::ASN1.Sequence([
 | ||||||
|  | +        OpenSSL::ASN1.Sequence([
 | ||||||
|  | +          OpenSSL::ASN1.ObjectId("id-ecPublicKey"),
 | ||||||
|  | +          group.to_der,
 | ||||||
|  | +        ]),
 | ||||||
|  | +        OpenSSL::ASN1.BitString(pubkey.to_octet_string(:uncompressed)),
 | ||||||
|  | +      ])
 | ||||||
|  | +      derive(OpenSSL::PKey.read(obj.to_der))
 | ||||||
|  |      end | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | 
 | ||||||
|  | From 8ee6a582c7e4614eec4f5ca5ab59898fbcb50d2a Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 22 Oct 2021 16:24:07 +0900 | ||||||
|  | Subject: [PATCH 3/5] pkey/dh: deprecate OpenSSL::PKey::DH#generate_key! | ||||||
|  | 
 | ||||||
|  | OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because | ||||||
|  | keys are made immutable. Users should use OpenSSL::PKey.generate_key | ||||||
|  | instead. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/lib/openssl/pkey.rb | 23 +++++++++++++++++++---- | ||||||
|  |  ext/openssl/ossl_pkey_dh.c      |  9 +++++---- | ||||||
|  |  test/openssl/test_pkey_dh.rb    | 18 ++++++++++-------- | ||||||
|  |  3 files changed, 34 insertions(+), 16 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | index ba04cf4b..c3e06290 100644
 | ||||||
|  | --- a/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | +++ b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | @@ -71,14 +71,29 @@ def compute_key(pub_bn)
 | ||||||
|  |      # called first in order to generate the per-session keys before performing | ||||||
|  |      # the actual key exchange. | ||||||
|  |      # | ||||||
|  | +    # <b>Deprecated in version 3.0</b>. This method is incompatible with
 | ||||||
|  | +    # OpenSSL 3.0.0 or later.
 | ||||||
|  | +    #
 | ||||||
|  |      # See also OpenSSL::PKey.generate_key. | ||||||
|  |      # | ||||||
|  |      # Example: | ||||||
|  | -    #   dh = OpenSSL::PKey::DH.new(2048)
 | ||||||
|  | -    #   public_key = dh.public_key #contains no private/public key yet
 | ||||||
|  | -    #   public_key.generate_key!
 | ||||||
|  | -    #   puts public_key.private? # => true
 | ||||||
|  | +    #   # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
 | ||||||
|  | +    #   dh0 = OpenSSL::PKey::DH.new(2048)
 | ||||||
|  | +    #   dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
 | ||||||
|  | +    #   dh.generate_key!
 | ||||||
|  | +    #   puts dh.private? # => true
 | ||||||
|  | +    #   puts dh0.pub_key == dh.pub_key #=> false
 | ||||||
|  | +    #
 | ||||||
|  | +    #   # With OpenSSL::PKey.generate_key
 | ||||||
|  | +    #   dh0 = OpenSSL::PKey::DH.new(2048)
 | ||||||
|  | +    #   dh = OpenSSL::PKey.generate_key(dh0)
 | ||||||
|  | +    #   puts dh0.pub_key == dh.pub_key #=> false
 | ||||||
|  |      def generate_key! | ||||||
|  | +      if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
 | ||||||
|  | +        raise DHError, "OpenSSL::PKey::DH is immutable on OpenSSL 3.0; " \
 | ||||||
|  | +        "use OpenSSL::PKey.generate_key instead"
 | ||||||
|  | +      end
 | ||||||
|  | +
 | ||||||
|  |        unless priv_key | ||||||
|  |          tmp = OpenSSL::PKey.generate_key(self) | ||||||
|  |          set_key(tmp.pub_key, tmp.priv_key) | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | index 04c11b2157..e70d60ed19 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | @@ -58,15 +58,16 @@ VALUE eDHError;
 | ||||||
|  |   * | ||||||
|  |   * Examples: | ||||||
|  |   *   # Creating an instance from scratch | ||||||
|  | - *   dh = DH.new
 | ||||||
|  | + *   # Note that this is deprecated and will not work on OpenSSL 3.0 or later.
 | ||||||
|  | + *   dh = OpenSSL::PKey::DH.new
 | ||||||
|  |   *   dh.set_pqg(bn_p, nil, bn_g) | ||||||
|  |   * | ||||||
|  |   *   # Generating a parameters and a key pair | ||||||
|  | - *   dh = DH.new(2048) # An alias of DH.generate(2048)
 | ||||||
|  | + *   dh = OpenSSL::PKey::DH.new(2048) # An alias of OpenSSL::PKey::DH.generate(2048)
 | ||||||
|  |   * | ||||||
|  |   *   # Reading DH parameters | ||||||
|  | - *   dh = DH.new(File.read('parameters.pem')) # -> dh, but no public/private key yet
 | ||||||
|  | - *   dh.generate_key! # -> dh with public and private key
 | ||||||
|  | + *   dh_params = OpenSSL::PKey::DH.new(File.read('parameters.pem')) # loads parameters only
 | ||||||
|  | + *   dh = OpenSSL::PKey.generate_key(dh_params) # generates a key pair
 | ||||||
|  |   */ | ||||||
|  |  static VALUE | ||||||
|  |  ossl_dh_initialize(int argc, VALUE *argv, VALUE self) | ||||||
|  | diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | index 757704ca..ac11af38 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dh.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | @@ -26,14 +26,19 @@ def test_new_break
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_derive_key | ||||||
|  | -    dh1 = Fixtures.pkey("dh1024").generate_key!
 | ||||||
|  | -    dh2 = Fixtures.pkey("dh1024").generate_key!
 | ||||||
|  | +    params = Fixtures.pkey("dh1024")
 | ||||||
|  | +    dh1 = OpenSSL::PKey.generate_key(params)
 | ||||||
|  | +    dh2 = OpenSSL::PKey.generate_key(params)
 | ||||||
|  |      dh1_pub = OpenSSL::PKey.read(dh1.public_to_der) | ||||||
|  |      dh2_pub = OpenSSL::PKey.read(dh2.public_to_der) | ||||||
|  | +
 | ||||||
|  |      z = dh1.g.mod_exp(dh1.priv_key, dh1.p).mod_exp(dh2.priv_key, dh1.p).to_s(2) | ||||||
|  |      assert_equal z, dh1.derive(dh2_pub) | ||||||
|  |      assert_equal z, dh2.derive(dh1_pub) | ||||||
|  |   | ||||||
|  | +    assert_raise(OpenSSL::PKey::PKeyError) { params.derive(dh1_pub) }
 | ||||||
|  | +    assert_raise(OpenSSL::PKey::PKeyError) { dh1_pub.derive(params) }
 | ||||||
|  | +
 | ||||||
|  |      assert_equal z, dh1.compute_key(dh2.pub_key) | ||||||
|  |      assert_equal z, dh2.compute_key(dh1.pub_key) | ||||||
|  |    end | ||||||
|  | @@ -74,19 +79,16 @@ def test_public_key
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_generate_key | ||||||
|  | -    dh = Fixtures.pkey("dh1024").public_key # creates a copy
 | ||||||
|  | +    # Deprecated in v3.0.0; incompatible with OpenSSL 3.0
 | ||||||
|  | +    dh = Fixtures.pkey("dh1024").public_key # creates a copy with params only
 | ||||||
|  |      assert_no_key(dh) | ||||||
|  |      dh.generate_key! | ||||||
|  |      assert_key(dh) | ||||||
|  | -  end
 | ||||||
|  |   | ||||||
|  | -  def test_key_exchange
 | ||||||
|  | -    dh = Fixtures.pkey("dh1024")
 | ||||||
|  |      dh2 = dh.public_key | ||||||
|  | -    dh.generate_key!
 | ||||||
|  |      dh2.generate_key! | ||||||
|  |      assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key)) | ||||||
|  | -  end
 | ||||||
|  | +  end if !openssl?(3, 0, 0)
 | ||||||
|  |   | ||||||
|  |    def test_params_ok? | ||||||
|  |      dh0 = Fixtures.pkey("dh1024") | ||||||
|  | 
 | ||||||
|  | From 5e2e66cce870ea86001dbb0eaa3092badfd37994 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 17 Dec 2021 02:21:42 +0900 | ||||||
|  | Subject: [PATCH 4/5] pkey/ec: deprecate OpenSSL::PKey::EC#generate_key! | ||||||
|  | 
 | ||||||
|  | OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because | ||||||
|  | keys are made immutable. Users should use OpenSSL::PKey.generate_key | ||||||
|  | instead. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey_ec.c   |  4 ++++ | ||||||
|  |  test/openssl/test_pkey_ec.rb | 21 +++++++++++++-------- | ||||||
|  |  2 files changed, 17 insertions(+), 8 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | index db80d112..398a550a 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | @@ -442,6 +442,9 @@ ossl_ec_key_to_der(VALUE self)
 | ||||||
|  |   */ | ||||||
|  |  static VALUE ossl_ec_key_generate_key(VALUE self) | ||||||
|  |  { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +    rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
 | ||||||
|  | +#else
 | ||||||
|  |      EC_KEY *ec; | ||||||
|  |   | ||||||
|  |      GetEC(self, ec); | ||||||
|  | @@ -449,6 +452,7 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
 | ||||||
|  |  	ossl_raise(eECError, "EC_KEY_generate_key"); | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  | +#endif
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | index 3f5958af..33f78a4c 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_ec.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | @@ -13,15 +13,13 @@ def test_ec_key
 | ||||||
|  |        # FIPS-selftest failure on some environment, so skip for now. | ||||||
|  |        next if ["Oakley", "X25519"].any? { |n| curve_name.start_with?(n) } | ||||||
|  |   | ||||||
|  | -      key = OpenSSL::PKey::EC.new(curve_name)
 | ||||||
|  | -      key.generate_key!
 | ||||||
|  | -
 | ||||||
|  | +      key = OpenSSL::PKey::EC.generate(curve_name)
 | ||||||
|  |        assert_predicate key, :private? | ||||||
|  |        assert_predicate key, :public? | ||||||
|  |        assert_nothing_raised { key.check_key } | ||||||
|  |      end | ||||||
|  |   | ||||||
|  | -    key1 = OpenSSL::PKey::EC.new("prime256v1").generate_key!
 | ||||||
|  | +    key1 = OpenSSL::PKey::EC.generate("prime256v1")
 | ||||||
|  |   | ||||||
|  |      key2 = OpenSSL::PKey::EC.new | ||||||
|  |      key2.group = key1.group | ||||||
|  | @@ -52,6 +50,13 @@ def test_generate
 | ||||||
|  |      assert_equal(true, ec.private?) | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | +  def test_generate_key
 | ||||||
|  | +    ec = OpenSSL::PKey::EC.new("prime256v1")
 | ||||||
|  | +    assert_equal false, ec.private?
 | ||||||
|  | +    ec.generate_key!
 | ||||||
|  | +    assert_equal true, ec.private?
 | ||||||
|  | +  end if !openssl?(3, 0, 0)
 | ||||||
|  | +
 | ||||||
|  |    def test_marshal | ||||||
|  |      key = Fixtures.pkey("p256") | ||||||
|  |      deserialized = Marshal.load(Marshal.dump(key)) | ||||||
|  | @@ -136,7 +141,7 @@ def test_sign_verify_raw
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_dsa_sign_asn1_FIPS186_3 | ||||||
|  | -    key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
 | ||||||
|  | +    key = OpenSSL::PKey::EC.generate("prime256v1")
 | ||||||
|  |      size = key.group.order.num_bits / 8 + 1 | ||||||
|  |      dgst = (1..size).to_a.pack('C*') | ||||||
|  |      sig = key.dsa_sign_asn1(dgst) | ||||||
|  | @@ -145,8 +150,8 @@ def test_dsa_sign_asn1_FIPS186_3
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_dh_compute_key | ||||||
|  | -    key_a = OpenSSL::PKey::EC.new("prime256v1").generate_key!
 | ||||||
|  | -    key_b = OpenSSL::PKey::EC.new(key_a.group).generate_key!
 | ||||||
|  | +    key_a = OpenSSL::PKey::EC.generate("prime256v1")
 | ||||||
|  | +    key_b = OpenSSL::PKey::EC.generate(key_a.group)
 | ||||||
|  |   | ||||||
|  |      pub_a = key_a.public_key | ||||||
|  |      pub_b = key_b.public_key | ||||||
|  | @@ -276,7 +281,7 @@ def test_ec_group
 | ||||||
|  |   | ||||||
|  |    def test_ec_point | ||||||
|  |      group = OpenSSL::PKey::EC::Group.new("prime256v1") | ||||||
|  | -    key = OpenSSL::PKey::EC.new(group).generate_key!
 | ||||||
|  | +    key = OpenSSL::PKey::EC.generate(group)
 | ||||||
|  |      point = key.public_key | ||||||
|  |   | ||||||
|  |      point2 = OpenSSL::PKey::EC::Point.new(group, point.to_bn) | ||||||
|  | 
 | ||||||
|  | From 6848d2d969d90e6a400d89848ecec21076b87888 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Tue, 21 Sep 2021 18:29:59 +0900 | ||||||
|  | Subject: [PATCH 5/5] pkey: deprecate PKey#set_* methods | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const | ||||||
|  | pointer of the low level struct and the following methods can no longer | ||||||
|  | be provided when linked against OpenSSL 3.0: | ||||||
|  | 
 | ||||||
|  |  - OpenSSL::PKey::RSA#set_key | ||||||
|  |  - OpenSSL::PKey::RSA#set_factors | ||||||
|  |  - OpenSSL::PKey::RSA#set_crt_params | ||||||
|  |  - OpenSSL::PKey::DSA#set_pqg | ||||||
|  |  - OpenSSL::PKey::DSA#set_key | ||||||
|  |  - OpenSSL::PKey::DH#set_pqg | ||||||
|  |  - OpenSSL::PKey::DH#set_key | ||||||
|  |  - OpenSSL::PKey::EC#group= | ||||||
|  |  - OpenSSL::PKey::EC#private_key= | ||||||
|  |  - OpenSSL::PKey::EC#public_key= | ||||||
|  | 
 | ||||||
|  | There is no direct replacement for this functionality at the moment. | ||||||
|  | I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes | ||||||
|  | all key components at once to construct an EVP_PKEY. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.h       | 16 +++++++ | ||||||
|  |  ext/openssl/ossl_pkey_ec.c    | 12 +++++ | ||||||
|  |  test/openssl/test_pkey_dh.rb  | 38 +++++++++++----- | ||||||
|  |  test/openssl/test_pkey_dsa.rb |  8 +++- | ||||||
|  |  test/openssl/test_pkey_ec.rb  | 58 ++++++++++++++---------- | ||||||
|  |  test/openssl/test_pkey_rsa.rb | 85 ++++++++++++++++++++++------------- | ||||||
|  |  6 files changed, 149 insertions(+), 68 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
 | ||||||
|  | index 4beede22..4536e58e 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.h
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.h
 | ||||||
|  | @@ -116,6 +116,7 @@ static VALUE ossl_##_keytype##_get_##_name(VALUE self)			\
 | ||||||
|  |  	OSSL_PKEY_BN_DEF_GETTER0(_keytype, _type, a2,			\ | ||||||
|  |  		_type##_get0_##_group(obj, NULL, &bn)) | ||||||
|  |   | ||||||
|  | +#if !OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  |  #define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3)	\ | ||||||
|  |  /*									\ | ||||||
|  |   *  call-seq:								\ | ||||||
|  | @@ -173,6 +174,21 @@ static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
 | ||||||
|  |  	}								\ | ||||||
|  |  	return self;							\ | ||||||
|  |  } | ||||||
|  | +#else
 | ||||||
|  | +#define OSSL_PKEY_BN_DEF_SETTER3(_keytype, _type, _group, a1, a2, a3)	\
 | ||||||
|  | +static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2, VALUE v3) \
 | ||||||
|  | +{									\
 | ||||||
|  | +        rb_raise(ePKeyError,						\
 | ||||||
|  | +                 #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +#define OSSL_PKEY_BN_DEF_SETTER2(_keytype, _type, _group, a1, a2)	\
 | ||||||
|  | +static VALUE ossl_##_keytype##_set_##_group(VALUE self, VALUE v1, VALUE v2) \
 | ||||||
|  | +{									\
 | ||||||
|  | +        rb_raise(ePKeyError,						\
 | ||||||
|  | +                 #_keytype"#set_"#_group"= is incompatible with OpenSSL 3.0"); \
 | ||||||
|  | +}
 | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  |  #define OSSL_PKEY_BN_DEF_SETTER_OLD(_keytype, _type, _group, _name)	\ | ||||||
|  |  /*									\ | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | index 398a550a..7a6ed1c9 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | @@ -251,6 +251,9 @@ ossl_ec_key_get_group(VALUE self)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_ec_key_set_group(VALUE self, VALUE group_v) | ||||||
|  |  { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +    rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
 | ||||||
|  | +#else
 | ||||||
|  |      EC_KEY *ec; | ||||||
|  |      EC_GROUP *group; | ||||||
|  |   | ||||||
|  | @@ -261,6 +264,7 @@ ossl_ec_key_set_group(VALUE self, VALUE group_v)
 | ||||||
|  |          ossl_raise(eECError, "EC_KEY_set_group"); | ||||||
|  |   | ||||||
|  |      return group_v; | ||||||
|  | +#endif
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | @@ -289,6 +293,9 @@ static VALUE ossl_ec_key_get_private_key(VALUE self)
 | ||||||
|  |   */ | ||||||
|  |  static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key) | ||||||
|  |  { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +    rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
 | ||||||
|  | +#else
 | ||||||
|  |      EC_KEY *ec; | ||||||
|  |      BIGNUM *bn = NULL; | ||||||
|  |   | ||||||
|  | @@ -307,6 +314,7 @@ static VALUE ossl_ec_key_set_private_key(VALUE self, VALUE private_key)
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      return private_key; | ||||||
|  | +#endif
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | @@ -335,6 +343,9 @@ static VALUE ossl_ec_key_get_public_key(VALUE self)
 | ||||||
|  |   */ | ||||||
|  |  static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key) | ||||||
|  |  { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +    rb_raise(ePKeyError, "pkeys are immutable on OpenSSL 3.0");
 | ||||||
|  | +#else
 | ||||||
|  |      EC_KEY *ec; | ||||||
|  |      EC_POINT *point = NULL; | ||||||
|  |   | ||||||
|  | @@ -353,6 +364,7 @@ static VALUE ossl_ec_key_set_public_key(VALUE self, VALUE public_key)
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      return public_key; | ||||||
|  | +#endif
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | index ac11af38..161af189 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dh.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | @@ -107,13 +107,32 @@ def test_params_ok?
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_dup | ||||||
|  | -    dh = Fixtures.pkey("dh1024")
 | ||||||
|  | -    dh2 = dh.dup
 | ||||||
|  | -    assert_equal dh.to_der, dh2.to_der # params
 | ||||||
|  | -    assert_equal_params dh, dh2 # keys
 | ||||||
|  | -    dh2.set_pqg(dh2.p + 1, nil, dh2.g)
 | ||||||
|  | -    assert_not_equal dh2.p, dh.p
 | ||||||
|  | -    assert_equal dh2.g, dh.g
 | ||||||
|  | +    # Parameters only
 | ||||||
|  | +    dh1 = Fixtures.pkey("dh1024")
 | ||||||
|  | +    dh2 = dh1.dup
 | ||||||
|  | +    assert_equal dh1.to_der, dh2.to_der
 | ||||||
|  | +    assert_not_equal nil, dh1.p
 | ||||||
|  | +    assert_not_equal nil, dh1.g
 | ||||||
|  | +    assert_equal [dh1.p, dh1.g], [dh2.p, dh2.g]
 | ||||||
|  | +    assert_equal nil, dh1.pub_key
 | ||||||
|  | +    assert_equal nil, dh1.priv_key
 | ||||||
|  | +    assert_equal [dh1.pub_key, dh1.priv_key], [dh2.pub_key, dh2.priv_key]
 | ||||||
|  | +
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      dh2.set_pqg(dh2.p + 1, nil, dh2.g)
 | ||||||
|  | +      assert_not_equal dh2.p, dh1.p
 | ||||||
|  | +    end
 | ||||||
|  | +
 | ||||||
|  | +    # With a key pair
 | ||||||
|  | +    dh3 = OpenSSL::PKey.generate_key(Fixtures.pkey("dh1024"))
 | ||||||
|  | +    dh4 = dh3.dup
 | ||||||
|  | +    assert_equal dh3.to_der, dh4.to_der
 | ||||||
|  | +    assert_equal dh1.to_der, dh4.to_der # encodes parameters only
 | ||||||
|  | +    assert_equal [dh1.p, dh1.g], [dh4.p, dh4.g]
 | ||||||
|  | +    assert_not_equal nil, dh3.pub_key
 | ||||||
|  | +    assert_not_equal nil, dh3.priv_key
 | ||||||
|  | +    assert_equal [dh3.pub_key, dh3.priv_key], [dh4.pub_key, dh4.priv_key]
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_marshal | ||||||
|  | @@ -125,11 +144,6 @@ def test_marshal
 | ||||||
|  |   | ||||||
|  |    private | ||||||
|  |   | ||||||
|  | -  def assert_equal_params(dh1, dh2)
 | ||||||
|  | -    assert_equal(dh1.g, dh2.g)
 | ||||||
|  | -    assert_equal(dh1.p, dh2.p)
 | ||||||
|  | -  end
 | ||||||
|  | -
 | ||||||
|  |    def assert_no_key(dh) | ||||||
|  |      assert_equal(false, dh.public?) | ||||||
|  |      assert_equal(false, dh.private?) | ||||||
|  | diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | index 0994607f..726b7dbf 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | @@ -208,8 +208,12 @@ def test_dup
 | ||||||
|  |      key = Fixtures.pkey("dsa1024") | ||||||
|  |      key2 = key.dup | ||||||
|  |      assert_equal key.params, key2.params | ||||||
|  | -    key2.set_pqg(key2.p + 1, key2.q, key2.g)
 | ||||||
|  | -    assert_not_equal key.params, key2.params
 | ||||||
|  | +
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key2.set_pqg(key2.p + 1, key2.q, key2.g)
 | ||||||
|  | +      assert_not_equal key.params, key2.params
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_marshal | ||||||
|  | diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | index 33f78a4c..ffe5a94e 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_ec.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | @@ -21,11 +21,15 @@ def test_ec_key
 | ||||||
|  |   | ||||||
|  |      key1 = OpenSSL::PKey::EC.generate("prime256v1") | ||||||
|  |   | ||||||
|  | -    key2 = OpenSSL::PKey::EC.new
 | ||||||
|  | -    key2.group = key1.group
 | ||||||
|  | -    key2.private_key = key1.private_key
 | ||||||
|  | -    key2.public_key = key1.public_key
 | ||||||
|  | -    assert_equal key1.to_der, key2.to_der
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0; constructing an empty EC object is
 | ||||||
|  | +    # deprecated
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key2 = OpenSSL::PKey::EC.new
 | ||||||
|  | +      key2.group = key1.group
 | ||||||
|  | +      key2.private_key = key1.private_key
 | ||||||
|  | +      key2.public_key = key1.public_key
 | ||||||
|  | +      assert_equal key1.to_der, key2.to_der
 | ||||||
|  | +    end
 | ||||||
|  |   | ||||||
|  |      key3 = OpenSSL::PKey::EC.new(key1) | ||||||
|  |      assert_equal key1.to_der, key3.to_der | ||||||
|  | @@ -35,10 +39,14 @@ def test_ec_key
 | ||||||
|  |   | ||||||
|  |      key5 = key1.dup | ||||||
|  |      assert_equal key1.to_der, key5.to_der | ||||||
|  | -    key_tmp = OpenSSL::PKey::EC.new("prime256v1").generate_key!
 | ||||||
|  | -    key5.private_key = key_tmp.private_key
 | ||||||
|  | -    key5.public_key = key_tmp.public_key
 | ||||||
|  | -    assert_not_equal key1.to_der, key5.to_der
 | ||||||
|  | +
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0; EC object should not be modified
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key_tmp = OpenSSL::PKey::EC.generate("prime256v1")
 | ||||||
|  | +      key5.private_key = key_tmp.private_key
 | ||||||
|  | +      key5.public_key = key_tmp.public_key
 | ||||||
|  | +      assert_not_equal key1.to_der, key5.to_der
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_generate | ||||||
|  | @@ -65,22 +73,26 @@ def test_marshal
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_check_key | ||||||
|  | -    key = OpenSSL::PKey::EC.new("prime256v1").generate_key!
 | ||||||
|  | -    assert_equal(true, key.check_key)
 | ||||||
|  | -    assert_equal(true, key.private?)
 | ||||||
|  | -    assert_equal(true, key.public?)
 | ||||||
|  | -    key2 = OpenSSL::PKey::EC.new(key.group)
 | ||||||
|  | -    assert_equal(false, key2.private?)
 | ||||||
|  | -    assert_equal(false, key2.public?)
 | ||||||
|  | -    key2.public_key = key.public_key
 | ||||||
|  | -    assert_equal(false, key2.private?)
 | ||||||
|  | -    assert_equal(true, key2.public?)
 | ||||||
|  | -    key2.private_key = key.private_key
 | ||||||
|  | +    key0 = Fixtures.pkey("p256")
 | ||||||
|  | +    assert_equal(true, key0.check_key)
 | ||||||
|  | +    assert_equal(true, key0.private?)
 | ||||||
|  | +    assert_equal(true, key0.public?)
 | ||||||
|  | +
 | ||||||
|  | +    key1 = OpenSSL::PKey.read(key0.public_to_der)
 | ||||||
|  | +    assert_equal(true, key1.check_key)
 | ||||||
|  | +    assert_equal(false, key1.private?)
 | ||||||
|  | +    assert_equal(true, key1.public?)
 | ||||||
|  | +
 | ||||||
|  | +    key2 = OpenSSL::PKey.read(key0.private_to_der)
 | ||||||
|  |      assert_equal(true, key2.private?) | ||||||
|  |      assert_equal(true, key2.public?) | ||||||
|  |      assert_equal(true, key2.check_key) | ||||||
|  | -    key2.private_key += 1
 | ||||||
|  | -    assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
 | ||||||
|  | +
 | ||||||
|  | +    # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key2.private_key += 1
 | ||||||
|  | +      assert_raise(OpenSSL::PKey::ECError) { key2.check_key }
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_sign_verify | ||||||
|  | @@ -112,7 +124,7 @@ def test_derive_key
 | ||||||
|  |      assert_equal [zIUT].pack("H*"), a.derive(b) | ||||||
|  |   | ||||||
|  |      assert_equal a.derive(b), a.dh_compute_key(b.public_key) | ||||||
|  | -  end
 | ||||||
|  | +  end if !openssl?(3, 0, 0) # TODO: Test it without using #private_key=
 | ||||||
|  |   | ||||||
|  |    def test_sign_verify_raw | ||||||
|  |      key = Fixtures.pkey("p256") | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index dbe87ba4..1c7f9ccf 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -31,15 +31,18 @@ def test_private
 | ||||||
|  |      assert(!key4.private?) | ||||||
|  |      rsa1024 = Fixtures.pkey("rsa1024") | ||||||
|  |   | ||||||
|  | -    # Generated by RSA#set_key
 | ||||||
|  | -    key5 = OpenSSL::PKey::RSA.new
 | ||||||
|  | -    key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | -    assert(key5.private?)
 | ||||||
|  | -
 | ||||||
|  | -    # Generated by RSA#set_key, without d
 | ||||||
|  | -    key6 = OpenSSL::PKey::RSA.new
 | ||||||
|  | -    key6.set_key(rsa1024.n, rsa1024.e, nil)
 | ||||||
|  | -    assert(!key6.private?)
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key = OpenSSL::PKey::RSA.new
 | ||||||
|  | +      # Generated by RSA#set_key
 | ||||||
|  | +      key5 = OpenSSL::PKey::RSA.new
 | ||||||
|  | +      key5.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | +      assert(key5.private?)
 | ||||||
|  | +
 | ||||||
|  | +      # Generated by RSA#set_key, without d
 | ||||||
|  | +      key6 = OpenSSL::PKey::RSA.new
 | ||||||
|  | +      key6.set_key(rsa1024.n, rsa1024.e, nil)
 | ||||||
|  | +      assert(!key6.private?)
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_new | ||||||
|  | @@ -235,36 +238,52 @@ def test_encrypt_decrypt_legacy
 | ||||||
|  |   | ||||||
|  |    def test_export | ||||||
|  |      rsa1024 = Fixtures.pkey("rsa1024") | ||||||
|  | -    key = OpenSSL::PKey::RSA.new
 | ||||||
|  |   | ||||||
|  | -    # key has only n, e and d
 | ||||||
|  | -    key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | -    assert_equal rsa1024.public_key.export, key.export
 | ||||||
|  | +    pub = OpenSSL::PKey.read(rsa1024.public_to_der)
 | ||||||
|  | +    assert_not_equal rsa1024.export, pub.export
 | ||||||
|  | +    assert_equal rsa1024.public_to_pem, pub.export
 | ||||||
|  | +
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key = OpenSSL::PKey::RSA.new
 | ||||||
|  |   | ||||||
|  | -    # key has only n, e, d, p and q
 | ||||||
|  | -    key.set_factors(rsa1024.p, rsa1024.q)
 | ||||||
|  | -    assert_equal rsa1024.public_key.export, key.export
 | ||||||
|  | +      # key has only n, e and d
 | ||||||
|  | +      key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | +      assert_equal rsa1024.public_key.export, key.export
 | ||||||
|  |   | ||||||
|  | -    # key has n, e, d, p, q, dmp1, dmq1 and iqmp
 | ||||||
|  | -    key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
 | ||||||
|  | -    assert_equal rsa1024.export, key.export
 | ||||||
|  | +      # key has only n, e, d, p and q
 | ||||||
|  | +      key.set_factors(rsa1024.p, rsa1024.q)
 | ||||||
|  | +      assert_equal rsa1024.public_key.export, key.export
 | ||||||
|  | +
 | ||||||
|  | +      # key has n, e, d, p, q, dmp1, dmq1 and iqmp
 | ||||||
|  | +      key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
 | ||||||
|  | +      assert_equal rsa1024.export, key.export
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_to_der | ||||||
|  |      rsa1024 = Fixtures.pkey("rsa1024") | ||||||
|  | -    key = OpenSSL::PKey::RSA.new
 | ||||||
|  |   | ||||||
|  | -    # key has only n, e and d
 | ||||||
|  | -    key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | -    assert_equal rsa1024.public_key.to_der, key.to_der
 | ||||||
|  | +    pub = OpenSSL::PKey.read(rsa1024.public_to_der)
 | ||||||
|  | +    assert_not_equal rsa1024.to_der, pub.to_der
 | ||||||
|  | +    assert_equal rsa1024.public_to_der, pub.to_der
 | ||||||
|  |   | ||||||
|  | -    # key has only n, e, d, p and q
 | ||||||
|  | -    key.set_factors(rsa1024.p, rsa1024.q)
 | ||||||
|  | -    assert_equal rsa1024.public_key.to_der, key.to_der
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key = OpenSSL::PKey::RSA.new
 | ||||||
|  |   | ||||||
|  | -    # key has n, e, d, p, q, dmp1, dmq1 and iqmp
 | ||||||
|  | -    key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
 | ||||||
|  | -    assert_equal rsa1024.to_der, key.to_der
 | ||||||
|  | +      # key has only n, e and d
 | ||||||
|  | +      key.set_key(rsa1024.n, rsa1024.e, rsa1024.d)
 | ||||||
|  | +      assert_equal rsa1024.public_key.to_der, key.to_der
 | ||||||
|  | +
 | ||||||
|  | +      # key has only n, e, d, p and q
 | ||||||
|  | +      key.set_factors(rsa1024.p, rsa1024.q)
 | ||||||
|  | +      assert_equal rsa1024.public_key.to_der, key.to_der
 | ||||||
|  | +
 | ||||||
|  | +      # key has n, e, d, p, q, dmp1, dmq1 and iqmp
 | ||||||
|  | +      key.set_crt_params(rsa1024.dmp1, rsa1024.dmq1, rsa1024.iqmp)
 | ||||||
|  | +      assert_equal rsa1024.to_der, key.to_der
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_RSAPrivateKey | ||||||
|  | @@ -501,8 +520,12 @@ def test_dup
 | ||||||
|  |      key = Fixtures.pkey("rsa1024") | ||||||
|  |      key2 = key.dup | ||||||
|  |      assert_equal key.params, key2.params | ||||||
|  | -    key2.set_key(key2.n, 3, key2.d)
 | ||||||
|  | -    assert_not_equal key.params, key2.params
 | ||||||
|  | +
 | ||||||
|  | +    # PKey is immutable in OpenSSL >= 3.0
 | ||||||
|  | +    if !openssl?(3, 0, 0)
 | ||||||
|  | +      key2.set_key(key2.n, 3, key2.d)
 | ||||||
|  | +      assert_not_equal key.params, key2.params
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_marshal | ||||||
							
