|
 |
6daba0 |
From 8f948ed68a4ed6c05ff66d822711e3b70ae4bb3f Mon Sep 17 00:00:00 2001
|
|
|
6daba0 |
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
|
6daba0 |
Date: Mon, 27 Sep 2021 13:32:03 +0900
|
|
|
6daba0 |
Subject: [PATCH 1/5] ext/openssl/ossl.h: add helper macros for
|
|
|
6daba0 |
OpenSSL/LibreSSL versions
|
|
|
6daba0 |
|
|
|
6daba0 |
Add following convenient macros:
|
|
|
6daba0 |
|
|
|
6daba0 |
- OSSL_IS_LIBRESSL
|
|
|
6daba0 |
- OSSL_OPENSSL_PREREQ(maj, min, pat)
|
|
|
6daba0 |
- OSSL_LIBRESSL_PREREQ(maj, min, pat)
|
|
|
6daba0 |
---
|
|
|
6daba0 |
ext/openssl/ossl.h | 12 ++++++++++++
|
|
|
6daba0 |
1 file changed, 12 insertions(+)
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
|
|
|
6daba0 |
index c20f506bda..a0cef29d74 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl.h
|
|
|
6daba0 |
+++ b/ext/openssl/ossl.h
|
|
|
6daba0 |
@@ -42,6 +42,18 @@
|
|
|
6daba0 |
#include <openssl/evp.h>
|
|
|
6daba0 |
#include <openssl/dh.h>
|
|
|
6daba0 |
|
|
|
6daba0 |
+#ifndef LIBRESSL_VERSION_NUMBER
|
|
|
6daba0 |
+# define OSSL_IS_LIBRESSL 0
|
|
|
6daba0 |
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) \
|
|
|
6daba0 |
+ (OPENSSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
|
6daba0 |
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0
|
|
|
6daba0 |
+#else
|
|
|
6daba0 |
+# define OSSL_IS_LIBRESSL 1
|
|
|
6daba0 |
+# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0
|
|
|
6daba0 |
+# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \
|
|
|
6daba0 |
+ (LIBRESSL_VERSION_NUMBER >= (maj << 28) | (min << 20) | (pat << 12))
|
|
|
6daba0 |
+#endif
|
|
|
6daba0 |
+
|
|
|
6daba0 |
/*
|
|
|
6daba0 |
* Common Module
|
|
|
6daba0 |
*/
|
|
|
6daba0 |
--
|
|
|
6daba0 |
2.32.0
|
|
|
6daba0 |
|
|
|
6daba0 |
|
|
|
6daba0 |
From bbf235091e49807ece8f3a3df95bbfcc9d3ab43d Mon Sep 17 00:00:00 2001
|
|
|
6daba0 |
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
|
6daba0 |
Date: Sat, 22 Feb 2020 05:37:01 +0900
|
|
|
6daba0 |
Subject: [PATCH 2/5] ts: use TS_VERIFY_CTX_set_certs instead of
|
|
|
6daba0 |
TS_VERIFY_CTS_set_certs
|
|
|
6daba0 |
|
|
|
6daba0 |
OpenSSL 3.0 fixed the typo in the function name and replaced the
|
|
|
6daba0 |
current 'CTS' version with a macro.
|
|
|
6daba0 |
---
|
|
|
6daba0 |
ext/openssl/extconf.rb | 5 ++++-
|
|
|
6daba0 |
ext/openssl/openssl_missing.h | 5 +++++
|