								
								
									
										27
									
								
								ruby-3.1.0-Disable-test_no_private_exp-on-OpenSSL-3.0.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										27
									
								
								ruby-3.1.0-Disable-test_no_private_exp-on-OpenSSL-3.0.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,27 @@ | |||||||
|  | From 47975ece4096cdab16b3f200f93ea2377dfb41ac Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 31 May 2021 14:17:21 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/test_pkey_rsa: disable test_no_private_exp on | ||||||
|  |  OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | OpenSSL::PKey::RSA#set_key does not exist when built with OpenSSL 3.0, | ||||||
|  | so it is not possible to create an RSA object with incomplete state. | ||||||
|  | 
 | ||||||
|  | https://github.com/ruby/openssl/commit/ca03c9c070 | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_pkey_rsa.rb | 2 +- | ||||||
|  |  1 file changed, 1 insertion(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index 4548bdb2cfa6..dbe87ba4c1b0 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -11,7 +11,7 @@ def test_no_private_exp
 | ||||||
|  |      key.set_factors(rsa.p, rsa.q) | ||||||
|  |      assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt("foo") } | ||||||
|  |      assert_raise(OpenSSL::PKey::RSAError){ key.private_decrypt("foo") } | ||||||
|  | -  end
 | ||||||
|  | +  end if !openssl?(3, 0, 0) # Impossible state in OpenSSL 3.0
 | ||||||
|  |   | ||||||
|  |    def test_private | ||||||
|  |      # Generated by key size and public exponent | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -0,0 +1,523 @@ | |||||||
|  | From 8253d7c9cea16c2aa009b59db4f5d93afb74c6eb Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Tue, 30 Jun 2020 14:27:13 +0900 | ||||||
|  | Subject: [PATCH 1/2] hmac: add a test case for OpenSSL::HMAC singleton methods | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_hmac.rb | 9 +++++++++ | ||||||
|  |  1 file changed, 9 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb
 | ||||||
|  | index 9cb3c5a86..7202a5902 100644
 | ||||||
|  | --- a/test/openssl/test_hmac.rb
 | ||||||
|  | +++ b/test/openssl/test_hmac.rb
 | ||||||
|  | @@ -49,6 +49,15 @@ def test_eq
 | ||||||
|  |      refute_equal h1, h2.digest | ||||||
|  |      refute_equal h1, h3 | ||||||
|  |    end | ||||||
|  | +
 | ||||||
|  | +  def test_singleton_methods
 | ||||||
|  | +    # RFC 2202 2. Test Cases for HMAC-MD5
 | ||||||
|  | +    key = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
 | ||||||
|  | +    digest = OpenSSL::HMAC.digest("MD5", key, "Hi There")
 | ||||||
|  | +    assert_equal ["9294727a3638bb1c13f48ef8158bfc9d"].pack("H*"), digest
 | ||||||
|  | +    hexdigest = OpenSSL::HMAC.hexdigest("MD5", key, "Hi There")
 | ||||||
|  | +    assert_equal "9294727a3638bb1c13f48ef8158bfc9d", hexdigest
 | ||||||
|  | +  end
 | ||||||
|  |  end | ||||||
|  |   | ||||||
|  |  end | ||||||
|  | 
 | ||||||
|  | From 0317e2fc028be40a7d64d0e4337d3e21539613ce Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 18 May 2020 16:15:07 +0900 | ||||||
|  | Subject: [PATCH 2/2] hmac: migrate from the low-level HMAC API to the EVP API | ||||||
|  | 
 | ||||||
|  | Use the EVP API instead of the low-level HMAC API. Use of the HMAC API | ||||||
|  | has been discouraged and is being marked as deprecated starting from | ||||||
|  | OpenSSL 3.0.0. | ||||||
|  | 
 | ||||||
|  | The two singleton methods OpenSSL::HMAC, HMAC.digest and HMAC.hexdigest | ||||||
|  | are now in lib/openssl/hmac.rb. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/extconf.rb          |   3 +- | ||||||
|  |  ext/openssl/lib/openssl/hmac.rb |  40 +++++++ | ||||||
|  |  ext/openssl/openssl_missing.c   |  26 ----- | ||||||
|  |  ext/openssl/openssl_missing.h   |  10 +- | ||||||
|  |  ext/openssl/ossl.h              |   1 - | ||||||
|  |  ext/openssl/ossl_hmac.c         | 179 ++++++++------------------------ | ||||||
|  |  6 files changed, 89 insertions(+), 170 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 | ||||||
|  | index 693e55cd9..063498a76 100644
 | ||||||
|  | --- a/ext/openssl/extconf.rb
 | ||||||
|  | +++ b/ext/openssl/extconf.rb
 | ||||||
|  | @@ -141,8 +141,7 @@ def find_openssl_library
 | ||||||
|  |  have_func("BN_GENCB_get_arg") | ||||||
|  |  have_func("EVP_MD_CTX_new") | ||||||
|  |  have_func("EVP_MD_CTX_free") | ||||||
|  | -have_func("HMAC_CTX_new")
 | ||||||
|  | -have_func("HMAC_CTX_free")
 | ||||||
|  | +have_func("EVP_MD_CTX_pkey_ctx")
 | ||||||
|  |  have_func("X509_STORE_get_ex_data") | ||||||
|  |  have_func("X509_STORE_set_ex_data") | ||||||
|  |  have_func("X509_STORE_get_ex_new_index") | ||||||
|  | diff --git a/ext/openssl/lib/openssl/hmac.rb b/ext/openssl/lib/openssl/hmac.rb
 | ||||||
|  | index 3d4427611d..9bc8bc8df3 100644
 | ||||||
|  | --- a/ext/openssl/lib/openssl/hmac.rb
 | ||||||
|  | +++ b/ext/openssl/lib/openssl/hmac.rb
 | ||||||
|  | @@ -9,5 +9,45 @@ def ==(other)
 | ||||||
|  |   | ||||||
|  |        OpenSSL.fixed_length_secure_compare(self.digest, other.digest) | ||||||
|  |      end | ||||||
|  | +
 | ||||||
|  | +    class << self
 | ||||||
|  | +      # :call-seq:
 | ||||||
|  | +      #    HMAC.digest(digest, key, data) -> aString
 | ||||||
|  | +      #
 | ||||||
|  | +      # Returns the authentication code as a binary string. The _digest_ parameter
 | ||||||
|  | +      # specifies the digest algorithm to use. This may be a String representing
 | ||||||
|  | +      # the algorithm name or an instance of OpenSSL::Digest.
 | ||||||
|  | +      #
 | ||||||
|  | +      # === Example
 | ||||||
|  | +      #  key = 'key'
 | ||||||
|  | +      #  data = 'The quick brown fox jumps over the lazy dog'
 | ||||||
|  | +      #
 | ||||||
|  | +      #  hmac = OpenSSL::HMAC.digest('SHA1', key, data)
 | ||||||
|  | +      #  #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
 | ||||||
|  | +      def digest(digest, key, data)
 | ||||||
|  | +        hmac = new(key, digest)
 | ||||||
|  | +        hmac << data
 | ||||||
|  | +        hmac.digest
 | ||||||
|  | +      end
 | ||||||
|  | +
 | ||||||
|  | +      # :call-seq:
 | ||||||
|  | +      #    HMAC.hexdigest(digest, key, data) -> aString
 | ||||||
|  | +      #
 | ||||||
|  | +      # Returns the authentication code as a hex-encoded string. The _digest_
 | ||||||
|  | +      # parameter specifies the digest algorithm to use. This may be a String
 | ||||||
|  | +      # representing the algorithm name or an instance of OpenSSL::Digest.
 | ||||||
|  | +      #
 | ||||||
|  | +      # === Example
 | ||||||
|  | +      #  key = 'key'
 | ||||||
|  | +      #  data = 'The quick brown fox jumps over the lazy dog'
 | ||||||
|  | +      #
 | ||||||
|  | +      #  hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
 | ||||||
|  | +      #  #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
 | ||||||
|  | +      def hexdigest(digest, key, data)
 | ||||||
|  | +        hmac = new(key, digest)
 | ||||||
|  | +        hmac << data
 | ||||||
|  | +        hmac.hexdigest
 | ||||||
|  | +      end
 | ||||||
|  | +    end
 | ||||||
|  |    end | ||||||
|  |  end | ||||||
|  | diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
 | ||||||
|  | index b36ef0288..010c158dc 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.c
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.c
 | ||||||
|  | @@ -13,9 +13,6 @@
 | ||||||
|  |  #if !defined(OPENSSL_NO_ENGINE) | ||||||
|  |  # include <openssl/engine.h> | ||||||
|  |  #endif | ||||||
|  | -#if !defined(OPENSSL_NO_HMAC)
 | ||||||
|  | -# include <openssl/hmac.h>
 | ||||||
|  | -#endif
 | ||||||
|  |  #include <openssl/x509_vfy.h> | ||||||
|  |   | ||||||
|  |  #include "openssl_missing.h" | ||||||
|  | @@ -58,29 +55,6 @@ ossl_EC_curve_nist2nid(const char *name)
 | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  |  /*** added in 1.1.0 ***/ | ||||||
|  | -#if !defined(HAVE_HMAC_CTX_NEW)
 | ||||||
|  | -HMAC_CTX *
 | ||||||
|  | -ossl_HMAC_CTX_new(void)
 | ||||||
|  | -{
 | ||||||
|  | -    HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
 | ||||||
|  | -    if (!ctx)
 | ||||||
|  | -	return NULL;
 | ||||||
|  | -    HMAC_CTX_init(ctx);
 | ||||||
|  | -    return ctx;
 | ||||||
|  | -}
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  | -#if !defined(HAVE_HMAC_CTX_FREE)
 | ||||||
|  | -void
 | ||||||
|  | -ossl_HMAC_CTX_free(HMAC_CTX *ctx)
 | ||||||
|  | -{
 | ||||||
|  | -    if (ctx) {
 | ||||||
|  | -	HMAC_CTX_cleanup(ctx);
 | ||||||
|  | -	OPENSSL_free(ctx);
 | ||||||
|  | -    }
 | ||||||
|  | -}
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  #if !defined(HAVE_X509_CRL_GET0_SIGNATURE) | ||||||
|  |  void | ||||||
|  |  ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, | ||||||
|  | diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
 | ||||||
|  | index 7d218f86f..06d2a9082 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.h
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.h
 | ||||||
|  | @@ -54,14 +54,8 @@ int ossl_EC_curve_nist2nid(const char *);
 | ||||||
|  |  #  define EVP_MD_CTX_free EVP_MD_CTX_destroy | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | -#if !defined(HAVE_HMAC_CTX_NEW)
 | ||||||
|  | -HMAC_CTX *ossl_HMAC_CTX_new(void);
 | ||||||
|  | -#  define HMAC_CTX_new ossl_HMAC_CTX_new
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  | -#if !defined(HAVE_HMAC_CTX_FREE)
 | ||||||
|  | -void ossl_HMAC_CTX_free(HMAC_CTX *);
 | ||||||
|  | -#  define HMAC_CTX_free ossl_HMAC_CTX_free
 | ||||||
|  | +#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
 | ||||||
|  | +#  define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
 | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  |  #if !defined(HAVE_X509_STORE_GET_EX_DATA) | ||||||
|  | diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
 | ||||||
|  | index c20f506bd..577eb6d6b 100644
 | ||||||
|  | --- a/ext/openssl/ossl.h
 | ||||||
|  | +++ b/ext/openssl/ossl.h
 | ||||||
|  | @@ -24,7 +24,6 @@
 | ||||||
|  |  #include <openssl/ssl.h> | ||||||
|  |  #include <openssl/pkcs12.h> | ||||||
|  |  #include <openssl/pkcs7.h> | ||||||
|  | -#include <openssl/hmac.h>
 | ||||||
|  |  #include <openssl/rand.h> | ||||||
|  |  #include <openssl/conf.h> | ||||||
|  |  #ifndef OPENSSL_NO_TS | ||||||
|  | diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
 | ||||||
|  | index 70e9fb819..a21db6c48 100644
 | ||||||
|  | --- a/ext/openssl/ossl_hmac.c
 | ||||||
|  | +++ b/ext/openssl/ossl_hmac.c
 | ||||||
|  | @@ -7,14 +7,12 @@
 | ||||||
|  |   * This program is licensed under the same licence as Ruby. | ||||||
|  |   * (See the file 'LICENCE'.) | ||||||
|  |   */ | ||||||
|  | -#if !defined(OPENSSL_NO_HMAC)
 | ||||||
|  | -
 | ||||||
|  |  #include "ossl.h" | ||||||
|  |   | ||||||
|  |  #define NewHMAC(klass) \ | ||||||
|  |      TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0) | ||||||
|  |  #define GetHMAC(obj, ctx) do { \ | ||||||
|  | -    TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
 | ||||||
|  | +    TypedData_Get_Struct((obj), EVP_MD_CTX, &ossl_hmac_type, (ctx)); \
 | ||||||
|  |      if (!(ctx)) { \ | ||||||
|  |  	ossl_raise(rb_eRuntimeError, "HMAC wasn't initialized"); \ | ||||||
|  |      } \ | ||||||
|  | @@ -36,7 +34,7 @@ VALUE eHMACError;
 | ||||||
|  |  static void | ||||||
|  |  ossl_hmac_free(void *ctx) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX_free(ctx);
 | ||||||
|  | +    EVP_MD_CTX_free(ctx);
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  static const rb_data_type_t ossl_hmac_type = { | ||||||
|  | @@ -51,12 +49,12 @@ static VALUE
 | ||||||
|  |  ossl_hmac_alloc(VALUE klass) | ||||||
|  |  { | ||||||
|  |      VALUE obj; | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  |   | ||||||
|  |      obj = NewHMAC(klass); | ||||||
|  | -    ctx = HMAC_CTX_new();
 | ||||||
|  | +    ctx = EVP_MD_CTX_new();
 | ||||||
|  |      if (!ctx) | ||||||
|  | -	ossl_raise(eHMACError, NULL);
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_MD_CTX");
 | ||||||
|  |      RTYPEDDATA_DATA(obj) = ctx; | ||||||
|  |   | ||||||
|  |      return obj; | ||||||
|  | @@ -76,8 +74,7 @@ ossl_hmac_alloc(VALUE klass)
 | ||||||
|  |   * === Example | ||||||
|  |   * | ||||||
|  |   *	key = 'key' | ||||||
|  | - * 	digest = OpenSSL::Digest.new('sha1')
 | ||||||
|  | - * 	instance = OpenSSL::HMAC.new(key, digest)
 | ||||||
|  | + * 	instance = OpenSSL::HMAC.new(key, 'SHA1')
 | ||||||
|  |   * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f | ||||||
|  |   * 	instance.class | ||||||
|  |   * 	#=> OpenSSL::HMAC | ||||||
|  | @@ -86,7 +83,7 @@ ossl_hmac_alloc(VALUE klass)
 | ||||||
|  |   * | ||||||
|  |   * Two instances can be securely compared with #== in constant time: | ||||||
|  |   * | ||||||
|  | - *	other_instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
 | ||||||
|  | + *	other_instance = OpenSSL::HMAC.new('key', 'SHA1')
 | ||||||
|  |   *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f | ||||||
|  |   *  instance == other_instance | ||||||
|  |   *  #=> true | ||||||
|  | @@ -95,12 +92,23 @@ ossl_hmac_alloc(VALUE klass)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  |   | ||||||
|  | -    StringValue(key);
 | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | -    HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
 | ||||||
|  | -		 ossl_evp_get_digestbyname(digest), NULL);
 | ||||||
|  | +    StringValue(key);
 | ||||||
|  | +    pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
 | ||||||
|  | +                                (unsigned char *)RSTRING_PTR(key),
 | ||||||
|  | +                                RSTRING_LENINT(key));
 | ||||||
|  | +    if (!pkey)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
 | ||||||
|  | +    if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
 | ||||||
|  | +                           NULL, pkey) != 1) {
 | ||||||
|  | +        EVP_PKEY_free(pkey);
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_DigestSignInit");
 | ||||||
|  | +    }
 | ||||||
|  | +    /* Decrement reference counter; EVP_MD_CTX still keeps it */
 | ||||||
|  | +    EVP_PKEY_free(pkey);
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  | @@ -108,16 +116,15 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_copy(VALUE self, VALUE other) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx1, *ctx2;
 | ||||||
|  | +    EVP_MD_CTX *ctx1, *ctx2;
 | ||||||
|  |   | ||||||
|  |      rb_check_frozen(self); | ||||||
|  |      if (self == other) return self; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx1); | ||||||
|  |      GetHMAC(other, ctx2); | ||||||
|  | -
 | ||||||
|  | -    if (!HMAC_CTX_copy(ctx1, ctx2))
 | ||||||
|  | -	ossl_raise(eHMACError, "HMAC_CTX_copy");
 | ||||||
|  | +    if (EVP_MD_CTX_copy(ctx1, ctx2) != 1)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_MD_CTX_copy");
 | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | @@ -142,33 +149,16 @@ ossl_hmac_copy(VALUE self, VALUE other)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_update(VALUE self, VALUE data) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  |   | ||||||
|  |      StringValue(data); | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | -    HMAC_Update(ctx, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data));
 | ||||||
|  | +    if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_DigestSignUpdate");
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -static void
 | ||||||
|  | -hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
 | ||||||
|  | -{
 | ||||||
|  | -    HMAC_CTX *final;
 | ||||||
|  | -
 | ||||||
|  | -    final = HMAC_CTX_new();
 | ||||||
|  | -    if (!final)
 | ||||||
|  | -	ossl_raise(eHMACError, "HMAC_CTX_new");
 | ||||||
|  | -
 | ||||||
|  | -    if (!HMAC_CTX_copy(final, ctx)) {
 | ||||||
|  | -	HMAC_CTX_free(final);
 | ||||||
|  | -	ossl_raise(eHMACError, "HMAC_CTX_copy");
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  | -    HMAC_Final(final, buf, buf_len);
 | ||||||
|  | -    HMAC_CTX_free(final);
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *     hmac.digest -> string | ||||||
|  | @@ -176,7 +166,7 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
 | ||||||
|  |   * Returns the authentication code an instance represents as a binary string. | ||||||
|  |   * | ||||||
|  |   * === Example | ||||||
|  | - *  instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
 | ||||||
|  | + *  instance = OpenSSL::HMAC.new('key', 'SHA1')
 | ||||||
|  |   *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f | ||||||
|  |   *  instance.digest | ||||||
|  |   *  #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?" | ||||||
|  | @@ -184,15 +174,16 @@ hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_digest(VALUE self) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | -    unsigned int buf_len;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  | +    size_t buf_len;
 | ||||||
|  |      VALUE ret; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  |      ret = rb_str_new(NULL, EVP_MAX_MD_SIZE); | ||||||
|  | -    hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
 | ||||||
|  | -    assert(buf_len <= EVP_MAX_MD_SIZE);
 | ||||||
|  | -    rb_str_set_len(ret, buf_len);
 | ||||||
|  | +    if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret),
 | ||||||
|  | +                            &buf_len) != 1)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_DigestSignFinal");
 | ||||||
|  | +    rb_str_set_len(ret, (long)buf_len);
 | ||||||
|  |   | ||||||
|  |      return ret; | ||||||
|  |  } | ||||||
|  | @@ -207,13 +198,14 @@ ossl_hmac_digest(VALUE self)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_hexdigest(VALUE self) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  |      unsigned char buf[EVP_MAX_MD_SIZE]; | ||||||
|  | -    unsigned int buf_len;
 | ||||||
|  | +    size_t buf_len;
 | ||||||
|  |      VALUE ret; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | -    hmac_final(ctx, buf, &buf_len);
 | ||||||
|  | +    if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_DigestSignFinal");
 | ||||||
|  |      ret = rb_str_new(NULL, buf_len * 2); | ||||||
|  |      ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len); | ||||||
|  |   | ||||||
|  | @@ -230,7 +222,7 @@ ossl_hmac_hexdigest(VALUE self)
 | ||||||
|  |   * === Example | ||||||
|  |   * | ||||||
|  |   *	data = "The quick brown fox jumps over the lazy dog" | ||||||
|  | - * 	instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
 | ||||||
|  | + * 	instance = OpenSSL::HMAC.new('key', 'SHA1')
 | ||||||
|  |   * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f | ||||||
|  |   * | ||||||
|  |   * 	instance.update(data) | ||||||
|  | @@ -242,84 +234,17 @@ ossl_hmac_hexdigest(VALUE self)
 | ||||||
|  |  static VALUE | ||||||
|  |  ossl_hmac_reset(VALUE self) | ||||||
|  |  { | ||||||
|  | -    HMAC_CTX *ctx;
 | ||||||
|  | +    EVP_MD_CTX *ctx;
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | -    HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
 | ||||||
|  | +    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
 | ||||||
|  | +    if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
 | ||||||
|  | +        ossl_raise(eHMACError, "EVP_DigestSignInit");
 | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     HMAC.digest(digest, key, data) -> aString
 | ||||||
|  | - *
 | ||||||
|  | - * Returns the authentication code as a binary string. The _digest_ parameter
 | ||||||
|  | - * specifies the digest algorithm to use. This may be a String representing
 | ||||||
|  | - * the algorithm name or an instance of OpenSSL::Digest.
 | ||||||
|  | - *
 | ||||||
|  | - * === Example
 | ||||||
|  | - *
 | ||||||
|  | - *	key = 'key'
 | ||||||
|  | - * 	data = 'The quick brown fox jumps over the lazy dog'
 | ||||||
|  | - *
 | ||||||
|  | - * 	hmac = OpenSSL::HMAC.digest('sha1', key, data)
 | ||||||
|  | - * 	#=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
 | ||||||
|  | - *
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
 | ||||||
|  | -{
 | ||||||
|  | -    unsigned char *buf;
 | ||||||
|  | -    unsigned int buf_len;
 | ||||||
|  | -
 | ||||||
|  | -    StringValue(key);
 | ||||||
|  | -    StringValue(data);
 | ||||||
|  | -    buf = HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
 | ||||||
|  | -	       RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
 | ||||||
|  | -	       RSTRING_LEN(data), NULL, &buf_len);
 | ||||||
|  | -
 | ||||||
|  | -    return rb_str_new((const char *)buf, buf_len);
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     HMAC.hexdigest(digest, key, data) -> aString
 | ||||||
|  | - *
 | ||||||
|  | - * Returns the authentication code as a hex-encoded string. The _digest_
 | ||||||
|  | - * parameter specifies the digest algorithm to use. This may be a String
 | ||||||
|  | - * representing the algorithm name or an instance of OpenSSL::Digest.
 | ||||||
|  | - *
 | ||||||
|  | - * === Example
 | ||||||
|  | - *
 | ||||||
|  | - *	key = 'key'
 | ||||||
|  | - * 	data = 'The quick brown fox jumps over the lazy dog'
 | ||||||
|  | - *
 | ||||||
|  | - * 	hmac = OpenSSL::HMAC.hexdigest('sha1', key, data)
 | ||||||
|  | - * 	#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
 | ||||||
|  | - *
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
 | ||||||
|  | -{
 | ||||||
|  | -    unsigned char buf[EVP_MAX_MD_SIZE];
 | ||||||
|  | -    unsigned int buf_len;
 | ||||||
|  | -    VALUE ret;
 | ||||||
|  | -
 | ||||||
|  | -    StringValue(key);
 | ||||||
|  | -    StringValue(data);
 | ||||||
|  | -
 | ||||||
|  | -    if (!HMAC(ossl_evp_get_digestbyname(digest), RSTRING_PTR(key),
 | ||||||
|  | -	      RSTRING_LENINT(key), (unsigned char *)RSTRING_PTR(data),
 | ||||||
|  | -	      RSTRING_LEN(data), buf, &buf_len))
 | ||||||
|  | -	ossl_raise(eHMACError, "HMAC");
 | ||||||
|  | -
 | ||||||
|  | -    ret = rb_str_new(NULL, buf_len * 2);
 | ||||||
|  | -    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
 | ||||||
|  | -
 | ||||||
|  | -    return ret;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   * INIT | ||||||
|  |   */ | ||||||
|  | @@ -353,8 +278,7 @@ Init_ossl_hmac(void)
 | ||||||
|  |       *   data1 = File.read("file1") | ||||||
|  |       *   data2 = File.read("file2") | ||||||
|  |       *   key = "key" | ||||||
|  | -     *   digest = OpenSSL::Digest.new('SHA256')
 | ||||||
|  | -     *   hmac = OpenSSL::HMAC.new(key, digest)
 | ||||||
|  | +     *   hmac = OpenSSL::HMAC.new(key, 'SHA256')
 | ||||||
|  |       *   hmac << data1 | ||||||
|  |       *   hmac << data2 | ||||||
|  |       *   mac = hmac.digest | ||||||
|  | @@ -364,8 +288,6 @@ Init_ossl_hmac(void)
 | ||||||
|  |      cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject); | ||||||
|  |   | ||||||
|  |      rb_define_alloc_func(cHMAC, ossl_hmac_alloc); | ||||||
|  | -    rb_define_singleton_method(cHMAC, "digest", ossl_hmac_s_digest, 3);
 | ||||||
|  | -    rb_define_singleton_method(cHMAC, "hexdigest", ossl_hmac_s_hexdigest, 3);
 | ||||||
|  |   | ||||||
|  |      rb_define_method(cHMAC, "initialize", ossl_hmac_initialize, 2); | ||||||
|  |      rb_define_method(cHMAC, "initialize_copy", ossl_hmac_copy, 1); | ||||||
|  | @@ -378,12 +300,3 @@ Init_ossl_hmac(void)
 | ||||||
|  |      rb_define_alias(cHMAC, "inspect", "hexdigest"); | ||||||
|  |      rb_define_alias(cHMAC, "to_s", "hexdigest"); | ||||||
|  |  } | ||||||
|  | -
 | ||||||
|  | -#else /* NO_HMAC */
 | ||||||
|  | -#  warning >>> OpenSSL is compiled without HMAC support <<<
 | ||||||
|  | -void
 | ||||||
|  | -Init_ossl_hmac(void)
 | ||||||
|  | -{
 | ||||||
|  | -    rb_warning("HMAC is not available: OpenSSL is compiled without HMAC.");
 | ||||||
|  | -}
 | ||||||
|  | -#endif /* NO_HMAC */
 | ||||||
|  | -- 
 | ||||||
|  | 2.34.1 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,458 @@ | |||||||
|  | From 91d04f991f8b9910efea7bbe5aecb0fea2bbd5fa Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sun, 24 Oct 2021 17:50:18 +0900 | ||||||
|  | Subject: [PATCH 1/8] cipher: update test_ciphers | ||||||
|  | 
 | ||||||
|  | Do not attempt to actually use all algorithms. Not all algorithms listed | ||||||
|  | in OpenSSL::Cipher.ciphers are always available. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_cipher.rb | 13 +++++-------- | ||||||
|  |  1 file changed, 5 insertions(+), 8 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb
 | ||||||
|  | index 6d18c0c8..b5fdf0b3 100644
 | ||||||
|  | --- a/test/openssl/test_cipher.rb
 | ||||||
|  | +++ b/test/openssl/test_cipher.rb
 | ||||||
|  | @@ -135,14 +135,11 @@ def test_ctr_if_exists
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_ciphers | ||||||
|  | -    OpenSSL::Cipher.ciphers.each{|name|
 | ||||||
|  | -      next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name
 | ||||||
|  | -      begin
 | ||||||
|  | -        assert_kind_of(OpenSSL::Cipher, OpenSSL::Cipher.new(name))
 | ||||||
|  | -      rescue OpenSSL::Cipher::CipherError => e
 | ||||||
|  | -        raise unless /wrap/ =~ name and /wrap mode not allowed/ =~ e.message
 | ||||||
|  | -      end
 | ||||||
|  | -    }
 | ||||||
|  | +    ciphers = OpenSSL::Cipher.ciphers
 | ||||||
|  | +    assert_kind_of Array, ciphers
 | ||||||
|  | +    assert_include ciphers, "aes-128-cbc"
 | ||||||
|  | +    assert_include ciphers, "aes128" # alias of aes-128-cbc
 | ||||||
|  | +    assert_include ciphers, "aes-128-gcm"
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_AES | ||||||
|  | 
 | ||||||
|  | From 6a60c7b2e7b6afe8b8c98d864ef2740094d86e1d Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 11 Dec 2021 16:27:42 +0900 | ||||||
|  | Subject: [PATCH 2/8] hmac: fix wrong usage of EVP_DigestSignFinal() | ||||||
|  | 
 | ||||||
|  | According to the manpage, the "siglen" parameter must be initialized | ||||||
|  | beforehand. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_hmac.c | 4 ++-- | ||||||
|  |  1 file changed, 2 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
 | ||||||
|  | index f89ff2f9..bfe3a74b 100644
 | ||||||
|  | --- a/ext/openssl/ossl_hmac.c
 | ||||||
|  | +++ b/ext/openssl/ossl_hmac.c
 | ||||||
|  | @@ -175,7 +175,7 @@ static VALUE
 | ||||||
|  |  ossl_hmac_digest(VALUE self) | ||||||
|  |  { | ||||||
|  |      EVP_MD_CTX *ctx; | ||||||
|  | -    size_t buf_len;
 | ||||||
|  | +    size_t buf_len = EVP_MAX_MD_SIZE;
 | ||||||
|  |      VALUE ret; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | @@ -200,7 +200,7 @@ ossl_hmac_hexdigest(VALUE self)
 | ||||||
|  |  { | ||||||
|  |      EVP_MD_CTX *ctx; | ||||||
|  |      unsigned char buf[EVP_MAX_MD_SIZE]; | ||||||
|  | -    size_t buf_len;
 | ||||||
|  | +    size_t buf_len = EVP_MAX_MD_SIZE;
 | ||||||
|  |      VALUE ret; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | 
 | ||||||
|  | From 46995816392a79d037df5550b2fb226652c06f42 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 11 Dec 2021 16:30:30 +0900 | ||||||
|  | Subject: [PATCH 3/8] hmac: skip test_dup on OpenSSL 3.0 for now | ||||||
|  | 
 | ||||||
|  | EVP_MD_CTX_copy() doesn't seem to work as intended on HMAC EVP_MD_CTX | ||||||
|  | on OpenSSL 3.0.0 and causes a double free. I haven't found the root | ||||||
|  | problem yet, but let's skip the test case for now. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_hmac.rb | 1 + | ||||||
|  |  1 file changed, 1 insertion(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb
 | ||||||
|  | index 2f53a813..47cb3718 100644
 | ||||||
|  | --- a/test/openssl/test_hmac.rb
 | ||||||
|  | +++ b/test/openssl/test_hmac.rb
 | ||||||
|  | @@ -19,6 +19,7 @@ def test_hmac
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_dup | ||||||
|  | +    pend "HMAC#initialize_copy is currently broken on OpenSSL 3.0.0" if openssl?(3, 0, 0)
 | ||||||
|  |      h1 = OpenSSL::HMAC.new("KEY", "MD5") | ||||||
|  |      h1.update("DATA") | ||||||
|  |      h = h1.dup | ||||||
|  | 
 | ||||||
|  | From 69a27d8de4bd291cb4eb21a4d715b197e7da5a06 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Thu, 15 Apr 2021 00:51:58 +0900 | ||||||
|  | Subject: [PATCH 4/8] engine: disable OpenSSL::Engine on OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | The entire ENGINE API is deprecated in OpenSSL 3.0 in favor of the new | ||||||
|  | "Provider" concept. | ||||||
|  | 
 | ||||||
|  | OpenSSL::Engine will not be defined when compiled with OpenSSL 3.0. | ||||||
|  | We would need a way to interact with providers from Ruby programs, but | ||||||
|  | since the concept is completely different from the ENGINE API, it will | ||||||
|  | not be through the current OpenSSL::Engine interface. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/openssl_missing.c | 3 --- | ||||||
|  |  ext/openssl/ossl.h            | 8 +++++--- | ||||||
|  |  ext/openssl/ossl_engine.c     | 3 ++- | ||||||
|  |  ext/openssl/ossl_pkey.c       | 4 ++++ | ||||||
|  |  4 files changed, 11 insertions(+), 7 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
 | ||||||
|  | index 8b93cba6..4415703d 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.c
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.c
 | ||||||
|  | @@ -10,9 +10,6 @@
 | ||||||
|  |  #include RUBY_EXTCONF_H | ||||||
|  |   | ||||||
|  |  #include <string.h> /* memcpy() */ | ||||||
|  | -#if !defined(OPENSSL_NO_ENGINE)
 | ||||||
|  | -# include <openssl/engine.h>
 | ||||||
|  | -#endif
 | ||||||
|  |  #include <openssl/x509_vfy.h> | ||||||
|  |   | ||||||
|  |  #include "openssl_missing.h" | ||||||
|  | diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
 | ||||||
|  | index 3a0ab1e5..4b512689 100644
 | ||||||
|  | --- a/ext/openssl/ossl.h
 | ||||||
|  | +++ b/ext/openssl/ossl.h
 | ||||||
|  | @@ -18,6 +18,7 @@
 | ||||||
|  |  #include <ruby/io.h> | ||||||
|  |  #include <ruby/thread.h> | ||||||
|  |  #include <openssl/opensslv.h> | ||||||
|  | +
 | ||||||
|  |  #include <openssl/err.h> | ||||||
|  |  #include <openssl/asn1.h> | ||||||
|  |  #include <openssl/x509v3.h> | ||||||
|  | @@ -30,9 +31,6 @@
 | ||||||
|  |    #include <openssl/ts.h> | ||||||
|  |  #endif | ||||||
|  |  #include <openssl/crypto.h> | ||||||
|  | -#if !defined(OPENSSL_NO_ENGINE)
 | ||||||
|  | -#  include <openssl/engine.h>
 | ||||||
|  | -#endif
 | ||||||
|  |  #if !defined(OPENSSL_NO_OCSP) | ||||||
|  |  #  include <openssl/ocsp.h> | ||||||
|  |  #endif | ||||||
|  | @@ -54,6 +52,10 @@
 | ||||||
|  |        (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12)) | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +#if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +# define OSSL_USE_ENGINE
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * Common Module | ||||||
|  |   */ | ||||||
|  | diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
 | ||||||
|  | index 661a1368..1abde7f7 100644
 | ||||||
|  | --- a/ext/openssl/ossl_engine.c
 | ||||||
|  | +++ b/ext/openssl/ossl_engine.c
 | ||||||
|  | @@ -9,7 +9,8 @@
 | ||||||
|  |   */ | ||||||
|  |  #include "ossl.h" | ||||||
|  |   | ||||||
|  | -#if !defined(OPENSSL_NO_ENGINE)
 | ||||||
|  | +#ifdef OSSL_USE_ENGINE
 | ||||||
|  | +# include <openssl/engine.h>
 | ||||||
|  |   | ||||||
|  |  #define NewEngine(klass) \ | ||||||
|  |      TypedData_Wrap_Struct((klass), &ossl_engine_type, 0) | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index 7030be3c..94760d32 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -9,6 +9,10 @@
 | ||||||
|  |   */ | ||||||
|  |  #include "ossl.h" | ||||||
|  |   | ||||||
|  | +#ifdef OSSL_USE_ENGINE
 | ||||||
|  | +# include <openssl/engine.h>
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * Classes | ||||||
|  |   */ | ||||||
|  | 
 | ||||||
|  | From b1ee2f23b28c2d0b14fd9b4b9fef13e870370746 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Wed, 17 Nov 2021 11:39:06 +0900 | ||||||
|  | Subject: [PATCH 5/8] ssl: add constants for new SSL_OP_* flags | ||||||
|  | 
 | ||||||
|  | Add all SSL_OP_* constants defined in OpenSSL 3.0.0 which are not | ||||||
|  | specific to DTLS. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_ssl.c | 35 +++++++++++++++++++++++++++++------ | ||||||
|  |  1 file changed, 29 insertions(+), 6 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
 | ||||||
|  | index 3b425ca7..9a0682a7 100644
 | ||||||
|  | --- a/ext/openssl/ossl_ssl.c
 | ||||||
|  | +++ b/ext/openssl/ossl_ssl.c
 | ||||||
|  | @@ -2941,13 +2941,28 @@ Init_ossl_ssl(void)
 | ||||||
|  |      rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE)); | ||||||
|  |   | ||||||
|  |      rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL)); | ||||||
|  | +#ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
 | ||||||
|  | +#endif
 | ||||||
|  |      rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT)); | ||||||
|  | +#ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
 | ||||||
|  | +#endif
 | ||||||
|  |  #ifdef SSL_OP_TLSEXT_PADDING /* OpenSSL 1.0.1h and OpenSSL 1.0.2 */ | ||||||
|  |      rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING)); | ||||||
|  |  #endif | ||||||
|  |  #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG /* OpenSSL 1.0.1f and OpenSSL 1.0.2 */ | ||||||
|  |      rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)); | ||||||
|  |  #endif | ||||||
|  | +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
 | ||||||
|  | +#endif
 | ||||||
|  | +#ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
 | ||||||
|  | +#endif
 | ||||||
|  | +#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
 | ||||||
|  | +#endif
 | ||||||
|  |  #ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */ | ||||||
|  |      rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX)); | ||||||
|  |  #endif | ||||||
|  | @@ -2959,13 +2974,15 @@ Init_ossl_ssl(void)
 | ||||||
|  |  #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */ | ||||||
|  |      rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC)); | ||||||
|  |  #endif | ||||||
|  | -    rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
 | ||||||
|  | -    rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
 | ||||||
|  | -#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
 | ||||||
|  | -    rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
 | ||||||
|  | +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
 | ||||||
|  | +#endif
 | ||||||
|  | +#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
 | ||||||
|  | +#endif
 | ||||||
|  | +#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
 | ||||||
|  |  #endif | ||||||
|  | -    rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
 | ||||||
|  | -
 | ||||||
|  |      rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3)); | ||||||
|  |      rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1)); | ||||||
|  |      rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1)); | ||||||
|  | @@ -2973,6 +2990,12 @@ Init_ossl_ssl(void)
 | ||||||
|  |  #ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */ | ||||||
|  |      rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3)); | ||||||
|  |  #endif | ||||||
|  | +    rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
 | ||||||
|  | +    rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
 | ||||||
|  | +#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
 | ||||||
|  | +    rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
 | ||||||
|  | +#endif
 | ||||||
|  | +    rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
 | ||||||
|  |   | ||||||
|  |      /* SSL_OP_* flags for DTLS */ | ||||||
|  |  #if 0 | ||||||
|  | 
 | ||||||
|  | From e168df0f3570709bfb38e9a39838bd0a7e78164c Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sun, 12 Dec 2021 00:47:35 +0900 | ||||||
|  | Subject: [PATCH 6/8] ssl: update test_options_disable_versions | ||||||
|  | 
 | ||||||
|  | Use the combination of TLS 1.2 and TLS 1.3 instead of TLS 1.1 and TLS | ||||||
|  | 1.2 so that will the test case will be run on latest platforms. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_ssl.rb | 75 +++++++++++++++++++++------------------- | ||||||
|  |  1 file changed, 40 insertions(+), 35 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
 | ||||||
|  | index 22691292..2abade06 100644
 | ||||||
|  | --- a/test/openssl/test_ssl.rb
 | ||||||
|  | +++ b/test/openssl/test_ssl.rb
 | ||||||
|  | @@ -1180,46 +1180,51 @@ def test_minmax_version
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_options_disable_versions | ||||||
|  | -    # Note: Use of these OP_* flags has been deprecated since OpenSSL 1.1.0.
 | ||||||
|  | +    # It's recommended to use SSLContext#{min,max}_version= instead in real
 | ||||||
|  | +    # applications. The purpose of this test case is to check that SSL options
 | ||||||
|  | +    # are properly propagated to OpenSSL library.
 | ||||||
|  |      supported = check_supported_protocol_versions | ||||||
|  | +    if !defined?(OpenSSL::SSL::TLS1_3_VERSION) ||
 | ||||||
|  | +        !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
 | ||||||
|  | +        !supported.include?(OpenSSL::SSL::TLS1_3_VERSION) ||
 | ||||||
|  | +        !defined?(OpenSSL::SSL::OP_NO_TLSv1_3) # LibreSSL < 3.4
 | ||||||
|  | +      pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
 | ||||||
|  | +        "and enabled by default"
 | ||||||
|  | +    end
 | ||||||
|  |   | ||||||
|  | -    if supported.include?(OpenSSL::SSL::TLS1_1_VERSION) &&
 | ||||||
|  | -        supported.include?(OpenSSL::SSL::TLS1_2_VERSION)
 | ||||||
|  | -      # Server disables ~ TLS 1.1
 | ||||||
|  | -      ctx_proc = proc { |ctx|
 | ||||||
|  | -        ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
 | ||||||
|  | -          OpenSSL::SSL::OP_NO_TLSv1 | OpenSSL::SSL::OP_NO_TLSv1_1
 | ||||||
|  | -      }
 | ||||||
|  | -      start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
 | ||||||
|  | -        # Client only supports TLS 1.1
 | ||||||
|  | -        ctx1 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | -        ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_1_VERSION
 | ||||||
|  | -        assert_handshake_error { server_connect(port, ctx1) { } }
 | ||||||
|  | +    # Server disables TLS 1.2 and earlier
 | ||||||
|  | +    ctx_proc = proc { |ctx|
 | ||||||
|  | +      ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
 | ||||||
|  | +        OpenSSL::SSL::OP_NO_TLSv1 | OpenSSL::SSL::OP_NO_TLSv1_1 |
 | ||||||
|  | +        OpenSSL::SSL::OP_NO_TLSv1_2
 | ||||||
|  | +    }
 | ||||||
|  | +    start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
 | ||||||
|  | +      # Client only supports TLS 1.2
 | ||||||
|  | +      ctx1 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | +      ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
 | ||||||
|  | +      assert_handshake_error { server_connect(port, ctx1) { } }
 | ||||||
|  |   | ||||||
|  | -        # Client only supports TLS 1.2
 | ||||||
|  | -        ctx2 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | -        ctx2.min_version = ctx2.max_version = OpenSSL::SSL::TLS1_2_VERSION
 | ||||||
|  | -        assert_nothing_raised { server_connect(port, ctx2) { } }
 | ||||||
|  | -      }
 | ||||||
|  | +      # Client only supports TLS 1.3
 | ||||||
|  | +      ctx2 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | +      ctx2.min_version = ctx2.max_version = OpenSSL::SSL::TLS1_3_VERSION
 | ||||||
|  | +      assert_nothing_raised { server_connect(port, ctx2) { } }
 | ||||||
|  | +    }
 | ||||||
|  |   | ||||||
|  | -      # Server only supports TLS 1.1
 | ||||||
|  | -      ctx_proc = proc { |ctx|
 | ||||||
|  | -        ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_1_VERSION
 | ||||||
|  | -      }
 | ||||||
|  | -      start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
 | ||||||
|  | -        # Client disables TLS 1.1
 | ||||||
|  | -        ctx1 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | -        ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_1
 | ||||||
|  | -        assert_handshake_error { server_connect(port, ctx1) { } }
 | ||||||
|  | +    # Server only supports TLS 1.2
 | ||||||
|  | +    ctx_proc = proc { |ctx|
 | ||||||
|  | +      ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
 | ||||||
|  | +    }
 | ||||||
|  | +    start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
 | ||||||
|  | +      # Client doesn't support TLS 1.2
 | ||||||
|  | +      ctx1 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | +      ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_2
 | ||||||
|  | +      assert_handshake_error { server_connect(port, ctx1) { } }
 | ||||||
|  |   | ||||||
|  | -        # Client disables TLS 1.2
 | ||||||
|  | -        ctx2 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | -        ctx2.options |= OpenSSL::SSL::OP_NO_TLSv1_2
 | ||||||
|  | -        assert_nothing_raised { server_connect(port, ctx2) { } }
 | ||||||
|  | -      }
 | ||||||
|  | -    else
 | ||||||
|  | -      pend "TLS 1.1 and TLS 1.2 must be supported; skipping"
 | ||||||
|  | -    end
 | ||||||
|  | +      # Client supports TLS 1.2 by default
 | ||||||
|  | +      ctx2 = OpenSSL::SSL::SSLContext.new
 | ||||||
|  | +      ctx2.options |= OpenSSL::SSL::OP_NO_TLSv1_3
 | ||||||
|  | +      assert_nothing_raised { server_connect(port, ctx2) { } }
 | ||||||
|  | +    }
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_ssl_methods_constant | ||||||
|  | 
 | ||||||
|  | From ccdb6f7bfa5f988a07beecedbf2b6205b6ab8492 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 20 Mar 2021 23:16:41 +0900 | ||||||
|  | Subject: [PATCH 7/8] pkey: assume a pkey always has public key components on | ||||||
|  |  OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0's EVP_PKEY_get0() returns NULL for provider-backed pkeys. | ||||||
|  | This causes segfault because it was supposed to never return NULL | ||||||
|  | before. | ||||||
|  | 
 | ||||||
|  | We can't check the existence of public key components in this way on | ||||||
|  | OpenSSL 3.0. Let's just skip it for now. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 11 +++++++++++ | ||||||
|  |  1 file changed, 11 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index 94760d32..09d45d85 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -428,9 +428,19 @@ ossl_pkey_s_generate_key(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |      return pkey_generate(argc, argv, self, 0); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +/*
 | ||||||
|  | + * TODO: There is no convenient way to check the presence of public key
 | ||||||
|  | + * components on OpenSSL 3.0. But since keys are immutable on 3.0, pkeys without
 | ||||||
|  | + * these should only be created by OpenSSL::PKey.generate_parameters or by
 | ||||||
|  | + * parsing DER-/PEM-encoded string. We would need another flag for that.
 | ||||||
|  | + */
 | ||||||
|  |  void | ||||||
|  |  ossl_pkey_check_public_key(const EVP_PKEY *pkey) | ||||||
|  |  { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +    if (EVP_PKEY_missing_parameters(pkey))
 | ||||||
|  | +        ossl_raise(ePKeyError, "parameters missing");
 | ||||||
|  | +#else
 | ||||||
|  |      void *ptr; | ||||||
|  |      const BIGNUM *n, *e, *pubkey; | ||||||
|  |   | ||||||
|  | @@ -466,6 +476,7 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey)
 | ||||||
|  |  	return; | ||||||
|  |      } | ||||||
|  |      ossl_raise(ePKeyError, "public key missing"); | ||||||
|  | +#endif
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  EVP_PKEY * | ||||||
|  | 
 | ||||||
|  | From d6535d13d174cd87ae99f3e60e97f7a00e1474e5 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 12 Apr 2021 10:43:46 +0900 | ||||||
|  | Subject: [PATCH 8/8] pkey: use EVP_PKEY_CTX_new_from_name() on OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | Replace EVP_PKEY_CTX_new_id() with the new EVP_PKEY_CTX_new_from_name() | ||||||
|  | which takes the algorithm name in a string instead of in an NID. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 6 ++++++ | ||||||
|  |  1 file changed, 6 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index 09d45d85..2a4835a2 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -315,6 +315,11 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
 | ||||||
|  |              ossl_raise(ePKeyError, "EVP_PKEY_CTX_new"); | ||||||
|  |      } | ||||||
|  |      else { | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +        ctx = EVP_PKEY_CTX_new_from_name(NULL, StringValueCStr(alg), NULL);
 | ||||||
|  | +        if (!ctx)
 | ||||||
|  | +            ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_from_name");
 | ||||||
|  | +#else
 | ||||||
|  |          const EVP_PKEY_ASN1_METHOD *ameth; | ||||||
|  |          ENGINE *tmpeng; | ||||||
|  |          int pkey_id; | ||||||
|  | @@ -333,6 +338,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)
 | ||||||
|  |          ctx = EVP_PKEY_CTX_new_id(pkey_id, NULL/* engine */); | ||||||
|  |          if (!ctx) | ||||||
|  |              ossl_raise(ePKeyError, "EVP_PKEY_CTX_new_id"); | ||||||
|  | +#endif
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      if (genparam && EVP_PKEY_paramgen_init(ctx) <= 0) { | ||||||
							
								
								
									
										304
									
								
								ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										304
									
								
								ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,304 @@ | |||||||
|  | From 8f948ed68a4ed6c05ff66d822711e3b70ae4bb3f Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 27 Sep 2021 13:32:03 +0900 | ||||||
|  | Subject: [PATCH 1/5] ext/openssl/ossl.h: add helper macros for | ||||||
|  |  OpenSSL/LibreSSL versions | ||||||
|  | 
 | ||||||
|  | Add following convenient macros: | ||||||
|  | 
 | ||||||
|  |  - OSSL_IS_LIBRESSL | ||||||
|  |  - OSSL_OPENSSL_PREREQ(maj, min, pat) | ||||||
|  |  - OSSL_LIBRESSL_PREREQ(maj, min, pat) | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl.h | 12 ++++++++++++ | ||||||
|  |  1 file changed, 12 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
 | ||||||
|  | index c20f506bda..a0cef29d74 100644
 | ||||||
|  | --- a/ext/openssl/ossl.h
 | ||||||
|  | +++ b/ext/openssl/ossl.h
 | ||||||
|  | @@ -42,6 +42,18 @@
 | ||||||
|  |  #include <openssl/evp.h> | ||||||
|  |  #include <openssl/dh.h> | ||||||
|  |   | ||||||
|  | +#ifndef LIBRESSL_VERSION_NUMBER
 | ||||||
|  | +# define OSSL_IS_LIBRESSL 0
 | ||||||
|  | +# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
 | ||||||
|  | +      (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
 | ||||||
|  | +# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
 | ||||||
|  | +#else
 | ||||||
|  | +# define OSSL_IS_LIBRESSL 1
 | ||||||
|  | +# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
 | ||||||
|  | +# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
 | ||||||
|  | +      (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * Common Module | ||||||
|  |   */ | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From bbf235091e49807ece8f3a3df95bbfcc9d3ab43d Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 22 Feb 2020 05:37:01 +0900 | ||||||
|  | Subject: [PATCH 2/5] ts: use TS_VERIFY_CTX_set_certs instead of | ||||||
|  |  TS_VERIFY_CTS_set_certs | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 fixed the typo in the function name and replaced the | ||||||
|  | current 'CTS' version with a macro. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/extconf.rb        | 5 ++++- | ||||||
|  |  ext/openssl/openssl_missing.h | 5 +++++ | ||||||
|  |  ext/openssl/ossl_ts.c         | 2 +- | ||||||
|  |  3 files changed, 10 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 | ||||||
|  | index 17d93443fc..09cae05b72 100644
 | ||||||
|  | --- a/ext/openssl/extconf.rb
 | ||||||
|  | +++ b/ext/openssl/extconf.rb
 | ||||||
|  | @@ -165,7 +165,7 @@ def find_openssl_library
 | ||||||
|  |  have_func("TS_STATUS_INFO_get0_status") | ||||||
|  |  have_func("TS_STATUS_INFO_get0_text") | ||||||
|  |  have_func("TS_STATUS_INFO_get0_failure_info") | ||||||
|  | -have_func("TS_VERIFY_CTS_set_certs")
 | ||||||
|  | +have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
 | ||||||
|  |  have_func("TS_VERIFY_CTX_set_store") | ||||||
|  |  have_func("TS_VERIFY_CTX_add_flags") | ||||||
|  |  have_func("TS_RESP_CTX_set_time_cb") | ||||||
|  | @@ -174,6 +174,9 @@ def find_openssl_library
 | ||||||
|  |   | ||||||
|  |  # added in 1.1.1 | ||||||
|  |  have_func("EVP_PKEY_check") | ||||||
|  | + 
 | ||||||
|  | +# added in 3.0.0
 | ||||||
|  | +have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
 | ||||||
|  |   | ||||||
|  |  Logging::message "=== Checking done. ===\n" | ||||||
|  |   | ||||||
|  | diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
 | ||||||
|  | index e575415f49..fe486bcfcf 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.h
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.h
 | ||||||
|  | @@ -236,4 +236,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 | ||||||
|  |      } while (0) | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +/* added in 3.0.0 */
 | ||||||
|  | +#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
 | ||||||
|  | +#  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  #endif /* _OSSL_OPENSSL_MISSING_H_ */ | ||||||
|  | diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
 | ||||||
|  | index 692c0d620f..f1da7c1947 100644
 | ||||||
|  | --- a/ext/openssl/ossl_ts.c
 | ||||||
|  | +++ b/ext/openssl/ossl_ts.c
 | ||||||
|  | @@ -820,7 +820,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |          X509_up_ref(cert); | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | -    TS_VERIFY_CTS_set_certs(ctx, x509inter);
 | ||||||
|  | +    TS_VERIFY_CTX_set_certs(ctx, x509inter);
 | ||||||
|  |      TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE); | ||||||
|  |      TS_VERIFY_CTX_set_store(ctx, x509st); | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 5fba3bc1df93ab6abc3ea53be3393480f36ea259 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 19 Mar 2021 19:18:25 +0900 | ||||||
|  | Subject: [PATCH 3/5] ssl: use SSL_get_rbio() to check if SSL is started or not | ||||||
|  | 
 | ||||||
|  | Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally | ||||||
|  | calls SSL_get_rbio() and it's enough for our purpose. | ||||||
|  | 
 | ||||||
|  | In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue | ||||||
|  | if BIO has not been set up yet, and we would have to clean it up. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_ssl.c | 4 ++-- | ||||||
|  |  1 file changed, 2 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
 | ||||||
|  | index 4b7efa39f5..ec430bfb0c 100644
 | ||||||
|  | --- a/ext/openssl/ossl_ssl.c
 | ||||||
|  | +++ b/ext/openssl/ossl_ssl.c
 | ||||||
|  | @@ -1535,8 +1535,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |  static inline int | ||||||
|  |  ssl_started(SSL *ssl) | ||||||
|  |  { | ||||||
|  | -    /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
 | ||||||
|  | -    return SSL_get_fd(ssl) >= 0;
 | ||||||
|  | +    /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
 | ||||||
|  | +    return SSL_get_rbio(ssl) != NULL;
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  static void | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | From 0a253027e6be47c0b7fd8b664f1048f24d7ca657 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Thu, 22 Apr 2021 13:57:47 +0900 | ||||||
|  | Subject: [PATCH 4/5] digest: use EVP_MD_CTX_get0_md() instead of | ||||||
|  |  EVP_MD_CTX_md() if exists | ||||||
|  | 
 | ||||||
|  | The function was renamed in OpenSSL 3.0 due to the change of the | ||||||
|  | lifetime of EVP_MD objects. They are no longer necessarily statically | ||||||
|  | allocated and can be reference-counted -- when an EVP_MD_CTX is free'd, | ||||||
|  | the associated EVP_MD can also become inaccessible. | ||||||
|  | 
 | ||||||
|  | Currently Ruby/OpenSSL only handles builtin algorithms, so no special | ||||||
|  | handling is needed except for adapting to the rename. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/extconf.rb        | 1 + | ||||||
|  |  ext/openssl/openssl_missing.h | 4 ++++ | ||||||
|  |  ext/openssl/ossl_digest.c     | 6 +++--- | ||||||
|  |  ext/openssl/ossl_hmac.c       | 2 +- | ||||||
|  |  4 files changed, 9 insertions(+), 4 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 | ||||||
|  | index 98f96afe..842b7f5b 100644
 | ||||||
|  | --- a/ext/openssl/extconf.rb
 | ||||||
|  | +++ b/ext/openssl/extconf.rb
 | ||||||
|  | @@ -177,6 +177,7 @@ def find_openssl_library
 | ||||||
|  |    | ||||||
|  |  # added in 3.0.0 | ||||||
|  |  have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h") | ||||||
|  | +have_func("EVP_MD_CTX_get0_md")
 | ||||||
|  |   | ||||||
|  |  Logging::message "=== Checking done. ===\n" | ||||||
|  |   | ||||||
|  | diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
 | ||||||
|  | index 1b1a54a8..64212349 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.h
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.h
 | ||||||
|  | @@ -241,4 +241,8 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 | ||||||
|  |  #  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts) | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +#ifndef HAVE_EVP_MD_CTX_GET0_MD
 | ||||||
|  | +#  define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  #endif /* _OSSL_OPENSSL_MISSING_H_ */ | ||||||
|  | diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c
 | ||||||
|  | index b2506de7..fc326ec1 100644
 | ||||||
|  | --- a/ext/openssl/ossl_digest.c
 | ||||||
|  | +++ b/ext/openssl/ossl_digest.c
 | ||||||
|  | @@ -63,7 +63,7 @@ ossl_evp_get_digestbyname(VALUE obj)
 | ||||||
|  |   | ||||||
|  |          GetDigest(obj, ctx); | ||||||
|  |   | ||||||
|  | -        md = EVP_MD_CTX_md(ctx);
 | ||||||
|  | +        md = EVP_MD_CTX_get0_md(ctx);
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      return md; | ||||||
|  | @@ -176,7 +176,7 @@ ossl_digest_reset(VALUE self)
 | ||||||
|  |      EVP_MD_CTX *ctx; | ||||||
|  |   | ||||||
|  |      GetDigest(self, ctx); | ||||||
|  | -    if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
 | ||||||
|  | +    if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) {
 | ||||||
|  |  	ossl_raise(eDigestError, "Digest initialization failed."); | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | @@ -259,7 +259,7 @@ ossl_digest_name(VALUE self)
 | ||||||
|  |   | ||||||
|  |      GetDigest(self, ctx); | ||||||
|  |   | ||||||
|  | -    return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx)));
 | ||||||
|  | +    return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx)));
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
 | ||||||
|  | index a21db6c4..2642728b 100644
 | ||||||
|  | --- a/ext/openssl/ossl_hmac.c
 | ||||||
|  | +++ b/ext/openssl/ossl_hmac.c
 | ||||||
|  | @@ -239,7 +239,7 @@ ossl_hmac_reset(VALUE self)
 | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  |      pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)); | ||||||
|  | -    if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
 | ||||||
|  | +    if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
 | ||||||
|  |          ossl_raise(eHMACError, "EVP_DigestSignInit"); | ||||||
|  |   | ||||||
|  |      return self; | ||||||
|  | 
 | ||||||
|  | From c106d888c62e44a11cdbba5e4d2d0cb837ec3e52 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Tue, 22 Jun 2021 18:50:17 +0900 | ||||||
|  | Subject: [PATCH 5/5] hmac: use EVP_MD_CTX_get_pkey_ctx() instead of | ||||||
|  |  EVP_MD_CTX_pkey_ctx() | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the | ||||||
|  | function name. Adjust compatibility macro so that we can use the new | ||||||
|  | function name for all OpenSSL 1.0.2-3.0. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/extconf.rb        |  1 + | ||||||
|  |  ext/openssl/openssl_missing.h | 16 ++++++++++++---- | ||||||
|  |  ext/openssl/ossl_hmac.c       |  2 +- | ||||||
|  |  3 files changed, 14 insertions(+), 5 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 | ||||||
|  | index 842b7f5b..d9d34b7c 100644
 | ||||||
|  | --- a/ext/openssl/extconf.rb
 | ||||||
|  | +++ b/ext/openssl/extconf.rb
 | ||||||
|  | @@ -178,6 +178,7 @@ def find_openssl_library
 | ||||||
|  |  # added in 3.0.0 | ||||||
|  |  have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h") | ||||||
|  |  have_func("EVP_MD_CTX_get0_md") | ||||||
|  | +have_func("EVP_MD_CTX_get_pkey_ctx")
 | ||||||
|  |   | ||||||
|  |  Logging::message "=== Checking done. ===\n" | ||||||
|  |   | ||||||
|  | diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
 | ||||||
|  | index 64212349..55c4f378 100644
 | ||||||
|  | --- a/ext/openssl/openssl_missing.h
 | ||||||
|  | +++ b/ext/openssl/openssl_missing.h
 | ||||||
|  | @@ -42,10 +42,6 @@ int ossl_EC_curve_nist2nid(const char *);
 | ||||||
|  |  #  define EVP_MD_CTX_free EVP_MD_CTX_destroy | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | -#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
 | ||||||
|  | -#  define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  #if !defined(HAVE_X509_STORE_GET_EX_DATA) | ||||||
|  |  #  define X509_STORE_get_ex_data(x, idx) \ | ||||||
|  |  	CRYPTO_get_ex_data(&(x)->ex_data, (idx)) | ||||||
|  | @@ -245,4 +241,16 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 | ||||||
|  |  #  define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx) | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +/*
 | ||||||
|  | + * OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
 | ||||||
|  | + * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
 | ||||||
|  | + */
 | ||||||
|  | +#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
 | ||||||
|  | +# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
 | ||||||
|  | +#  define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
 | ||||||
|  | +# else
 | ||||||
|  | +#  define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
 | ||||||
|  | +# endif
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  #endif /* _OSSL_OPENSSL_MISSING_H_ */ | ||||||
|  | diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
 | ||||||
|  | index 2642728b..f89ff2f9 100644
 | ||||||
|  | --- a/ext/openssl/ossl_hmac.c
 | ||||||
|  | +++ b/ext/openssl/ossl_hmac.c
 | ||||||
|  | @@ -238,7 +238,7 @@ ossl_hmac_reset(VALUE self)
 | ||||||
|  |      EVP_PKEY *pkey; | ||||||
|  |   | ||||||
|  |      GetHMAC(self, ctx); | ||||||
|  | -    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
 | ||||||
|  | +    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
 | ||||||
|  |      if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1) | ||||||
|  |          ossl_raise(eHMACError, "EVP_DigestSignInit"); | ||||||
|  |   | ||||||
							
								
								
									
										1450
									
								
								ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1450
									
								
								ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										831
									
								
								ruby-3.1.0-Use-EVP-API-in-more-places.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										831
									
								
								ruby-3.1.0-Use-EVP-API-in-more-places.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,831 @@ | |||||||
|  | From cf070378020088cd7e69b1cb08be68152ab8a078 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sun, 17 May 2020 18:25:38 +0900 | ||||||
|  | Subject: [PATCH 1/3] pkey: implement #to_text using EVP API | ||||||
|  | 
 | ||||||
|  | Use EVP_PKEY_print_private() instead of the low-level API *_print() | ||||||
|  | functions, such as RSA_print(). | ||||||
|  | 
 | ||||||
|  | EVP_PKEY_print_*() family was added in OpenSSL 1.0.0. | ||||||
|  | 
 | ||||||
|  | Note that it falls back to EVP_PKEY_print_public() and | ||||||
|  | EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH | ||||||
|  | type for which _private() fails if the private component is not set in | ||||||
|  | the pkey object. | ||||||
|  | 
 | ||||||
|  | Since the new API works in the same way for all key types, we now | ||||||
|  | implement #to_text in the base class OpenSSL::PKey::PKey rather than in | ||||||
|  | each subclass. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c     | 38 +++++++++++++++++++++++++++++++++++++ | ||||||
|  |  ext/openssl/ossl_pkey_dh.c  | 29 ---------------------------- | ||||||
|  |  ext/openssl/ossl_pkey_dsa.c | 29 ---------------------------- | ||||||
|  |  ext/openssl/ossl_pkey_ec.c  | 27 -------------------------- | ||||||
|  |  ext/openssl/ossl_pkey_rsa.c | 31 ------------------------------ | ||||||
|  |  test/openssl/test_pkey.rb   |  5 +++++ | ||||||
|  |  6 files changed, 43 insertions(+), 116 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index f9282b9417..21cd4b2cda 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -539,6 +539,43 @@ ossl_pkey_inspect(VALUE self)
 | ||||||
|  |                        OBJ_nid2sn(nid)); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +/*
 | ||||||
|  | + * call-seq:
 | ||||||
|  | + *    pkey.to_text -> string
 | ||||||
|  | + *
 | ||||||
|  | + * Dumps key parameters, public key, and private key components contained in
 | ||||||
|  | + * the key into a human-readable text.
 | ||||||
|  | + *
 | ||||||
|  | + * This is intended for debugging purpose.
 | ||||||
|  | + *
 | ||||||
|  | + * See also the man page EVP_PKEY_print_private(3).
 | ||||||
|  | + */
 | ||||||
|  | +static VALUE
 | ||||||
|  | +ossl_pkey_to_text(VALUE self)
 | ||||||
|  | +{
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  | +    BIO *bio;
 | ||||||
|  | +
 | ||||||
|  | +    GetPKey(self, pkey);
 | ||||||
|  | +    if (!(bio = BIO_new(BIO_s_mem())))
 | ||||||
|  | +        ossl_raise(ePKeyError, "BIO_new");
 | ||||||
|  | +
 | ||||||
|  | +    if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +    OSSL_BIO_reset(bio);
 | ||||||
|  | +    if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +    OSSL_BIO_reset(bio);
 | ||||||
|  | +    if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +
 | ||||||
|  | +    BIO_free(bio);
 | ||||||
|  | +    ossl_raise(ePKeyError, "EVP_PKEY_print_params");
 | ||||||
|  | +
 | ||||||
|  | +  out:
 | ||||||
|  | +    return ossl_membio2str(bio);
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  VALUE | ||||||
|  |  ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der) | ||||||
|  |  { | ||||||
|  | @@ -1039,6 +1076,7 @@ Init_ossl_pkey(void)
 | ||||||
|  |      rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0); | ||||||
|  |      rb_define_method(cPKey, "oid", ossl_pkey_oid, 0); | ||||||
|  |      rb_define_method(cPKey, "inspect", ossl_pkey_inspect, 0); | ||||||
|  | +    rb_define_method(cPKey, "to_text", ossl_pkey_to_text, 0);
 | ||||||
|  |      rb_define_method(cPKey, "private_to_der", ossl_pkey_private_to_der, -1); | ||||||
|  |      rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1); | ||||||
|  |      rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0); | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | index 6b477b077c..acd3bf474e 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | @@ -266,34 +266,6 @@ ossl_dh_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     dh.to_text -> aString
 | ||||||
|  | - *
 | ||||||
|  | - * Prints all parameters of key to buffer
 | ||||||
|  | - * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
 | ||||||
|  | - * Don't use :-)) (I's up to you)
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_dh_to_text(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    DH *dh;
 | ||||||
|  | -    BIO *out;
 | ||||||
|  | -    VALUE str;
 | ||||||
|  | -
 | ||||||
|  | -    GetDH(self, dh);
 | ||||||
|  | -    if (!(out = BIO_new(BIO_s_mem()))) {
 | ||||||
|  | -	ossl_raise(eDHError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!DHparams_print(out, dh)) {
 | ||||||
|  | -	BIO_free(out);
 | ||||||
|  | -	ossl_raise(eDHError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    str = ossl_membio2str(out);
 | ||||||
|  | -
 | ||||||
|  | -    return str;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *     dh.public_key -> aDH | ||||||
|  | @@ -426,7 +398,6 @@ Init_ossl_dh(void)
 | ||||||
|  |      rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1); | ||||||
|  |      rb_define_method(cDH, "public?", ossl_dh_is_public, 0); | ||||||
|  |      rb_define_method(cDH, "private?", ossl_dh_is_private, 0); | ||||||
|  | -    rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);
 | ||||||
|  |      rb_define_method(cDH, "export", ossl_dh_export, 0); | ||||||
|  |      rb_define_alias(cDH, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cDH, "to_s", "export"); | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | index 1c5a8a737e..f017cceb4a 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | @@ -264,34 +264,6 @@ ossl_dsa_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *    dsa.to_text -> aString
 | ||||||
|  | - *
 | ||||||
|  | - * Prints all parameters of key to buffer
 | ||||||
|  | - * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!
 | ||||||
|  | - * Don't use :-)) (I's up to you)
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_dsa_to_text(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    DSA *dsa;
 | ||||||
|  | -    BIO *out;
 | ||||||
|  | -    VALUE str;
 | ||||||
|  | -
 | ||||||
|  | -    GetDSA(self, dsa);
 | ||||||
|  | -    if (!(out = BIO_new(BIO_s_mem()))) {
 | ||||||
|  | -	ossl_raise(eDSAError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!DSA_print(out, dsa, 0)) { /* offset = 0 */
 | ||||||
|  | -	BIO_free(out);
 | ||||||
|  | -	ossl_raise(eDSAError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    str = ossl_membio2str(out);
 | ||||||
|  | -
 | ||||||
|  | -    return str;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *    dsa.public_key -> aDSA | ||||||
|  | @@ -469,7 +441,6 @@ Init_ossl_dsa(void)
 | ||||||
|  |   | ||||||
|  |      rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0); | ||||||
|  |      rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0); | ||||||
|  | -    rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);
 | ||||||
|  |      rb_define_method(cDSA, "export", ossl_dsa_export, -1); | ||||||
|  |      rb_define_alias(cDSA, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cDSA, "to_s", "export"); | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | index c2534251c3..ecb8305184 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | @@ -417,32 +417,6 @@ ossl_ec_key_to_der(VALUE self)
 | ||||||
|  |      else | ||||||
|  |          return ossl_pkey_export_spki(self, 1); | ||||||
|  |  } | ||||||
|  | -
 | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     key.to_text   => String
 | ||||||
|  | - *
 | ||||||
|  | - *  See the OpenSSL documentation for EC_KEY_print()
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE ossl_ec_key_to_text(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    EC_KEY *ec;
 | ||||||
|  | -    BIO *out;
 | ||||||
|  | -    VALUE str;
 | ||||||
|  | -
 | ||||||
|  | -    GetEC(self, ec);
 | ||||||
|  | -    if (!(out = BIO_new(BIO_s_mem()))) {
 | ||||||
|  | -	ossl_raise(eECError, "BIO_new(BIO_s_mem())");
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!EC_KEY_print(out, ec, 0)) {
 | ||||||
|  | -	BIO_free(out);
 | ||||||
|  | -	ossl_raise(eECError, "EC_KEY_print");
 | ||||||
|  | -    }
 | ||||||
|  | -    str = ossl_membio2str(out);
 | ||||||
|  | -
 | ||||||
|  | -    return str;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *     key.generate_key!   => self | ||||||
|  | @@ -1633,7 +1607,6 @@ void Init_ossl_ec(void)
 | ||||||
|  |      rb_define_method(cEC, "export", ossl_ec_key_export, -1); | ||||||
|  |      rb_define_alias(cEC, "to_pem", "export"); | ||||||
|  |      rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0); | ||||||
|  | -    rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);
 | ||||||
|  |   | ||||||
|  |   | ||||||
|  |      rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc); | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | index 43f82cb29e..7a7e66dbda 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | @@ -587,36 +587,6 @@ ossl_rsa_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - * call-seq:
 | ||||||
|  | - *   rsa.to_text => String
 | ||||||
|  | - *
 | ||||||
|  | - * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
 | ||||||
|  | - *
 | ||||||
|  | - * Dumps all parameters of a keypair to a String
 | ||||||
|  | - *
 | ||||||
|  | - * Don't use :-)) (It's up to you)
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_rsa_to_text(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    RSA *rsa;
 | ||||||
|  | -    BIO *out;
 | ||||||
|  | -    VALUE str;
 | ||||||
|  | -
 | ||||||
|  | -    GetRSA(self, rsa);
 | ||||||
|  | -    if (!(out = BIO_new(BIO_s_mem()))) {
 | ||||||
|  | -	ossl_raise(eRSAError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    if (!RSA_print(out, rsa, 0)) { /* offset = 0 */
 | ||||||
|  | -	BIO_free(out);
 | ||||||
|  | -	ossl_raise(eRSAError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    str = ossl_membio2str(out);
 | ||||||
|  | -
 | ||||||
|  | -    return str;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   * call-seq: | ||||||
|  |   *    rsa.public_key -> RSA | ||||||
|  | @@ -738,7 +708,6 @@ Init_ossl_rsa(void)
 | ||||||
|  |   | ||||||
|  |      rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0); | ||||||
|  |      rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0); | ||||||
|  | -    rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);
 | ||||||
|  |      rb_define_method(cRSA, "export", ossl_rsa_export, -1); | ||||||
|  |      rb_define_alias(cRSA, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cRSA, "to_s", "export"); | ||||||
|  | diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
 | ||||||
|  | index 5307fe5b08..3630458b3c 100644
 | ||||||
|  | --- a/test/openssl/test_pkey.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey.rb
 | ||||||
|  | @@ -151,4 +151,9 @@ def test_x25519
 | ||||||
|  |      assert_equal bob_pem, bob.public_to_pem | ||||||
|  |      assert_equal [shared_secret].pack("H*"), alice.derive(bob) | ||||||
|  |    end | ||||||
|  | +
 | ||||||
|  | +  def test_to_text
 | ||||||
|  | +    rsa = Fixtures.pkey("rsa1024")
 | ||||||
|  | +    assert_include rsa.to_text, "publicExponent"
 | ||||||
|  | +  end
 | ||||||
|  |  end | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 0c45b22e485bfa62f4d704b08e3704e6444118c4 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Thu, 15 Apr 2021 19:11:32 +0900 | ||||||
|  | Subject: [PATCH 2/3] pkey: implement {DH,DSA,RSA}#public_key in Ruby | ||||||
|  | 
 | ||||||
|  | The low-level API that is used to implement #public_key is deprecated | ||||||
|  | in OpenSSL 3.0. It is actually very simple to implement in another way, | ||||||
|  | using existing methods only, in much shorter code. Let's do it. | ||||||
|  | 
 | ||||||
|  | While we are at it, the documentation is updated to recommend against | ||||||
|  | using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der | ||||||
|  | method, there is no real use case for #public_key in newly written Ruby | ||||||
|  | programs. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/lib/openssl/pkey.rb | 55 ++++++++++++++++++++++++++++ | ||||||
|  |  ext/openssl/ossl_pkey_dh.c      | 63 +++++++-------------------------- | ||||||
|  |  ext/openssl/ossl_pkey_dsa.c     | 42 ---------------------- | ||||||
|  |  ext/openssl/ossl_pkey_rsa.c     | 58 +----------------------------- | ||||||
|  |  test/openssl/test_pkey_rsa.rb   | 37 ++++++++++--------- | ||||||
|  |  5 files changed, 87 insertions(+), 168 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | index 53ee52f98b..569559e1ce 100644
 | ||||||
|  | --- a/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | +++ b/ext/openssl/lib/openssl/pkey.rb
 | ||||||
|  | @@ -10,6 +10,30 @@ module OpenSSL::PKey
 | ||||||
|  |    class DH | ||||||
|  |      include OpenSSL::Marshal | ||||||
|  |   | ||||||
|  | +    # :call-seq:
 | ||||||
|  | +    #    dh.public_key -> dhnew
 | ||||||
|  | +    #
 | ||||||
|  | +    # Returns a new DH instance that carries just the \DH parameters.
 | ||||||
|  | +    #
 | ||||||
|  | +    # Contrary to the method name, the returned DH object contains only
 | ||||||
|  | +    # parameters and not the public key.
 | ||||||
|  | +    #
 | ||||||
|  | +    # This method is provided for backwards compatibility. In most cases, there
 | ||||||
|  | +    # is no need to call this method.
 | ||||||
|  | +    #
 | ||||||
|  | +    # For the purpose of re-generating the key pair while keeping the
 | ||||||
|  | +    # parameters, check OpenSSL::PKey.generate_key.
 | ||||||
|  | +    #
 | ||||||
|  | +    # Example:
 | ||||||
|  | +    #   # OpenSSL::PKey::DH.generate by default generates a random key pair
 | ||||||
|  | +    #   dh1 = OpenSSL::PKey::DH.generate(2048)
 | ||||||
|  | +    #   p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
 | ||||||
|  | +    #   dhcopy = dh1.public_key
 | ||||||
|  | +    #   p dhcopy.priv_key #=> nil
 | ||||||
|  | +    def public_key
 | ||||||
|  | +      DH.new(to_der)
 | ||||||
|  | +    end
 | ||||||
|  | +
 | ||||||
|  |      # :call-seq: | ||||||
|  |      #    dh.compute_key(pub_bn) -> string | ||||||
|  |      # | ||||||
|  | @@ -89,6 +113,22 @@ def new(*args, &blk) # :nodoc:
 | ||||||
|  |    class DSA | ||||||
|  |      include OpenSSL::Marshal | ||||||
|  |   | ||||||
|  | +    # :call-seq:
 | ||||||
|  | +    #    dsa.public_key -> dsanew
 | ||||||
|  | +    #
 | ||||||
|  | +    # Returns a new DSA instance that carries just the \DSA parameters and the
 | ||||||
|  | +    # public key.
 | ||||||
|  | +    #
 | ||||||
|  | +    # This method is provided for backwards compatibility. In most cases, there
 | ||||||
|  | +    # is no need to call this method.
 | ||||||
|  | +    #
 | ||||||
|  | +    # For the purpose of serializing the public key, to PEM or DER encoding of
 | ||||||
|  | +    # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
 | ||||||
|  | +    # PKey#public_to_der.
 | ||||||
|  | +    def public_key
 | ||||||
|  | +      OpenSSL::PKey.read(public_to_der)
 | ||||||
|  | +    end
 | ||||||
|  | +
 | ||||||
|  |      class << self | ||||||
|  |        # :call-seq: | ||||||
|  |        #    DSA.generate(size) -> dsa | ||||||
|  | @@ -159,6 +199,21 @@ def to_bn(conversion_form = group.point_conversion_form)
 | ||||||
|  |    class RSA | ||||||
|  |      include OpenSSL::Marshal | ||||||
|  |   | ||||||
|  | +    # :call-seq:
 | ||||||
|  | +    #    rsa.public_key -> rsanew
 | ||||||
|  | +    #
 | ||||||
|  | +    # Returns a new RSA instance that carries just the public key components.
 | ||||||
|  | +    #
 | ||||||
|  | +    # This method is provided for backwards compatibility. In most cases, there
 | ||||||
|  | +    # is no need to call this method.
 | ||||||
|  | +    #
 | ||||||
|  | +    # For the purpose of serializing the public key, to PEM or DER encoding of
 | ||||||
|  | +    # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and
 | ||||||
|  | +    # PKey#public_to_der.
 | ||||||
|  | +    def public_key
 | ||||||
|  | +      OpenSSL::PKey.read(public_to_der)
 | ||||||
|  | +    end
 | ||||||
|  | +
 | ||||||
|  |      class << self | ||||||
|  |        # :call-seq: | ||||||
|  |        #    RSA.generate(size, exponent = 65537) -> RSA | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | index acd3bf474e..a512b209d3 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | @@ -266,48 +266,6 @@ ossl_dh_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     dh.public_key -> aDH
 | ||||||
|  | - *
 | ||||||
|  | - * Returns a new DH instance that carries just the public information, i.e.
 | ||||||
|  | - * the prime _p_ and the generator _g_, but no public/private key yet. Such
 | ||||||
|  | - * a pair may be generated using DH#generate_key!. The "public key" needed
 | ||||||
|  | - * for a key exchange with DH#compute_key is considered as per-session
 | ||||||
|  | - * information and may be retrieved with DH#pub_key once a key pair has
 | ||||||
|  | - * been generated.
 | ||||||
|  | - * If the current instance already contains private information (and thus a
 | ||||||
|  | - * valid public/private key pair), this information will no longer be present
 | ||||||
|  | - * in the new instance generated by DH#public_key. This feature is helpful for
 | ||||||
|  | - * publishing the Diffie-Hellman parameters without leaking any of the private
 | ||||||
|  | - * per-session information.
 | ||||||
|  | - *
 | ||||||
|  | - * === Example
 | ||||||
|  | - *  dh = OpenSSL::PKey::DH.new(2048) # has public and private key set
 | ||||||
|  | - *  public_key = dh.public_key # contains only prime and generator
 | ||||||
|  | - *  parameters = public_key.to_der # it's safe to publish this
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_dh_to_public_key(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    EVP_PKEY *pkey;
 | ||||||
|  | -    DH *orig_dh, *dh;
 | ||||||
|  | -    VALUE obj;
 | ||||||
|  | -
 | ||||||
|  | -    obj = rb_obj_alloc(rb_obj_class(self));
 | ||||||
|  | -    GetPKey(obj, pkey);
 | ||||||
|  | -
 | ||||||
|  | -    GetDH(self, orig_dh);
 | ||||||
|  | -    dh = DHparams_dup(orig_dh);
 | ||||||
|  | -    if (!dh)
 | ||||||
|  | -        ossl_raise(eDHError, "DHparams_dup");
 | ||||||
|  | -    if (!EVP_PKEY_assign_DH(pkey, dh)) {
 | ||||||
|  | -        DH_free(dh);
 | ||||||
|  | -        ossl_raise(eDHError, "EVP_PKEY_assign_DH");
 | ||||||
|  | -    }
 | ||||||
|  | -    return obj;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *     dh.params_ok? -> true | false | ||||||
|  | @@ -384,14 +342,20 @@ Init_ossl_dh(void)
 | ||||||
|  |       *   The per-session private key, an OpenSSL::BN. | ||||||
|  |       * | ||||||
|  |       * === Example of a key exchange | ||||||
|  | -     *  dh1 = OpenSSL::PKey::DH.new(2048)
 | ||||||
|  | -     *  der = dh1.public_key.to_der #you may send this publicly to the participating party
 | ||||||
|  | -     *  dh2 = OpenSSL::PKey::DH.new(der)
 | ||||||
|  | -     *  dh2.generate_key! #generate the per-session key pair
 | ||||||
|  | -     *  symm_key1 = dh1.compute_key(dh2.pub_key)
 | ||||||
|  | -     *  symm_key2 = dh2.compute_key(dh1.pub_key)
 | ||||||
|  | +     *   # you may send the parameters (der) and own public key (pub1) publicly
 | ||||||
|  | +     *   # to the participating party
 | ||||||
|  | +     *   dh1 = OpenSSL::PKey::DH.new(2048)
 | ||||||
|  | +     *   der = dh1.to_der
 | ||||||
|  | +     *   pub1 = dh1.pub_key
 | ||||||
|  | +     *
 | ||||||
|  | +     *   # the other party generates its per-session key pair
 | ||||||
|  | +     *   dhparams = OpenSSL::PKey::DH.new(der)
 | ||||||
|  | +     *   dh2 = OpenSSL::PKey.generate_key(dhparams)
 | ||||||
|  | +     *   pub2 = dh2.pub_key
 | ||||||
|  |       * | ||||||
|  | -     *  puts symm_key1 == symm_key2 # => true
 | ||||||
|  | +     *   symm_key1 = dh1.compute_key(pub2)
 | ||||||
|  | +     *   symm_key2 = dh2.compute_key(pub1)
 | ||||||
|  | +     *   puts symm_key1 == symm_key2 # => true
 | ||||||
|  |       */ | ||||||
|  |      cDH = rb_define_class_under(mPKey, "DH", cPKey); | ||||||
|  |      rb_define_method(cDH, "initialize", ossl_dh_initialize, -1); | ||||||
|  | @@ -402,7 +366,6 @@ Init_ossl_dh(void)
 | ||||||
|  |      rb_define_alias(cDH, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cDH, "to_s", "export"); | ||||||
|  |      rb_define_method(cDH, "to_der", ossl_dh_to_der, 0); | ||||||
|  | -    rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);
 | ||||||
|  |      rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0); | ||||||
|  |   | ||||||
|  |      DEF_OSSL_PKEY_BN(cDH, dh, p); | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | index f017cceb4a..ab9ac781e8 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dsa.c
 | ||||||
|  | @@ -264,47 +264,6 @@ ossl_dsa_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *    dsa.public_key -> aDSA
 | ||||||
|  | - *
 | ||||||
|  | - * Returns a new DSA instance that carries just the public key information.
 | ||||||
|  | - * If the current instance has also private key information, this will no
 | ||||||
|  | - * longer be present in the new instance. This feature is helpful for
 | ||||||
|  | - * publishing the public key information without leaking any of the private
 | ||||||
|  | - * information.
 | ||||||
|  | - *
 | ||||||
|  | - * === Example
 | ||||||
|  | - *  dsa = OpenSSL::PKey::DSA.new(2048) # has public and private information
 | ||||||
|  | - *  pub_key = dsa.public_key # has only the public part available
 | ||||||
|  | - *  pub_key_der = pub_key.to_der # it's safe to publish this
 | ||||||
|  | - *
 | ||||||
|  | - *
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_dsa_to_public_key(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    EVP_PKEY *pkey, *pkey_new;
 | ||||||
|  | -    DSA *dsa;
 | ||||||
|  | -    VALUE obj;
 | ||||||
|  | -
 | ||||||
|  | -    GetPKeyDSA(self, pkey);
 | ||||||
|  | -    obj = rb_obj_alloc(rb_obj_class(self));
 | ||||||
|  | -    GetPKey(obj, pkey_new);
 | ||||||
|  | -
 | ||||||
|  | -#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \
 | ||||||
|  | -	(i2d_of_void *)i2d_DSAPublicKey, (d2i_of_void *)d2i_DSAPublicKey, (char *)(dsa))
 | ||||||
|  | -    dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
 | ||||||
|  | -#undef DSAPublicKey_dup
 | ||||||
|  | -    if (!dsa)
 | ||||||
|  | -        ossl_raise(eDSAError, "DSAPublicKey_dup");
 | ||||||
|  | -    if (!EVP_PKEY_assign_DSA(pkey_new, dsa)) {
 | ||||||
|  | -        DSA_free(dsa);
 | ||||||
|  | -        ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");
 | ||||||
|  | -    }
 | ||||||
|  | -    return obj;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
|  |   *    dsa.syssign(string) -> aString | ||||||
|  | @@ -445,7 +404,6 @@ Init_ossl_dsa(void)
 | ||||||
|  |      rb_define_alias(cDSA, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cDSA, "to_s", "export"); | ||||||
|  |      rb_define_method(cDSA, "to_der", ossl_dsa_to_der, 0); | ||||||
|  | -    rb_define_method(cDSA, "public_key", ossl_dsa_to_public_key, 0);
 | ||||||
|  |      rb_define_method(cDSA, "syssign", ossl_dsa_sign, 1); | ||||||
|  |      rb_define_method(cDSA, "sysverify", ossl_dsa_verify, 2); | ||||||
|  |   | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | index 7a7e66dbda..1c5476cdcd 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_rsa.c
 | ||||||
|  | @@ -390,7 +390,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
 | ||||||
|  |   *   data = "Sign me!" | ||||||
|  |   *   pkey = OpenSSL::PKey::RSA.new(2048) | ||||||
|  |   *   signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256") | ||||||
|  | - *   pub_key = pkey.public_key
 | ||||||
|  | + *   pub_key = OpenSSL::PKey.read(pkey.public_to_der)
 | ||||||
|  |   *   puts pub_key.verify_pss("SHA256", signature, data, | ||||||
|  |   *                           salt_length: :auto, mgf1_hash: "SHA256") # => true | ||||||
|  |   */ | ||||||
|  | @@ -587,61 +587,6 @@ ossl_rsa_get_params(VALUE self)
 | ||||||
|  |      return hash; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -/*
 | ||||||
|  | - * call-seq:
 | ||||||
|  | - *    rsa.public_key -> RSA
 | ||||||
|  | - *
 | ||||||
|  | - * Makes new RSA instance containing the public key from the private key.
 | ||||||
|  | - */
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_rsa_to_public_key(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    EVP_PKEY *pkey, *pkey_new;
 | ||||||
|  | -    RSA *rsa;
 | ||||||
|  | -    VALUE obj;
 | ||||||
|  | -
 | ||||||
|  | -    GetPKeyRSA(self, pkey);
 | ||||||
|  | -    obj = rb_obj_alloc(rb_obj_class(self));
 | ||||||
|  | -    GetPKey(obj, pkey_new);
 | ||||||
|  | -
 | ||||||
|  | -    rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
 | ||||||
|  | -    if (!rsa)
 | ||||||
|  | -        ossl_raise(eRSAError, "RSAPublicKey_dup");
 | ||||||
|  | -    if (!EVP_PKEY_assign_RSA(pkey_new, rsa)) {
 | ||||||
|  | -        RSA_free(rsa);
 | ||||||
|  | -        ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");
 | ||||||
|  | -    }
 | ||||||
|  | -    return obj;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  | -/*
 | ||||||
|  | - * TODO: Test me
 | ||||||
|  | -
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_rsa_blinding_on(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    RSA *rsa;
 | ||||||
|  | -
 | ||||||
|  | -    GetRSA(self, rsa);
 | ||||||
|  | -
 | ||||||
|  | -    if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) {
 | ||||||
|  | -	ossl_raise(eRSAError, NULL);
 | ||||||
|  | -    }
 | ||||||
|  | -    return self;
 | ||||||
|  | -}
 | ||||||
|  | -
 | ||||||
|  | -static VALUE
 | ||||||
|  | -ossl_rsa_blinding_off(VALUE self)
 | ||||||
|  | -{
 | ||||||
|  | -    RSA *rsa;
 | ||||||
|  | -
 | ||||||
|  | -    GetRSA(self, rsa);
 | ||||||
|  | -    RSA_blinding_off(rsa);
 | ||||||
|  | -
 | ||||||
|  | -    return self;
 | ||||||
|  | -}
 | ||||||
|  | - */
 | ||||||
|  | -
 | ||||||
|  |  /* | ||||||
|  |   * Document-method: OpenSSL::PKey::RSA#set_key | ||||||
|  |   * call-seq: | ||||||
|  | @@ -712,7 +657,6 @@ Init_ossl_rsa(void)
 | ||||||
|  |      rb_define_alias(cRSA, "to_pem", "export"); | ||||||
|  |      rb_define_alias(cRSA, "to_s", "export"); | ||||||
|  |      rb_define_method(cRSA, "to_der", ossl_rsa_to_der, 0); | ||||||
|  | -    rb_define_method(cRSA, "public_key", ossl_rsa_to_public_key, 0);
 | ||||||
|  |      rb_define_method(cRSA, "public_encrypt", ossl_rsa_public_encrypt, -1); | ||||||
|  |      rb_define_method(cRSA, "public_decrypt", ossl_rsa_public_decrypt, -1); | ||||||
|  |      rb_define_method(cRSA, "private_encrypt", ossl_rsa_private_encrypt, -1); | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index d1e68dbc9f..5f8d04e754 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -69,29 +69,28 @@ def test_private
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_new | ||||||
|  | -    key = OpenSSL::PKey::RSA.new 512
 | ||||||
|  | -    pem  = key.public_key.to_pem
 | ||||||
|  | -    OpenSSL::PKey::RSA.new pem
 | ||||||
|  | -    assert_equal([], OpenSSL.errors)
 | ||||||
|  | -  end
 | ||||||
|  | +    key = OpenSSL::PKey::RSA.new(512)
 | ||||||
|  | +    assert_equal 512, key.n.num_bits
 | ||||||
|  | +    assert_equal 65537, key.e
 | ||||||
|  | +    assert_not_nil key.d
 | ||||||
|  |   | ||||||
|  | -  def test_new_exponent_default
 | ||||||
|  | -    assert_equal(65537, OpenSSL::PKey::RSA.new(512).e)
 | ||||||
|  | +    # Specify public exponent
 | ||||||
|  | +    key2 = OpenSSL::PKey::RSA.new(512, 3)
 | ||||||
|  | +    assert_equal 512, key2.n.num_bits
 | ||||||
|  | +    assert_equal 3, key2.e
 | ||||||
|  | +    assert_not_nil key2.d
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | -  def test_new_with_exponent
 | ||||||
|  | -    1.upto(30) do |idx|
 | ||||||
|  | -      e = (2 ** idx) + 1
 | ||||||
|  | -      key = OpenSSL::PKey::RSA.new(512, e)
 | ||||||
|  | -      assert_equal(e, key.e)
 | ||||||
|  | -    end
 | ||||||
|  | -  end
 | ||||||
|  | +  def test_s_generate
 | ||||||
|  | +    key1 = OpenSSL::PKey::RSA.generate(512)
 | ||||||
|  | +    assert_equal 512, key1.n.num_bits
 | ||||||
|  | +    assert_equal 65537, key1.e
 | ||||||
|  |   | ||||||
|  | -  def test_generate
 | ||||||
|  | -    key = OpenSSL::PKey::RSA.generate(512, 17)
 | ||||||
|  | -    assert_equal 512, key.n.num_bits
 | ||||||
|  | -    assert_equal 17, key.e
 | ||||||
|  | -    assert_not_nil key.d
 | ||||||
|  | +    # Specify public exponent
 | ||||||
|  | +    key2 = OpenSSL::PKey::RSA.generate(512, 3)
 | ||||||
|  | +    assert_equal 512, key2.n.num_bits
 | ||||||
|  | +    assert_equal 3, key2.e
 | ||||||
|  | +    assert_not_nil key2.d
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_new_break | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 2150af0e55b2a25c24f62006e27e0aec3dc81b57 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 10 Jul 2020 14:34:51 +0900 | ||||||
|  | Subject: [PATCH 3/3] pkey/dh, pkey/ec: use EVP_PKEY_check() family | ||||||
|  | 
 | ||||||
|  | Use EVP_PKEY_param_check() instead of DH_check() if available. Also, | ||||||
|  | use EVP_PKEY_public_check() instead of EC_KEY_check_key(). | ||||||
|  | 
 | ||||||
|  | EVP_PKEY_*check() is part of the EVP API and is meant to replace those | ||||||
|  | low-level functions. They were added by OpenSSL 1.1.1. It is currently | ||||||
|  | not provided by LibreSSL. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/extconf.rb       |  3 +++ | ||||||
|  |  ext/openssl/ossl_pkey_dh.c   | 27 +++++++++++++++++++++++---- | ||||||
|  |  ext/openssl/ossl_pkey_ec.c   | 23 +++++++++++++++++++---- | ||||||
|  |  test/openssl/test_pkey_dh.rb | 16 ++++++++++++++++ | ||||||
|  |  4 files changed, 61 insertions(+), 8 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 | ||||||
|  | index b3c6647faf..17d93443fc 100644
 | ||||||
|  | --- a/ext/openssl/extconf.rb
 | ||||||
|  | +++ b/ext/openssl/extconf.rb
 | ||||||
|  | @@ -172,6 +172,9 @@ def find_openssl_library
 | ||||||
|  |  have_func("EVP_PBE_scrypt") | ||||||
|  |  have_func("SSL_CTX_set_post_handshake_auth") | ||||||
|  |   | ||||||
|  | +# added in 1.1.1
 | ||||||
|  | +have_func("EVP_PKEY_check")
 | ||||||
|  | +
 | ||||||
|  |  Logging::message "=== Checking done. ===\n" | ||||||
|  |   | ||||||
|  |  create_header | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | index a512b209d3..ca782bbe59 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_dh.c
 | ||||||
|  | @@ -273,19 +273,38 @@ ossl_dh_get_params(VALUE self)
 | ||||||
|  |   * Validates the Diffie-Hellman parameters associated with this instance. | ||||||
|  |   * It checks whether a safe prime and a suitable generator are used. If this | ||||||
|  |   * is not the case, +false+ is returned. | ||||||
|  | + *
 | ||||||
|  | + * See also the man page EVP_PKEY_param_check(3).
 | ||||||
|  |   */ | ||||||
|  |  static VALUE | ||||||
|  |  ossl_dh_check_params(VALUE self) | ||||||
|  |  { | ||||||
|  | +    int ret;
 | ||||||
|  | +#ifdef HAVE_EVP_PKEY_CHECK
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  | +    EVP_PKEY_CTX *pctx;
 | ||||||
|  | +
 | ||||||
|  | +    GetPKey(self, pkey);
 | ||||||
|  | +    pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
 | ||||||
|  | +    if (!pctx)
 | ||||||
|  | +        ossl_raise(eDHError, "EVP_PKEY_CTX_new");
 | ||||||
|  | +    ret = EVP_PKEY_param_check(pctx);
 | ||||||
|  | +    EVP_PKEY_CTX_free(pctx);
 | ||||||
|  | +#else
 | ||||||
|  |      DH *dh; | ||||||
|  |      int codes; | ||||||
|  |   | ||||||
|  |      GetDH(self, dh); | ||||||
|  | -    if (!DH_check(dh, &codes)) {
 | ||||||
|  | -	return Qfalse;
 | ||||||
|  | -    }
 | ||||||
|  | +    ret = DH_check(dh, &codes) == 1 && codes == 0;
 | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  | -    return codes == 0 ? Qtrue : Qfalse;
 | ||||||
|  | +    if (ret == 1)
 | ||||||
|  | +        return Qtrue;
 | ||||||
|  | +    else {
 | ||||||
|  | +        /* DH_check_ex() will put error entry on failure */
 | ||||||
|  | +        ossl_clear_error();
 | ||||||
|  | +        return Qfalse;
 | ||||||
|  | +    }
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | index ecb8305184..829529d4b9 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey_ec.c
 | ||||||
|  | @@ -443,20 +443,35 @@ static VALUE ossl_ec_key_generate_key(VALUE self)
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  | - *  call-seq:
 | ||||||
|  | - *     key.check_key   => true
 | ||||||
|  | + * call-seq:
 | ||||||
|  | + *    key.check_key   => true
 | ||||||
|  |   * | ||||||
|  | - *  Raises an exception if the key is invalid.
 | ||||||
|  | + * Raises an exception if the key is invalid.
 | ||||||
|  |   * | ||||||
|  | - *  See the OpenSSL documentation for EC_KEY_check_key()
 | ||||||
|  | + * See also the man page EVP_PKEY_public_check(3).
 | ||||||
|  |   */ | ||||||
|  |  static VALUE ossl_ec_key_check_key(VALUE self) | ||||||
|  |  { | ||||||
|  | +#ifdef HAVE_EVP_PKEY_CHECK
 | ||||||
|  | +    EVP_PKEY *pkey;
 | ||||||
|  | +    EVP_PKEY_CTX *pctx;
 | ||||||
|  | +    int ret;
 | ||||||
|  | +
 | ||||||
|  | +    GetPKey(self, pkey);
 | ||||||
|  | +    pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);
 | ||||||
|  | +    if (!pctx)
 | ||||||
|  | +        ossl_raise(eDHError, "EVP_PKEY_CTX_new");
 | ||||||
|  | +    ret = EVP_PKEY_public_check(pctx);
 | ||||||
|  | +    EVP_PKEY_CTX_free(pctx);
 | ||||||
|  | +    if (ret != 1)
 | ||||||
|  | +        ossl_raise(eECError, "EVP_PKEY_public_check");
 | ||||||
|  | +#else
 | ||||||
|  |      EC_KEY *ec; | ||||||
|  |   | ||||||
|  |      GetEC(self, ec); | ||||||
|  |      if (EC_KEY_check_key(ec) != 1) | ||||||
|  |  	ossl_raise(eECError, "EC_KEY_check_key"); | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  |      return Qtrue; | ||||||
|  |  } | ||||||
|  | diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | index 279ce1984c..f80af8f841 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dh.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | @@ -86,6 +86,22 @@ def test_key_exchange
 | ||||||
|  |      assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key)) | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | +  def test_params_ok?
 | ||||||
|  | +    dh0 = Fixtures.pkey("dh1024")
 | ||||||
|  | +
 | ||||||
|  | +    dh1 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
 | ||||||
|  | +      OpenSSL::ASN1::Integer(dh0.p),
 | ||||||
|  | +      OpenSSL::ASN1::Integer(dh0.g)
 | ||||||
|  | +    ]))
 | ||||||
|  | +    assert_equal(true, dh1.params_ok?)
 | ||||||
|  | +
 | ||||||
|  | +    dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
 | ||||||
|  | +      OpenSSL::ASN1::Integer(dh0.p + 1),
 | ||||||
|  | +      OpenSSL::ASN1::Integer(dh0.g)
 | ||||||
|  | +    ]))
 | ||||||
|  | +    assert_equal(false, dh2.params_ok?)
 | ||||||
|  | +  end
 | ||||||
|  | +
 | ||||||
|  |    def test_dup | ||||||
|  |      dh = Fixtures.pkey("dh1024") | ||||||
|  |      dh2 = dh.dup | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,114 @@ | |||||||
|  | From 8c185e0ae5e42bf5f3d76a1a0898946671116fa3 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Wed, 3 Nov 2021 23:31:29 +0900 | ||||||
|  | Subject: [PATCH 1/2] pkey: test parsing concatenated PEM string | ||||||
|  | 
 | ||||||
|  | PEM-encoded private keys are sometimes stored together with irrelevant | ||||||
|  | PEM blocks, such as the corresponding X.509 certificate. | ||||||
|  | 
 | ||||||
|  | PEM_read_bio_*() family automatically skips unknown PEM blocks, but on | ||||||
|  | OpenSSL 3.0 we will be using the new OSSL_DECODER API instead due to | ||||||
|  | some breaking changes around the password callback. | ||||||
|  | 
 | ||||||
|  | Let's add a test case so that we won't break the current behavior. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_pkey_rsa.rb | 6 ++++++ | ||||||
|  |  1 file changed, 6 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index dbe87ba4..7510658d 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -306,6 +306,12 @@ def test_RSAPrivateKey
 | ||||||
|  |   | ||||||
|  |      assert_equal asn1.to_der, rsa1024.to_der | ||||||
|  |      assert_equal pem, rsa1024.export | ||||||
|  | +
 | ||||||
|  | +    # Unknown PEM prepended
 | ||||||
|  | +    cert = issue_cert(OpenSSL::X509::Name.new([["CN", "nobody"]]), rsa1024, 1, [], nil, nil)
 | ||||||
|  | +    str = cert.to_text + cert.to_pem + rsa1024.to_pem
 | ||||||
|  | +    key = OpenSSL::PKey::RSA.new(str)
 | ||||||
|  | +    assert_same_rsa rsa1024, key
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_RSAPrivateKey_encrypted | ||||||
|  | 
 | ||||||
|  | From a84ea531bbd080c3f58fe8d3dc9ffb1af2251f35 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Sat, 20 Mar 2021 23:16:16 +0900 | ||||||
|  | Subject: [PATCH 2/2] pkey: use OSSL_DECODER to load encrypted PEM on OpenSSL | ||||||
|  |  3.0 | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 has rewritten routines to load pkeys (PEM_read_bio_* and | ||||||
|  | d2i_* functions) around the newly introduced OSSL_DECODER API. | ||||||
|  | 
 | ||||||
|  | This comes with a slight behavior change. They now decrypt and parse | ||||||
|  | each encountered PEM block, then check the kind of the block. This used | ||||||
|  | to be the reverse: they checked the PEM header to see the kind, and then | ||||||
|  | decrypted the content. This means that the password callback may now be | ||||||
|  | called repeatedly. | ||||||
|  | 
 | ||||||
|  | Let's use the OSSL_DECODER API directly on OpenSSL 3.0 so that the | ||||||
|  | return value from the password callback will be reused automatically. | ||||||
|  | ---
 | ||||||
|  |  ext/openssl/ossl_pkey.c | 40 ++++++++++++++++++++++++++++++++++++++++ | ||||||
|  |  1 file changed, 40 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 | ||||||
|  | index f9f5162e..b08168a5 100644
 | ||||||
|  | --- a/ext/openssl/ossl_pkey.c
 | ||||||
|  | +++ b/ext/openssl/ossl_pkey.c
 | ||||||
|  | @@ -78,6 +78,45 @@ ossl_pkey_new(EVP_PKEY *pkey)
 | ||||||
|  |      return obj; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 | ||||||
|  | +# include <openssl/decoder.h>
 | ||||||
|  | +
 | ||||||
|  | +EVP_PKEY *
 | ||||||
|  | +ossl_pkey_read_generic(BIO *bio, VALUE pass)
 | ||||||
|  | +{
 | ||||||
|  | +    void *ppass = (void *)pass;
 | ||||||
|  | +    OSSL_DECODER_CTX *dctx;
 | ||||||
|  | +    EVP_PKEY *pkey = NULL;
 | ||||||
|  | +    int pos = 0, pos2;
 | ||||||
|  | +
 | ||||||
|  | +    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
 | ||||||
|  | +    if (!dctx)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +
 | ||||||
|  | +    /* First check DER */
 | ||||||
|  | +    if (OSSL_DECODER_from_bio(dctx, bio) == 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +
 | ||||||
|  | +    /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */
 | ||||||
|  | +    OSSL_BIO_reset(bio);
 | ||||||
|  | +    if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1)
 | ||||||
|  | +        goto out;
 | ||||||
|  | +    while (OSSL_DECODER_from_bio(dctx, bio) != 1) {
 | ||||||
|  | +        if (BIO_eof(bio))
 | ||||||
|  | +            goto out;
 | ||||||
|  | +        pos2 = BIO_tell(bio);
 | ||||||
|  | +        if (pos2 < 0 || pos2 <= pos)
 | ||||||
|  | +            goto out;
 | ||||||
|  | +        pos = pos2;
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +  out:
 | ||||||
|  | +    OSSL_DECODER_CTX_free(dctx);
 | ||||||
|  | +    return pkey;
 | ||||||
|  | +}
 | ||||||
|  | +#else
 | ||||||
|  |  EVP_PKEY * | ||||||
|  |  ossl_pkey_read_generic(BIO *bio, VALUE pass) | ||||||
|  |  { | ||||||
|  | @@ -106,6 +145,7 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
 | ||||||
|  |    out: | ||||||
|  |      return pkey; | ||||||
|  |  } | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  |  /* | ||||||
|  |   *  call-seq: | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -0,0 +1,29 @@ | |||||||
|  | From b4b5eab2a5fd0e9ac62c01102dd26d0a433c5683 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 18 May 2020 02:17:28 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/test_digest: do not test constants for legacy | ||||||
|  |  algorithms | ||||||
|  | 
 | ||||||
|  | Remove availability test for MD4 and RIPEMD160 as they are considered | ||||||
|  | legacy and may be missing depending on the compile-time options of | ||||||
|  | OpenSSL. OpenSSL 3.0 by default disables them. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_digest.rb | 2 +- | ||||||
|  |  1 file changed, 1 insertion(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
 | ||||||
|  | index 8d7046e831..84c128c12f 100644
 | ||||||
|  | --- a/test/openssl/test_digest.rb
 | ||||||
|  | +++ b/test/openssl/test_digest.rb
 | ||||||
|  | @@ -54,7 +54,7 @@ def test_reset
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_digest_constants | ||||||
|  | -    %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
 | ||||||
|  | +    %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do |name|
 | ||||||
|  |        assert_not_nil(OpenSSL::Digest.new(name)) | ||||||
|  |        klass = OpenSSL::Digest.const_get(name.tr('-', '_')) | ||||||
|  |        assert_not_nil(klass.new) | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,439 @@ | |||||||
|  | From 9596788bdd2d061bef042485af14262e9fc4020c Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Thu, 13 Aug 2020 23:20:55 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for | ||||||
|  | encryption of the certificates. However, in OpenSSL 3.0, the algorithm | ||||||
|  | is part of the legacy provider and is not enabled by default. | ||||||
|  | 
 | ||||||
|  | Specify another algorithm that is still in the default provider for | ||||||
|  | these test cases. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_pkcs12.rb | 297 ++++++++++++++++++------------------ | ||||||
|  |  1 file changed, 149 insertions(+), 148 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
 | ||||||
|  | index fdbe753b17..ec676743bc 100644
 | ||||||
|  | --- a/test/openssl/test_pkcs12.rb
 | ||||||
|  | +++ b/test/openssl/test_pkcs12.rb
 | ||||||
|  | @@ -5,6 +5,9 @@
 | ||||||
|  |   | ||||||
|  |  module OpenSSL | ||||||
|  |    class TestPKCS12 < OpenSSL::TestCase | ||||||
|  | +    DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
 | ||||||
|  | +    DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
 | ||||||
|  | +
 | ||||||
|  |      def setup | ||||||
|  |        super | ||||||
|  |        ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") | ||||||
|  | @@ -14,47 +17,41 @@ def setup
 | ||||||
|  |          ["subjectKeyIdentifier","hash",false], | ||||||
|  |          ["authorityKeyIdentifier","keyid:always",false], | ||||||
|  |        ] | ||||||
|  | -      @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)
 | ||||||
|  | +      ca_key = Fixtures.pkey("rsa-1")
 | ||||||
|  | +      @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil)
 | ||||||
|  |   | ||||||
|  |        inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") | ||||||
|  | -      inter_ca_key = OpenSSL::PKey.read <<-_EOS_
 | ||||||
|  | ------BEGIN RSA PRIVATE KEY-----
 | ||||||
|  | -MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K
 | ||||||
|  | -oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT
 | ||||||
|  | -ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB
 | ||||||
|  | -AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV
 | ||||||
|  | -5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9
 | ||||||
|  | -iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC
 | ||||||
|  | -G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5
 | ||||||
|  | -Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA
 | ||||||
|  | -HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf
 | ||||||
|  | -ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG
 | ||||||
|  | -jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK
 | ||||||
|  | -FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
 | ||||||
|  | -Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
 | ||||||
|  | ------END RSA PRIVATE KEY-----
 | ||||||
|  | -      _EOS_
 | ||||||
|  | -      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))
 | ||||||
|  | +      inter_ca_key = Fixtures.pkey("rsa-2")
 | ||||||
|  | +      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key)
 | ||||||
|  |   | ||||||
|  |        exts = [ | ||||||
|  |          ["keyUsage","digitalSignature",true], | ||||||
|  |          ["subjectKeyIdentifier","hash",false], | ||||||
|  |        ] | ||||||
|  |        ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") | ||||||
|  | -      @mykey = Fixtures.pkey("rsa1024")
 | ||||||
|  | +      @mykey = Fixtures.pkey("rsa-3")
 | ||||||
|  |        @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key) | ||||||
|  |      end | ||||||
|  |   | ||||||
|  | -    def test_create
 | ||||||
|  | +    def test_create_single_key_single_cert
 | ||||||
|  |        pkcs12 = OpenSSL::PKCS12.create( | ||||||
|  |          "omg", | ||||||
|  |          "hello", | ||||||
|  |          @mykey, | ||||||
|  | -        @mycert
 | ||||||
|  | +        @mycert,
 | ||||||
|  | +        nil,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |        ) | ||||||
|  | -      assert_equal @mycert.to_der, pkcs12.certificate.to_der
 | ||||||
|  | +      assert_equal @mycert, pkcs12.certificate
 | ||||||
|  |        assert_equal @mykey.to_der, pkcs12.key.to_der | ||||||
|  |        assert_nil pkcs12.ca_certs | ||||||
|  | +
 | ||||||
|  | +      der = pkcs12.to_der
 | ||||||
|  | +      decoded = OpenSSL::PKCS12.new(der, "omg")
 | ||||||
|  | +      assert_equal @mykey.to_der, decoded.key.to_der
 | ||||||
|  | +      assert_equal @mycert, decoded.certificate
 | ||||||
|  | +      assert_equal [], Array(decoded.ca_certs)
 | ||||||
|  |      end | ||||||
|  |   | ||||||
|  |      def test_create_no_pass | ||||||
|  | @@ -62,14 +59,17 @@ def test_create_no_pass
 | ||||||
|  |          nil, | ||||||
|  |          "hello", | ||||||
|  |          @mykey, | ||||||
|  | -        @mycert
 | ||||||
|  | +        @mycert,
 | ||||||
|  | +        nil,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |        ) | ||||||
|  | -      assert_equal @mycert.to_der, pkcs12.certificate.to_der
 | ||||||
|  | +      assert_equal @mycert, pkcs12.certificate
 | ||||||
|  |        assert_equal @mykey.to_der, pkcs12.key.to_der | ||||||
|  |        assert_nil pkcs12.ca_certs | ||||||
|  |   | ||||||
|  |        decoded = OpenSSL::PKCS12.new(pkcs12.to_der) | ||||||
|  | -      assert_cert @mycert, decoded.certificate
 | ||||||
|  | +      assert_equal @mycert, decoded.certificate
 | ||||||
|  |      end | ||||||
|  |   | ||||||
|  |      def test_create_with_chain | ||||||
|  | @@ -80,7 +80,9 @@ def test_create_with_chain
 | ||||||
|  |          "hello", | ||||||
|  |          @mykey, | ||||||
|  |          @mycert, | ||||||
|  | -        chain
 | ||||||
|  | +        chain,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |        ) | ||||||
|  |        assert_equal chain, pkcs12.ca_certs | ||||||
|  |      end | ||||||
|  | @@ -95,14 +97,16 @@ def test_create_with_chain_decode
 | ||||||
|  |          "hello", | ||||||
|  |          @mykey, | ||||||
|  |          @mycert, | ||||||
|  | -        chain
 | ||||||
|  | +        chain,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |        ) | ||||||
|  |   | ||||||
|  |        decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd) | ||||||
|  |        assert_equal chain.size, decoded.ca_certs.size | ||||||
|  | -      assert_include_cert @cacert, decoded.ca_certs
 | ||||||
|  | -      assert_include_cert @inter_cacert, decoded.ca_certs
 | ||||||
|  | -      assert_cert @mycert, decoded.certificate
 | ||||||
|  | +      assert_include decoded.ca_certs, @cacert
 | ||||||
|  | +      assert_include decoded.ca_certs, @inter_cacert
 | ||||||
|  | +      assert_equal @mycert, decoded.certificate
 | ||||||
|  |        assert_equal @mykey.to_der, decoded.key.to_der | ||||||
|  |      end | ||||||
|  |   | ||||||
|  | @@ -126,8 +130,8 @@ def test_create_with_itr
 | ||||||
|  |          @mykey, | ||||||
|  |          @mycert, | ||||||
|  |          [], | ||||||
|  | -        nil,
 | ||||||
|  | -        nil,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |          2048 | ||||||
|  |        ) | ||||||
|  |   | ||||||
|  | @@ -138,8 +142,8 @@ def test_create_with_itr
 | ||||||
|  |            @mykey, | ||||||
|  |            @mycert, | ||||||
|  |            [], | ||||||
|  | -          nil,
 | ||||||
|  | -          nil,
 | ||||||
|  | +          DEFAULT_PBE_PKEYS,
 | ||||||
|  | +          DEFAULT_PBE_CERTS,
 | ||||||
|  |            "omg" | ||||||
|  |          ) | ||||||
|  |        end | ||||||
|  | @@ -152,7 +156,8 @@ def test_create_with_mac_itr
 | ||||||
|  |          @mykey, | ||||||
|  |          @mycert, | ||||||
|  |          [], | ||||||
|  | -        nil,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  |          nil, | ||||||
|  |          nil, | ||||||
|  |          2048 | ||||||
|  | @@ -165,148 +170,144 @@ def test_create_with_mac_itr
 | ||||||
|  |            @mykey, | ||||||
|  |            @mycert, | ||||||
|  |            [], | ||||||
|  | -          nil,
 | ||||||
|  | -          nil,
 | ||||||
|  | +          DEFAULT_PBE_PKEYS,
 | ||||||
|  | +          DEFAULT_PBE_CERTS,
 | ||||||
|  |            nil, | ||||||
|  |            "omg" | ||||||
|  |          ) | ||||||
|  |        end | ||||||
|  |      end | ||||||
|  |   | ||||||
|  | -    def test_new_with_one_key_and_one_cert
 | ||||||
|  | -      # generated with:
 | ||||||
|  | -      #   openssl version #=> OpenSSL 1.0.2h  3 May 2016
 | ||||||
|  | -      #   openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>
 | ||||||
|  | -      str = <<~EOF.unpack("m").first
 | ||||||
|  | -MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH
 | ||||||
|  | -BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM
 | ||||||
|  | -Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN
 | ||||||
|  | -YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj
 | ||||||
|  | -A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS
 | ||||||
|  | -XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga
 | ||||||
|  | -LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7
 | ||||||
|  | -7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL
 | ||||||
|  | -ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp
 | ||||||
|  | -xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes
 | ||||||
|  | -dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj
 | ||||||
|  | -jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9
 | ||||||
|  | -wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY
 | ||||||
|  | -IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL
 | ||||||
|  | -1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/
 | ||||||
|  | -Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1
 | ||||||
|  | -E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi
 | ||||||
|  | -MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8
 | ||||||
|  | -qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD
 | ||||||
|  | -Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o
 | ||||||
|  | -0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq
 | ||||||
|  | -xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn
 | ||||||
|  | -F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG
 | ||||||
|  | -s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf
 | ||||||
|  | -SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA
 | ||||||
|  | -x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl
 | ||||||
|  | -BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE
 | ||||||
|  | -vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo
 | ||||||
|  | -OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu
 | ||||||
|  | -SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D
 | ||||||
|  | -llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd
 | ||||||
|  | -f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb
 | ||||||
|  | -8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF
 | ||||||
|  | -vyl2WuMdEwQIMWFFphPkIUICAggA
 | ||||||
|  | -      EOF
 | ||||||
|  | -      p12 = OpenSSL::PKCS12.new(str, "abc123")
 | ||||||
|  | -
 | ||||||
|  | -      assert_equal @mykey.to_der, p12.key.to_der
 | ||||||
|  | -      assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der
 | ||||||
|  | -      assert_equal [], Array(p12.ca_certs)
 | ||||||
|  | -    end
 | ||||||
|  | -
 | ||||||
|  |      def test_new_with_no_keys | ||||||
|  |        # generated with: | ||||||
|  | -      #   openssl pkcs12 -in <@mycert> -nokeys -export -out <out>
 | ||||||
|  | +      #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
 | ||||||
|  |        str = <<~EOF.unpack("m").first | ||||||
|  | -MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH
 | ||||||
|  | -BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W
 | ||||||
|  | -irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU
 | ||||||
|  | -0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67
 | ||||||
|  | -I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN
 | ||||||
|  | -Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr
 | ||||||
|  | -mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd
 | ||||||
|  | -NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe
 | ||||||
|  | -lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0
 | ||||||
|  | -LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI
 | ||||||
|  | -aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I
 | ||||||
|  | -OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB
 | ||||||
|  | -DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM
 | ||||||
|  | -Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx
 | ||||||
|  | -ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4
 | ||||||
|  | -mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP
 | ||||||
|  | -1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=
 | ||||||
|  | +MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
 | ||||||
|  | +DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
 | ||||||
|  | +DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
 | ||||||
|  | +rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV
 | ||||||
|  | +kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C
 | ||||||
|  | +hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23
 | ||||||
|  | +18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN
 | ||||||
|  | +JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0
 | ||||||
|  | +Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA
 | ||||||
|  | +PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y
 | ||||||
|  | +DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS
 | ||||||
|  | +ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy
 | ||||||
|  | +cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70
 | ||||||
|  | +63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC
 | ||||||
|  | ++YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p
 | ||||||
|  | +OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG
 | ||||||
|  | +e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs
 | ||||||
|  | +rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr
 | ||||||
|  | +riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW
 | ||||||
|  | +W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy
 | ||||||
|  | ++xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo
 | ||||||
|  | +eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN
 | ||||||
|  | +aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor
 | ||||||
|  | +757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3
 | ||||||
|  | +AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr
 | ||||||
|  | +pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ
 | ||||||
|  | +JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA
 | ||||||
|  | +EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5
 | ||||||
|  | +enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ
 | ||||||
|  | +J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT
 | ||||||
|  | +yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3
 | ||||||
|  | +omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO
 | ||||||
|  | +j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ
 | ||||||
|  | +7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
 | ||||||
|  | +CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
 | ||||||
|  | +AA==
 | ||||||
|  |        EOF | ||||||
|  |        p12 = OpenSSL::PKCS12.new(str, "abc123") | ||||||
|  |   | ||||||
|  |        assert_equal nil, p12.key | ||||||
|  |        assert_equal nil, p12.certificate | ||||||
|  |        assert_equal 1, p12.ca_certs.size | ||||||
|  | -      assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der
 | ||||||
|  | +      assert_equal @mycert.subject, p12.ca_certs[0].subject
 | ||||||
|  |      end | ||||||
|  |   | ||||||
|  |      def test_new_with_no_certs | ||||||
|  |        # generated with: | ||||||
|  | -      #   openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>
 | ||||||
|  | +      #   openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
 | ||||||
|  |        str = <<~EOF.unpack("m").first | ||||||
|  | -MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH
 | ||||||
|  | -AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN
 | ||||||
|  | -AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ
 | ||||||
|  | -V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q
 | ||||||
|  | -cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh
 | ||||||
|  | -O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ
 | ||||||
|  | -7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne
 | ||||||
|  | -ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg
 | ||||||
|  | -DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE
 | ||||||
|  | -7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX
 | ||||||
|  | -nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN
 | ||||||
|  | -N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj
 | ||||||
|  | -Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY
 | ||||||
|  | -i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft
 | ||||||
|  | -JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg
 | ||||||
|  | -GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF
 | ||||||
|  | -Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
 | ||||||
|  | +MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
 | ||||||
|  | +DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
 | ||||||
|  | +KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
 | ||||||
|  | +72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ
 | ||||||
|  | +1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU
 | ||||||
|  | ++D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS
 | ||||||
|  | +WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9
 | ||||||
|  | +lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K
 | ||||||
|  | +zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX
 | ||||||
|  | +rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM
 | ||||||
|  | +CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7
 | ||||||
|  | +n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1
 | ||||||
|  | +WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN
 | ||||||
|  | +ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63
 | ||||||
|  | +cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N
 | ||||||
|  | +Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF
 | ||||||
|  | +nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy
 | ||||||
|  | +w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM
 | ||||||
|  | +GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh
 | ||||||
|  | +KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3
 | ||||||
|  | +FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+
 | ||||||
|  | +Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g
 | ||||||
|  | +JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR
 | ||||||
|  | +R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH
 | ||||||
|  | +7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN
 | ||||||
|  | +KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1
 | ||||||
|  | +n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ
 | ||||||
|  | +Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1
 | ||||||
|  | +S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t
 | ||||||
|  | +n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W
 | ||||||
|  | +yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL
 | ||||||
|  | +f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF
 | ||||||
|  | +ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p
 | ||||||
|  | +FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0
 | ||||||
|  | +r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q
 | ||||||
|  | +0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P
 | ||||||
|  | +8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS
 | ||||||
|  | +H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+
 | ||||||
|  | +53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A
 | ||||||
|  | +CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23
 | ||||||
|  | +fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v
 | ||||||
|  | +AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS
 | ||||||
|  | +SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e
 | ||||||
|  | +wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX
 | ||||||
|  | +2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk
 | ||||||
|  | +AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z
 | ||||||
|  | +OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx
 | ||||||
|  | +9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV
 | ||||||
|  | +H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq
 | ||||||
|  | +NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz
 | ||||||
|  | +8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C
 | ||||||
|  | +KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr
 | ||||||
|  | +fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf
 | ||||||
|  | +NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW
 | ||||||
|  | +VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
 | ||||||
|  | +M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
 | ||||||
|  | +BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
 | ||||||
|  |        EOF | ||||||
|  |        p12 = OpenSSL::PKCS12.new(str, "abc123") | ||||||
|  |   | ||||||
|  | -      assert_equal @mykey.to_der, p12.key.to_der
 | ||||||
|  | +      assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der
 | ||||||
|  |        assert_equal nil, p12.certificate | ||||||
|  |        assert_equal [], Array(p12.ca_certs) | ||||||
|  |      end | ||||||
|  |   | ||||||
|  |      def test_dup | ||||||
|  | -      p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)
 | ||||||
|  | +      p12 = OpenSSL::PKCS12.create(
 | ||||||
|  | +        "pass",
 | ||||||
|  | +        "name",
 | ||||||
|  | +        @mykey,
 | ||||||
|  | +        @mycert,
 | ||||||
|  | +        nil,
 | ||||||
|  | +        DEFAULT_PBE_PKEYS,
 | ||||||
|  | +        DEFAULT_PBE_CERTS,
 | ||||||
|  | +      )
 | ||||||
|  |        assert_equal p12.to_der, p12.dup.to_der | ||||||
|  |      end | ||||||
|  | -
 | ||||||
|  | -    private
 | ||||||
|  | -    def assert_cert expected, actual
 | ||||||
|  | -      [
 | ||||||
|  | -        :subject,
 | ||||||
|  | -        :issuer,
 | ||||||
|  | -        :serial,
 | ||||||
|  | -        :not_before,
 | ||||||
|  | -        :not_after,
 | ||||||
|  | -      ].each do |attribute|
 | ||||||
|  | -        assert_equal expected.send(attribute), actual.send(attribute)
 | ||||||
|  | -      end
 | ||||||
|  | -      assert_equal expected.to_der, actual.to_der
 | ||||||
|  | -    end
 | ||||||
|  | -
 | ||||||
|  | -    def assert_include_cert cert, ary
 | ||||||
|  | -      der = cert.to_der
 | ||||||
|  | -      ary.each do |candidate|
 | ||||||
|  | -        if candidate.to_der == der
 | ||||||
|  | -          return true
 | ||||||
|  | -        end
 | ||||||
|  | -      end
 | ||||||
|  | -      false
 | ||||||
|  | -    end
 | ||||||
|  |    end | ||||||
|  |  end | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,67 @@ | |||||||
|  | From 10d2216b2f35a31777a099d9f765b0b6ea34a63e Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 18 May 2020 02:35:35 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/test_pkey: use EC keys for | ||||||
|  |  PKey.generate_parameters tests | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits, | ||||||
|  | but generating 2048 bits parameters takes very long time. Let's use EC | ||||||
|  | in these test cases instead. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_pkey.rb | 27 +++++++++++---------------- | ||||||
|  |  1 file changed, 11 insertions(+), 16 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
 | ||||||
|  | index 3630458b3c..88a6e04581 100644
 | ||||||
|  | --- a/test/openssl/test_pkey.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey.rb
 | ||||||
|  | @@ -27,20 +27,16 @@ def test_generic_oid_inspect
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_s_generate_parameters | ||||||
|  | -    # 512 is non-default; 1024 is used if 'dsa_paramgen_bits' is not specified
 | ||||||
|  | -    # with OpenSSL 1.1.0.
 | ||||||
|  | -    pkey = OpenSSL::PKey.generate_parameters("DSA", {
 | ||||||
|  | -      "dsa_paramgen_bits" => 512,
 | ||||||
|  | -      "dsa_paramgen_q_bits" => 256,
 | ||||||
|  | +    pkey = OpenSSL::PKey.generate_parameters("EC", {
 | ||||||
|  | +      "ec_paramgen_curve" => "secp384r1",
 | ||||||
|  |      }) | ||||||
|  | -    assert_instance_of OpenSSL::PKey::DSA, pkey
 | ||||||
|  | -    assert_equal 512, pkey.p.num_bits
 | ||||||
|  | -    assert_equal 256, pkey.q.num_bits
 | ||||||
|  | -    assert_equal nil, pkey.priv_key
 | ||||||
|  | +    assert_instance_of OpenSSL::PKey::EC, pkey
 | ||||||
|  | +    assert_equal "secp384r1", pkey.group.curve_name
 | ||||||
|  | +    assert_equal nil, pkey.private_key
 | ||||||
|  |   | ||||||
|  |      # Invalid options are checked | ||||||
|  |      assert_raise(OpenSSL::PKey::PKeyError) { | ||||||
|  | -      OpenSSL::PKey.generate_parameters("DSA", "invalid" => "option")
 | ||||||
|  | +      OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      # Parameter generation callback is called | ||||||
|  | @@ -59,14 +55,13 @@ def test_s_generate_key
 | ||||||
|  |        # DSA key pair cannot be generated without parameters | ||||||
|  |        OpenSSL::PKey.generate_key("DSA") | ||||||
|  |      } | ||||||
|  | -    pkey_params = OpenSSL::PKey.generate_parameters("DSA", {
 | ||||||
|  | -      "dsa_paramgen_bits" => 512,
 | ||||||
|  | -      "dsa_paramgen_q_bits" => 256,
 | ||||||
|  | +    pkey_params = OpenSSL::PKey.generate_parameters("EC", {
 | ||||||
|  | +      "ec_paramgen_curve" => "secp384r1",
 | ||||||
|  |      }) | ||||||
|  |      pkey = OpenSSL::PKey.generate_key(pkey_params) | ||||||
|  | -    assert_instance_of OpenSSL::PKey::DSA, pkey
 | ||||||
|  | -    assert_equal 512, pkey.p.num_bits
 | ||||||
|  | -    assert_not_equal nil, pkey.priv_key
 | ||||||
|  | +    assert_instance_of OpenSSL::PKey::EC, pkey
 | ||||||
|  | +    assert_equal "secp384r1", pkey.group.curve_name
 | ||||||
|  | +    assert_not_equal nil, pkey.private_key
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_hmac_sign_verify | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,31 @@ | |||||||
|  | From 05fd14aea7eff2a6911a6f529f1237276482c6e7 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Fri, 10 Jul 2020 13:56:38 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/test_ssl: relax regex to match OpenSSL's error | ||||||
|  |  message | ||||||
|  | 
 | ||||||
|  | OpenSSL 3.0 slightly changed the error message for a certificate | ||||||
|  | verification failure when an untrusted self-signed certificate is found | ||||||
|  | in the chain. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_ssl.rb | 4 +++- | ||||||
|  |  1 file changed, 3 insertions(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
 | ||||||
|  | index 6095d545b5..9e9b8b9b69 100644
 | ||||||
|  | --- a/test/openssl/test_ssl.rb
 | ||||||
|  | +++ b/test/openssl/test_ssl.rb
 | ||||||
|  | @@ -964,7 +964,9 @@ def test_connect_certificate_verify_failed_exception_message
 | ||||||
|  |      start_server(ignore_listener_error: true) { |port| | ||||||
|  |        ctx = OpenSSL::SSL::SSLContext.new | ||||||
|  |        ctx.set_params | ||||||
|  | -      assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
 | ||||||
|  | +      # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
 | ||||||
|  | +      # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
 | ||||||
|  | +      assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
 | ||||||
|  |          server_connect(port, ctx) | ||||||
|  |        } | ||||||
|  |      } | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,265 @@ | |||||||
|  | From 2c6797bc97d7c92284dc3c0ed27f97ace4e5cfb9 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Mon, 31 May 2021 11:44:05 +0900 | ||||||
|  | Subject: [PATCH] test/openssl/utils: remove dup_public helper method | ||||||
|  | 
 | ||||||
|  | It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not | ||||||
|  | work with OpenSSL 3.0. The same can easily be achieved using | ||||||
|  | PKey#public_to_der regardless of the key kind. | ||||||
|  | ---
 | ||||||
|  |  test/openssl/test_pkey_dh.rb  |  8 +++++--- | ||||||
|  |  test/openssl/test_pkey_dsa.rb | 15 +++++++++++---- | ||||||
|  |  test/openssl/test_pkey_ec.rb  | 15 +++++++++++---- | ||||||
|  |  test/openssl/test_pkey_rsa.rb | 31 +++++++++++++++++-------------- | ||||||
|  |  test/openssl/utils.rb         | 26 -------------------------- | ||||||
|  |  5 files changed, 44 insertions(+), 51 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | index f80af8f841..757704caf6 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dh.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dh.rb
 | ||||||
|  | @@ -40,12 +40,14 @@ def test_derive_key
 | ||||||
|  |   | ||||||
|  |    def test_DHparams | ||||||
|  |      dh1024 = Fixtures.pkey("dh1024") | ||||||
|  | +    dh1024params = dh1024.public_key
 | ||||||
|  | +
 | ||||||
|  |      asn1 = OpenSSL::ASN1::Sequence([ | ||||||
|  |        OpenSSL::ASN1::Integer(dh1024.p), | ||||||
|  |        OpenSSL::ASN1::Integer(dh1024.g) | ||||||
|  |      ]) | ||||||
|  |      key = OpenSSL::PKey::DH.new(asn1.to_der) | ||||||
|  | -    assert_same_dh dup_public(dh1024), key
 | ||||||
|  | +    assert_same_dh dh1024params, key
 | ||||||
|  |   | ||||||
|  |      pem = <<~EOF | ||||||
|  |      -----BEGIN DH PARAMETERS----- | ||||||
|  | @@ -55,9 +57,9 @@ def test_DHparams
 | ||||||
|  |      -----END DH PARAMETERS----- | ||||||
|  |      EOF | ||||||
|  |      key = OpenSSL::PKey::DH.new(pem) | ||||||
|  | -    assert_same_dh dup_public(dh1024), key
 | ||||||
|  | +    assert_same_dh dh1024params, key
 | ||||||
|  |      key = OpenSSL::PKey.read(pem) | ||||||
|  | -    assert_same_dh dup_public(dh1024), key
 | ||||||
|  | +    assert_same_dh dh1024params, key
 | ||||||
|  |   | ||||||
|  |      assert_equal asn1.to_der, dh1024.to_der | ||||||
|  |      assert_equal pem, dh1024.export | ||||||
|  | diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | index 147e50176b..0994607f21 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_dsa.rb
 | ||||||
|  | @@ -138,6 +138,8 @@ def test_DSAPrivateKey_encrypted
 | ||||||
|  |   | ||||||
|  |    def test_PUBKEY | ||||||
|  |      dsa512 = Fixtures.pkey("dsa512") | ||||||
|  | +    dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der)
 | ||||||
|  | +
 | ||||||
|  |      asn1 = OpenSSL::ASN1::Sequence([ | ||||||
|  |        OpenSSL::ASN1::Sequence([ | ||||||
|  |          OpenSSL::ASN1::ObjectId("DSA"), | ||||||
|  | @@ -153,7 +155,7 @@ def test_PUBKEY
 | ||||||
|  |      ]) | ||||||
|  |      key = OpenSSL::PKey::DSA.new(asn1.to_der) | ||||||
|  |      assert_not_predicate key, :private? | ||||||
|  | -    assert_same_dsa dup_public(dsa512), key
 | ||||||
|  | +    assert_same_dsa dsa512pub, key
 | ||||||
|  |   | ||||||
|  |      pem = <<~EOF | ||||||
|  |      -----BEGIN PUBLIC KEY----- | ||||||
|  | @@ -166,10 +168,15 @@ def test_PUBKEY
 | ||||||
|  |      -----END PUBLIC KEY----- | ||||||
|  |      EOF | ||||||
|  |      key = OpenSSL::PKey::DSA.new(pem) | ||||||
|  | -    assert_same_dsa dup_public(dsa512), key
 | ||||||
|  | +    assert_same_dsa dsa512pub, key
 | ||||||
|  | +
 | ||||||
|  | +    assert_equal asn1.to_der, key.to_der
 | ||||||
|  | +    assert_equal pem, key.export
 | ||||||
|  |   | ||||||
|  | -    assert_equal asn1.to_der, dup_public(dsa512).to_der
 | ||||||
|  | -    assert_equal pem, dup_public(dsa512).export
 | ||||||
|  | +    assert_equal asn1.to_der, dsa512.public_to_der
 | ||||||
|  | +    assert_equal asn1.to_der, key.public_to_der
 | ||||||
|  | +    assert_equal pem, dsa512.public_to_pem
 | ||||||
|  | +    assert_equal pem, key.public_to_pem
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_read_DSAPublicKey_pem | ||||||
|  | diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | index 4b6df0290f..d62f1b5eb8 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_ec.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_ec.rb
 | ||||||
|  | @@ -210,6 +210,8 @@ def test_ECPrivateKey_encrypted
 | ||||||
|  |   | ||||||
|  |    def test_PUBKEY | ||||||
|  |      p256 = Fixtures.pkey("p256") | ||||||
|  | +    p256pub = OpenSSL::PKey::EC.new(p256.public_to_der)
 | ||||||
|  | +
 | ||||||
|  |      asn1 = OpenSSL::ASN1::Sequence([ | ||||||
|  |        OpenSSL::ASN1::Sequence([ | ||||||
|  |          OpenSSL::ASN1::ObjectId("id-ecPublicKey"), | ||||||
|  | @@ -221,7 +223,7 @@ def test_PUBKEY
 | ||||||
|  |      ]) | ||||||
|  |      key = OpenSSL::PKey::EC.new(asn1.to_der) | ||||||
|  |      assert_not_predicate key, :private? | ||||||
|  | -    assert_same_ec dup_public(p256), key
 | ||||||
|  | +    assert_same_ec p256pub, key
 | ||||||
|  |   | ||||||
|  |      pem = <<~EOF | ||||||
|  |      -----BEGIN PUBLIC KEY----- | ||||||
|  | @@ -230,10 +232,15 @@ def test_PUBKEY
 | ||||||
|  |      -----END PUBLIC KEY----- | ||||||
|  |      EOF | ||||||
|  |      key = OpenSSL::PKey::EC.new(pem) | ||||||
|  | -    assert_same_ec dup_public(p256), key
 | ||||||
|  | +    assert_same_ec p256pub, key
 | ||||||
|  | +
 | ||||||
|  | +    assert_equal asn1.to_der, key.to_der
 | ||||||
|  | +    assert_equal pem, key.export
 | ||||||
|  |   | ||||||
|  | -    assert_equal asn1.to_der, dup_public(p256).to_der
 | ||||||
|  | -    assert_equal pem, dup_public(p256).export
 | ||||||
|  | +    assert_equal asn1.to_der, p256.public_to_der
 | ||||||
|  | +    assert_equal asn1.to_der, key.public_to_der
 | ||||||
|  | +    assert_equal pem, p256.public_to_pem
 | ||||||
|  | +    assert_equal pem, key.public_to_pem
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_ec_group | ||||||
|  | diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | index 5e127f5407..4548bdb2cf 100644
 | ||||||
|  | --- a/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | +++ b/test/openssl/test_pkey_rsa.rb
 | ||||||
|  | @@ -201,7 +201,7 @@ def test_sign_verify_pss
 | ||||||
|  |   | ||||||
|  |    def test_encrypt_decrypt | ||||||
|  |      rsapriv = Fixtures.pkey("rsa-1") | ||||||
|  | -    rsapub = dup_public(rsapriv)
 | ||||||
|  | +    rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
 | ||||||
|  |   | ||||||
|  |      # Defaults to PKCS #1 v1.5 | ||||||
|  |      raw = "data" | ||||||
|  | @@ -216,7 +216,7 @@ def test_encrypt_decrypt
 | ||||||
|  |   | ||||||
|  |    def test_encrypt_decrypt_legacy | ||||||
|  |      rsapriv = Fixtures.pkey("rsa-1") | ||||||
|  | -    rsapub = dup_public(rsapriv)
 | ||||||
|  | +    rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)
 | ||||||
|  |   | ||||||
|  |      # Defaults to PKCS #1 v1.5 | ||||||
|  |      raw = "data" | ||||||
|  | @@ -346,13 +346,15 @@ def test_RSAPrivateKey_encrypted
 | ||||||
|  |   | ||||||
|  |    def test_RSAPublicKey | ||||||
|  |      rsa1024 = Fixtures.pkey("rsa1024") | ||||||
|  | +    rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
 | ||||||
|  | +
 | ||||||
|  |      asn1 = OpenSSL::ASN1::Sequence([ | ||||||
|  |        OpenSSL::ASN1::Integer(rsa1024.n), | ||||||
|  |        OpenSSL::ASN1::Integer(rsa1024.e) | ||||||
|  |      ]) | ||||||
|  |      key = OpenSSL::PKey::RSA.new(asn1.to_der) | ||||||
|  |      assert_not_predicate key, :private? | ||||||
|  | -    assert_same_rsa dup_public(rsa1024), key
 | ||||||
|  | +    assert_same_rsa rsa1024pub, key
 | ||||||
|  |   | ||||||
|  |      pem = <<~EOF | ||||||
|  |      -----BEGIN RSA PUBLIC KEY----- | ||||||
|  | @@ -362,11 +364,13 @@ def test_RSAPublicKey
 | ||||||
|  |      -----END RSA PUBLIC KEY----- | ||||||
|  |      EOF | ||||||
|  |      key = OpenSSL::PKey::RSA.new(pem) | ||||||
|  | -    assert_same_rsa dup_public(rsa1024), key
 | ||||||
|  | +    assert_same_rsa rsa1024pub, key
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_PUBKEY | ||||||
|  |      rsa1024 = Fixtures.pkey("rsa1024") | ||||||
|  | +    rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)
 | ||||||
|  | +
 | ||||||
|  |      asn1 = OpenSSL::ASN1::Sequence([ | ||||||
|  |        OpenSSL::ASN1::Sequence([ | ||||||
|  |          OpenSSL::ASN1::ObjectId("rsaEncryption"), | ||||||
|  | @@ -381,7 +385,7 @@ def test_PUBKEY
 | ||||||
|  |      ]) | ||||||
|  |      key = OpenSSL::PKey::RSA.new(asn1.to_der) | ||||||
|  |      assert_not_predicate key, :private? | ||||||
|  | -    assert_same_rsa dup_public(rsa1024), key
 | ||||||
|  | +    assert_same_rsa rsa1024pub, key
 | ||||||
|  |   | ||||||
|  |      pem = <<~EOF | ||||||
|  |      -----BEGIN PUBLIC KEY----- | ||||||
|  | @@ -392,10 +396,15 @@ def test_PUBKEY
 | ||||||
|  |      -----END PUBLIC KEY----- | ||||||
|  |      EOF | ||||||
|  |      key = OpenSSL::PKey::RSA.new(pem) | ||||||
|  | -    assert_same_rsa dup_public(rsa1024), key
 | ||||||
|  | +    assert_same_rsa rsa1024pub, key
 | ||||||
|  | +
 | ||||||
|  | +    assert_equal asn1.to_der, key.to_der
 | ||||||
|  | +    assert_equal pem, key.export
 | ||||||
|  |   | ||||||
|  | -    assert_equal asn1.to_der, dup_public(rsa1024).to_der
 | ||||||
|  | -    assert_equal pem, dup_public(rsa1024).export
 | ||||||
|  | +    assert_equal asn1.to_der, rsa1024.public_to_der
 | ||||||
|  | +    assert_equal asn1.to_der, key.public_to_der
 | ||||||
|  | +    assert_equal pem, rsa1024.public_to_pem
 | ||||||
|  | +    assert_equal pem, key.public_to_pem
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_pem_passwd | ||||||
|  | @@ -482,12 +491,6 @@ def test_private_encoding_encrypted
 | ||||||
|  |      assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef") | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | -  def test_public_encoding
 | ||||||
|  | -    rsa1024 = Fixtures.pkey("rsa1024")
 | ||||||
|  | -    assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der
 | ||||||
|  | -    assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem
 | ||||||
|  | -  end
 | ||||||
|  | -
 | ||||||
|  |    def test_dup | ||||||
|  |      key = Fixtures.pkey("rsa1024") | ||||||
|  |      key2 = key.dup | ||||||
|  | diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
 | ||||||
|  | index c1d737b2ab..f664bd3074 100644
 | ||||||
|  | --- a/test/openssl/utils.rb
 | ||||||
|  | +++ b/test/openssl/utils.rb
 | ||||||
|  | @@ -313,32 +313,6 @@ def check_component(base, test, keys)
 | ||||||
|  |        assert_equal base.send(comp), test.send(comp) | ||||||
|  |      } | ||||||
|  |    end | ||||||
|  | -
 | ||||||
|  | -  def dup_public(key)
 | ||||||
|  | -    case key
 | ||||||
|  | -    when OpenSSL::PKey::RSA
 | ||||||
|  | -      rsa = OpenSSL::PKey::RSA.new
 | ||||||
|  | -      rsa.set_key(key.n, key.e, nil)
 | ||||||
|  | -      rsa
 | ||||||
|  | -    when OpenSSL::PKey::DSA
 | ||||||
|  | -      dsa = OpenSSL::PKey::DSA.new
 | ||||||
|  | -      dsa.set_pqg(key.p, key.q, key.g)
 | ||||||
|  | -      dsa.set_key(key.pub_key, nil)
 | ||||||
|  | -      dsa
 | ||||||
|  | -    when OpenSSL::PKey::DH
 | ||||||
|  | -      dh = OpenSSL::PKey::DH.new
 | ||||||
|  | -      dh.set_pqg(key.p, nil, key.g)
 | ||||||
|  | -      dh
 | ||||||
|  | -    else
 | ||||||
|  | -      if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
 | ||||||
|  | -        ec = OpenSSL::PKey::EC.new(key.group)
 | ||||||
|  | -        ec.public_key = key.public_key
 | ||||||
|  | -        ec
 | ||||||
|  | -      else
 | ||||||
|  | -        raise "unknown key type"
 | ||||||
|  | -      end
 | ||||||
|  | -    end
 | ||||||
|  | -  end
 | ||||||
|  |  end | ||||||
|  |   | ||||||
|  |  module OpenSSL::Certs | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
							
								
								
									
										161
									
								
								ruby.spec
									
									
									
									
									
								
							
							
						
						
									
										161
									
								
								ruby.spec
									
									
									
									
									
								
							| @ -22,7 +22,7 @@ | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %global release 157 | %global release 159 | ||||||
| %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} | %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} | ||||||
| 
 | 
 | ||||||
| # The RubyGems library has to stay out of Ruby directory tree, since the | # The RubyGems library has to stay out of Ruby directory tree, since the | ||||||
| @ -66,9 +66,6 @@ | |||||||
| 
 | 
 | ||||||
| %global tapset_libdir %(echo %{_libdir} | sed 's/64//')* | %global tapset_libdir %(echo %{_libdir} | sed 's/64//')* | ||||||
| 
 | 
 | ||||||
| # Temporarily disable tests failing with OpenSSL 3.0 |  | ||||||
| %bcond_with openssl_tests |  | ||||||
| 
 |  | ||||||
| %if 0%{?fedora} >= 19 | %if 0%{?fedora} >= 19 | ||||||
| %bcond_without rubypick | %bcond_without rubypick | ||||||
| %endif | %endif | ||||||
| @ -173,16 +170,79 @@ Patch22: rubygems-3.2.33-Fix-loading-operating_system-rb-customizations-too-late | |||||||
| # https://github.com/ruby/ruby/pull/5239 | # https://github.com/ruby/ruby/pull/5239 | ||||||
| Patch23: ruby-3.1.0-Fix-stack-buffer-overflow.patch | Patch23: ruby-3.1.0-Fix-stack-buffer-overflow.patch | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
| # OpenSSL 3.0 compatibility patches | # OpenSSL 3.0 compatibility patches | ||||||
| 
 | 
 | ||||||
| # Support openssl 3.0 |  | ||||||
| # Revert OpenSSL < 3.x enforcement. | # Revert OpenSSL < 3.x enforcement. | ||||||
| # https://github.com/ruby/openssl/commit/202ff1372a40a8adf9aac74bfe8a39141b0c57e5 | # https://github.com/ruby/openssl/commit/202ff1372a40a8adf9aac74bfe8a39141b0c57e5 | ||||||
| Patch30: ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch | Patch30: ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch | ||||||
| 
 | 
 | ||||||
| # https://github.com/ruby/openssl/commit/d963d4e276658d110bcb796722d76efa7fb68efa | # Fix test broken by wrongly formatted distinguished name submitted to | ||||||
| # https://github.com/ruby/openssl/pull/399/ | # `OpenSSL::X509::Name.parse`. | ||||||
| Patch40: ruby-3.0-support-openssl-3.0-pr399.patch | # https://github.com/ruby/openssl/issues/470 | ||||||
|  | # https://github.com/rubygems/rubygems/pull/5030 | ||||||
|  | Patch31: rubygems-3.2.30-Provide-distinguished-name-which-will-be-correctly-p.patch | ||||||
|  | 
 | ||||||
|  | # Refactor PEM/DER serialization code. | ||||||
|  | # https://github.com/ruby/openssl/pull/328 | ||||||
|  | Patch40: ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch | ||||||
|  | # Implement more 'generic' operations using the EVP API. | ||||||
|  | # https://github.com/ruby/openssl/pull/329 | ||||||
|  | Patch41: ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch | ||||||
|  | # Migrate from the low-level HMAC API to the EVP API. | ||||||
|  | # https://github.com/ruby/openssl/pull/371 | ||||||
|  | Patch42: ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch | ||||||
|  | # Allow setting algorithm-specific options in #sign and #verify. | ||||||
|  | # https://github.com/ruby/openssl/pull/374 | ||||||
|  | Patch43: ruby-3.1.0-Allow-setting-algorithm-specific-options-in-sign-and-verify.patch | ||||||
|  | # Use high level EVP interface to generate parameters and keys. | ||||||
|  | # https://github.com/ruby/openssl/pull/397 | ||||||
|  | Patch44: ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch | ||||||
|  | # Use EVP API in more places. | ||||||
|  | # https://github.com/ruby/openssl/pull/436 | ||||||
|  | Patch45: ruby-3.1.0-Use-EVP-API-in-more-places.patch | ||||||
|  | # Implement PKey#{encrypt,decrypt,sign_raw,verify_{raw,verify_recover}}. | ||||||
|  | # https://github.com/ruby/openssl/pull/382 | ||||||
|  | Patch46: ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch | ||||||
|  | # Fix `OpenSSL::TestSSL#test_dup` test failure. | ||||||
|  | # https://github.com/ruby/openssl/commit/7b66eaa2dbabb6570dbbbdfac24c4dcdcc6793d7 | ||||||
|  | Patch47: ruby-3.1.0-test-openssl-utils-remove-dup_public-helper-method.patch | ||||||
|  | # Fix `OpenSSL::TestDigest#test_digest_constants` test case. | ||||||
|  | # https://github.com/ruby/openssl/commit/a3e59f4c2e200c76ef1d93945ff8737a05715e17 | ||||||
|  | Patch48: ruby-3.1.0-test-openssl-test_digest-do-not-test-constants-for-l.patch | ||||||
|  | # Fix `OpenSSL::TestSSL#test_connect_certificate_verify_failed_exception_message` | ||||||
|  | # test case. | ||||||
|  | # https://github.com/ruby/openssl/commit/b5a0a198505452c7457b192da2e5cd5dda04f23d | ||||||
|  | Patch49: ruby-3.1.0-test-openssl-test_ssl-relax-regex-to-match-OpenSSL-s.patch | ||||||
|  | # Fix `OpenSSL::TestPKCS12#test_{new_with_no_keys,new_with_one_key_and_one_cert}` | ||||||
|  | # test failures. | ||||||
|  | # https://github.com/ruby/openssl/commit/998406d18f2acf73090e9fd9d92a7b4227ac593b | ||||||
|  | Patch50: ruby-3.1.0-test-openssl-test_pkcs12-fix-test-failures-with-Open.patch | ||||||
|  | # Fix `OpenSSL::TestPKey#test_s_generate_key` test case. | ||||||
|  | # https://github.com/ruby/openssl/commit/c732387ee5aaa8c5a9717e8b3ffebb3d7430e99a | ||||||
|  | Patch51: ruby-3.1.0-test-openssl-test_pkey-use-EC-keys-for-PKey.generate.patch | ||||||
|  | # Miscellaneous changes for OpenSSL 3.0 support. | ||||||
|  | # https://github.com/ruby/openssl/pull/468 | ||||||
|  | Patch52: ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch | ||||||
|  | # Use OSSL_DECODER to load encrypted PEM. | ||||||
|  | # https://github.com/ruby/openssl/pull/479 | ||||||
|  | Patch53: ruby-3.1.0-Use-OSSL_DECODER-to-load-encrypted-PEM-on-OpenSSL-3.0.patch | ||||||
|  | # Allocate EVP_PKEY on #initialize. | ||||||
|  | # https://github.com/ruby/openssl/pull/478 | ||||||
|  | Patch54: ruby-3.1.0-Allocate-EVP_PKEY-on-initialize.patch | ||||||
|  | # Disable `OpenSSL::TestPKeyRSA#test_no_private_exp` test case which is not | ||||||
|  | # compatible with OpenSSL 3.0. | ||||||
|  | # https://github.com/ruby/ruby/commit/47975ece4096cdab16b3f200f93ea2377dfb41ac | ||||||
|  | Patch55: ruby-3.1.0-Disable-test_no_private_exp-on-OpenSSL-3.0.patch | ||||||
|  | # Deprecate PKey::*#set_* and PKey::{DH,EC}#generate_key! | ||||||
|  | # https://github.com/ruby/openssl/pull/480 | ||||||
|  | Patch56: ruby-3.1.0-Deprecate-PKey-set_-and-PKey-DH-EC-generate_key.patch | ||||||
|  | # Fix `OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0` errors. | ||||||
|  | # https://github.com/rubygems/rubygems/pull/5196 | ||||||
|  | Patch57: rubygems-3.3.1-Fix-compatibility-with-OpenSSL3.0.patch | ||||||
|  | # Miscellaneous changes for OpenSSL 3.0 support. | ||||||
|  | # https://github.com/ruby/openssl/pull/481 | ||||||
|  | Patch58: ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support-part-2.patch | ||||||
| 
 | 
 | ||||||
| Requires: %{name}-libs%{?_isa} = %{version}-%{release} | Requires: %{name}-libs%{?_isa} = %{version}-%{release} | ||||||
| Suggests: rubypick | Suggests: rubypick | ||||||
| @ -625,7 +685,26 @@ rm -rf ext/fiddle/libffi* | |||||||
| %patch22 -p1 | %patch22 -p1 | ||||||
| %patch23 -p1 | %patch23 -p1 | ||||||
| %patch30 -p1 -R | %patch30 -p1 -R | ||||||
|  | %patch31 -p1 | ||||||
| %patch40 -p1 | %patch40 -p1 | ||||||
|  | %patch41 -p1 | ||||||
|  | %patch42 -p1 | ||||||
|  | %patch43 -p1 | ||||||
|  | %patch44 -p1 | ||||||
|  | %patch45 -p1 | ||||||
|  | %patch46 -p1 | ||||||
|  | %patch47 -p1 | ||||||
|  | %patch48 -p1 | ||||||
|  | %patch49 -p1 | ||||||
|  | %patch50 -p1 | ||||||
|  | %patch51 -p1 | ||||||
|  | %patch52 -p1 | ||||||
|  | %patch53 -p1 | ||||||
|  | %patch54 -p1 | ||||||
|  | %patch55 -p1 | ||||||
|  | %patch56 -p1 | ||||||
|  | %patch57 -p1 | ||||||
|  | %patch58 -p1 | ||||||
| 
 | 
 | ||||||
| # Provide an example of usage of the tapset: | # Provide an example of usage of the tapset: | ||||||
| cp -a %{SOURCE3} . | cp -a %{SOURCE3} . | ||||||
| @ -892,68 +971,6 @@ make runruby TESTRUN_SCRIPT="--enable-gems %{SOURCE13}" | |||||||
| # Check if systemtap is supported. | # Check if systemtap is supported. | ||||||
| %{?with_systemtap:make runruby TESTRUN_SCRIPT=%{SOURCE14}} | %{?with_systemtap:make runruby TESTRUN_SCRIPT=%{SOURCE14}} | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
| # Temporarily disable tests, as openssl gem is not ready yet |  | ||||||
| # Therefore I'm disabling all the affected tests bellow. |  | ||||||
| # https://github.com/ruby/openssl/pull/399 |  | ||||||
| %if %{without openssl_tests} |  | ||||||
| # Loading SSL Certificate fails (Segfault). |  | ||||||
| sed -i '/^  if defined?(OpenSSL::SSL/,/^  end/ s/^/#/g' \ |  | ||||||
|   tool/test/webrick/test_httpproxy.rb |  | ||||||
| sed -i "/^\s*def test_upstream_proxy$/ a \ |  | ||||||
|   skip 'Fails to load cert with openssl 3.0.'" tool/test/webrick/test_httpproxy.rb |  | ||||||
| sed -i "/^\s*def test_connect$/ a \ |  | ||||||
|   skip 'Fails to load cert with o penssl 3.0.'" tool/test/webrick/test_httpproxy.rb |  | ||||||
| mv test/net/http/test_https.rb{,.disable} |  | ||||||
| mv test/openssl/utils.rb{,.disable} |  | ||||||
| 
 |  | ||||||
| # Disable certificates, because they fail to load. Same as without OpenSSL. |  | ||||||
| for vname in \ |  | ||||||
|   PUBLIC_CERT \ |  | ||||||
|   PRIVATE_KEY \ |  | ||||||
|   ENCRYPTED_PRIVATE_KEY \ |  | ||||||
|   PUBLIC_KEY \ |  | ||||||
| ;do |  | ||||||
|   sed -i "s/^\(\s*${vname}\s*=\s*\).*$/\1nil/" \ |  | ||||||
|     test/rubygems/helper.rb |  | ||||||
| done |  | ||||||
| # Missing openssl certificate methods (e.g. '.to_pem'), |  | ||||||
| # or certificates completely. Caused by disabling certificates above. |  | ||||||
| mv test/rubygems/test_gem_security_trust_dir.rb{,.disable} |  | ||||||
| mv test/rubygems/test_gem_security_signer.rb{,.disable} |  | ||||||
| mv test/rubygems/test_gem_security_policy.rb{,.disable} |  | ||||||
| mv test/rubygems/test_gem_commands_cert_command.rb{,.disable} |  | ||||||
| mv test/rubygems/test_gem_security.rb{,.disable} |  | ||||||
| for tname in \ |  | ||||||
|   build_auto_signed \ |  | ||||||
|   build_auto_signed_encrypted_key \ |  | ||||||
|   build_signed \ |  | ||||||
|   build_signed_encrypted_key \ |  | ||||||
|   verify_security_policy_checksum_missing \ |  | ||||||
|   verify_security_policy_low_security \ |  | ||||||
| ;do |  | ||||||
|   sed -i "/^\s*def test_${tname}$/ a \ |  | ||||||
|     skip 'Missing certificate methods.'" test/rubygems/test_gem_package.rb |  | ||||||
| done |  | ||||||
| sed -i "/^\s*def test_add_file_signer$/ a \ |  | ||||||
|   skip 'Missing certificate method \".length\".'" \ |  | ||||||
|     test/rubygems/test_gem_package_tar_writer.rb |  | ||||||
| sed -i "/^\s*def test_do_not_allow_invalid_client_cert_auth_connection$/ a \ |  | ||||||
|   skip 'Missing a certificate.'" \ |  | ||||||
|     test/rubygems/test_gem_remote_fetcher.rb |  | ||||||
| sed -i "/^\s*def test_ssl_client_cert_auth_connection$/ a \ |  | ||||||
|   skip 'Missing a certificate.'" \ |  | ||||||
|     test/rubygems/test_gem_remote_fetcher.rb |  | ||||||
| sed -i "/pend 'openssl is missing'/ a \ |  | ||||||
|   skip 'Segfault.'" \ |  | ||||||
|     test/rubygems/test_gem_commands_build_command.rb |  | ||||||
| 
 |  | ||||||
| # Different output for Invalid CA certificate error. |  | ||||||
| sed -i "/^\s*def test_verify_certificate_extra_message$/ a \ |  | ||||||
|   skip 'Different error output with OpenSSL 3.0.'" \ |  | ||||||
|     test/rubygems/test_gem_request.rb |  | ||||||
| %endif |  | ||||||
| 
 |  | ||||||
| DISABLE_TESTS="" | DISABLE_TESTS="" | ||||||
| MSPECOPTS="" | MSPECOPTS="" | ||||||
| 
 | 
 | ||||||
| @ -1442,6 +1459,10 @@ mv test/fiddle/test_import.rb{,.disable} | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Jan 25 2022 Vít Ondruch <vondruch@redhat.com> - 3.0.3-159 | ||||||
|  | - Update OpenSSL 3 compatibility patches. | ||||||
|  |   Resolves: rhbz#1952925 | ||||||
|  | 
 | ||||||
| * Thu Jan 20 2022 Vít Ondruch <vondruch@redhat.com> - 3.0.3-157 | * Thu Jan 20 2022 Vít Ondruch <vondruch@redhat.com> - 3.0.3-157 | ||||||
| - Fix segfault in `TestArray#test_sample` on s390x. | - Fix segfault in `TestArray#test_sample` on s390x. | ||||||
|   Related: rhbz#2049693 |   Related: rhbz#2049693 | ||||||
|  | |||||||
| @ -0,0 +1,44 @@ | |||||||
|  | From bb0f57aeb4de36a3b2b8b8cb01d25b32af0357d3 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com> | ||||||
|  | Date: Wed, 27 Oct 2021 16:28:24 +0200 | ||||||
|  | Subject: [PATCH] Provide distinguished name which will be correctly parsed. | ||||||
|  | 
 | ||||||
|  | It seems that since ruby openssl 2.1.0 [[1]], the distinguished name | ||||||
|  | submitted to `OpenSSL::X509::Name.parse` is not correctly parsed if it | ||||||
|  | does not contain the first slash: | ||||||
|  | 
 | ||||||
|  | ~~~ | ||||||
|  | $ ruby -v | ||||||
|  | ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux] | ||||||
|  | 
 | ||||||
|  | $ gem list | grep openssl | ||||||
|  | openssl (default: 2.2.0) | ||||||
|  | 
 | ||||||
|  | $ irb -r openssl | ||||||
|  | irb(main):001:0> OpenSSL::X509::Name.parse("CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE) | ||||||
|  | => "CN = nobody/DC=example"
 | ||||||
|  | irb(main):002:0> OpenSSL::X509::Name.parse("/CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE) | ||||||
|  | => "CN = nobody, DC = example"
 | ||||||
|  | ~~~ | ||||||
|  | 
 | ||||||
|  | [1]: https://github.com/ruby/openssl/commit/19c67cd10c57f3ab7b13966c36431ebc3fdd653b | ||||||
|  | ---
 | ||||||
|  |  lib/rubygems/security.rb | 2 +- | ||||||
|  |  1 file changed, 1 insertion(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
 | ||||||
|  | index c80639af6d..12de141f36 100644
 | ||||||
|  | --- a/lib/rubygems/security.rb
 | ||||||
|  | +++ b/lib/rubygems/security.rb
 | ||||||
|  | @@ -510,7 +510,7 @@ def self.email_to_name(email_address)
 | ||||||
|  |   | ||||||
|  |      dcs = dcs.split '.' | ||||||
|  |   | ||||||
|  | -    name = "CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
 | ||||||
|  | +    name = "/CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}"
 | ||||||
|  |   | ||||||
|  |      OpenSSL::X509::Name.parse name | ||||||
|  |    end | ||||||
|  | -- 
 | ||||||
|  | 2.32.0 | ||||||
|  | 
 | ||||||
| @ -92,10 +92,9 @@ even fully sure it was the right thing to do when I added that, and it | |||||||
| was not the culprit of the end user issue that led to making that | was not the culprit of the end user issue that led to making that | ||||||
| change. | change. | ||||||
| ---
 | ---
 | ||||||
|  .github/workflows/install-rubygems.yml |  5 ---- |  lib/rubygems.rb                | 32 ++++++++++++++++---------------- | ||||||
|  lib/rubygems.rb                        | 32 +++++++++++++------------- |  test/rubygems/test_rubygems.rb | 23 +++++++++++++++++++++++ | ||||||
|  test/rubygems/test_rubygems.rb         | 23 ++++++++++++++++++ |  2 files changed, 39 insertions(+), 16 deletions(-) | ||||||
|  3 files changed, 39 insertions(+), 21 deletions(-) |  | ||||||
| 
 | 
 | ||||||
| diff --git a/lib/rubygems.rb b/lib/rubygems.rb
 | diff --git a/lib/rubygems.rb b/lib/rubygems.rb
 | ||||||
| index b8747409304..11474b6554c 100644
 | index b8747409304..11474b6554c 100644
 | ||||||
| @ -189,8 +188,8 @@ Otherwise first OS customizations load and activate that fiddle version, | |||||||
| but then when we change to `Gem.default_dir`, that fiddle version is no | but then when we change to `Gem.default_dir`, that fiddle version is no | ||||||
| longer there. | longer there. | ||||||
| ---
 | ---
 | ||||||
|  bundler/spec/commands/clean_spec.rb          | 2 +- |  spec/bundler/commands/clean_spec.rb          | 2 +- | ||||||
|  bundler/spec/install/gems/standalone_spec.rb | 2 +- |  spec/bundler/install/gems/standalone_spec.rb | 2 +- | ||||||
|  2 files changed, 2 insertions(+), 2 deletions(-) |  2 files changed, 2 insertions(+), 2 deletions(-) | ||||||
| 
 | 
 | ||||||
| diff --git a/spec/bundler/commands/clean_spec.rb b/spec/bundler/commands/clean_spec.rb
 | diff --git a/spec/bundler/commands/clean_spec.rb b/spec/bundler/commands/clean_spec.rb
 | ||||||
|  | |||||||
							
								
								
									
										105
									
								
								rubygems-3.3.1-Fix-compatibility-with-OpenSSL3.0.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										105
									
								
								rubygems-3.3.1-Fix-compatibility-with-OpenSSL3.0.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,105 @@ | |||||||
|  | From 558128594de16add5b453833fd5b043a24c1b7f5 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Wed, 22 Dec 2021 01:38:47 +0900 | ||||||
|  | Subject: [PATCH 1/3] Use OpenSSL::PKey::EC.generate to generate ECC key pairs | ||||||
|  | 
 | ||||||
|  | When Ruby/OpenSSL is built against OpenSSL 3.0, OpenSSL::PKey::PKey | ||||||
|  | instances are immutable and OpenSSL::PKey::EC#generate_key cannot work | ||||||
|  | because it modifies the receiver. | ||||||
|  | 
 | ||||||
|  | OpenSSL::PKey::EC.generate is available on Ruby 2.4 (Ruby/OpenSSL 2.0) | ||||||
|  | or later. | ||||||
|  | ---
 | ||||||
|  |  lib/rubygems/security.rb | 10 +++++++--- | ||||||
|  |  1 file changed, 7 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
 | ||||||
|  | index 22759972070..2aa07381d69 100644
 | ||||||
|  | --- a/lib/rubygems/security.rb
 | ||||||
|  | +++ b/lib/rubygems/security.rb
 | ||||||
|  | @@ -490,9 +490,13 @@ def self.create_key(algorithm)
 | ||||||
|  |        when 'rsa' | ||||||
|  |          OpenSSL::PKey::RSA.new(RSA_DSA_KEY_LENGTH) | ||||||
|  |        when 'ec' | ||||||
|  | -        domain_key = OpenSSL::PKey::EC.new(EC_NAME)
 | ||||||
|  | -        domain_key.generate_key
 | ||||||
|  | -        domain_key
 | ||||||
|  | +        if RUBY_VERSION >= "2.4.0"
 | ||||||
|  | +          OpenSSL::PKey::EC.generate(EC_NAME)
 | ||||||
|  | +        else
 | ||||||
|  | +          domain_key = OpenSSL::PKey::EC.new(EC_NAME)
 | ||||||
|  | +          domain_key.generate_key
 | ||||||
|  | +          domain_key
 | ||||||
|  | +        end
 | ||||||
|  |        else | ||||||
|  |          raise Gem::Security::Exception, | ||||||
|  |          "#{algorithm} algorithm not found. RSA, DSA, and EC algorithms are supported." | ||||||
|  | 
 | ||||||
|  | From 60067d4f09b7fb9c23bed38e91acfde0293f29a0 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Wed, 22 Dec 2021 01:49:05 +0900 | ||||||
|  | Subject: [PATCH 2/3] Use OpenSSL::X509::Certificate#check_private_key | ||||||
|  | 
 | ||||||
|  | The method is for the exact purpose: to check that an instance of | ||||||
|  | OpenSSL::PKey::PKey matches the public key in a certificate. | ||||||
|  | ---
 | ||||||
|  |  lib/rubygems/security.rb        | 2 +- | ||||||
|  |  lib/rubygems/security/policy.rb | 4 +--- | ||||||
|  |  2 files changed, 2 insertions(+), 4 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
 | ||||||
|  | index 2aa07381d69..2906819bd34 100644
 | ||||||
|  | --- a/lib/rubygems/security.rb
 | ||||||
|  | +++ b/lib/rubygems/security.rb
 | ||||||
|  | @@ -530,7 +530,7 @@ def self.re_sign(expired_certificate, private_key, age = ONE_YEAR,
 | ||||||
|  |      raise Gem::Security::Exception, | ||||||
|  |            "incorrect signing key for re-signing " + | ||||||
|  |            "#{expired_certificate.subject}" unless | ||||||
|  | -      expired_certificate.public_key.to_pem == get_public_key(private_key).to_pem
 | ||||||
|  | +      expired_certificate.check_private_key(private_key)
 | ||||||
|  |   | ||||||
|  |      unless expired_certificate.subject.to_s == | ||||||
|  |             expired_certificate.issuer.to_s | ||||||
|  | diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb
 | ||||||
|  | index 3c3cb647ee3..06eae073f4a 100644
 | ||||||
|  | --- a/lib/rubygems/security/policy.rb
 | ||||||
|  | +++ b/lib/rubygems/security/policy.rb
 | ||||||
|  | @@ -115,11 +115,9 @@ def check_key(signer, key)
 | ||||||
|  |        raise Gem::Security::Exception, 'missing key or signature' | ||||||
|  |      end | ||||||
|  |   | ||||||
|  | -    public_key = Gem::Security.get_public_key(key)
 | ||||||
|  | -
 | ||||||
|  |      raise Gem::Security::Exception, | ||||||
|  |        "certificate #{signer.subject} does not match the signing key" unless | ||||||
|  | -        signer.public_key.to_pem == public_key.to_pem
 | ||||||
|  | +        signer.check_private_key(key)
 | ||||||
|  |   | ||||||
|  |      true | ||||||
|  |    end | ||||||
|  | 
 | ||||||
|  | From 6819e3d0fadc10ce8d10919402eedb730cf0e43f Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Kazuki Yamaguchi <k@rhe.jp> | ||||||
|  | Date: Wed, 22 Dec 2021 01:54:10 +0900 | ||||||
|  | Subject: [PATCH 3/3] Fix Gem::Security.get_public_key on OpenSSL 3.0 | ||||||
|  | 
 | ||||||
|  | Ruby/OpenSSL 2.2 added OpenSSL::PKey::PKey#public_to_der for serializing | ||||||
|  | only the public key components contained in the instance. This works | ||||||
|  | for all possible key types. | ||||||
|  | ---
 | ||||||
|  |  lib/rubygems/security.rb | 2 ++ | ||||||
|  |  1 file changed, 2 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
 | ||||||
|  | index 2906819bd34..f21c1756422 100644
 | ||||||
|  | --- a/lib/rubygems/security.rb
 | ||||||
|  | +++ b/lib/rubygems/security.rb
 | ||||||
|  | @@ -424,6 +424,8 @@ def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS,
 | ||||||
|  |    # Gets the right public key from a PKey instance | ||||||
|  |   | ||||||
|  |    def self.get_public_key(key) | ||||||
|  | +    # Ruby 3.0 (Ruby/OpenSSL 2.2) or later
 | ||||||
|  | +    return OpenSSL::PKey.read(key.public_to_der) if key.respond_to?(:public_to_der)
 | ||||||
|  |      return key.public_key unless key.is_a?(OpenSSL::PKey::EC) | ||||||
|  |   | ||||||
|  |      ec_key = OpenSSL::PKey::EC.new(key.group.curve_name) | ||||||
		Loading…
	
		Reference in New Issue
	
	Block a user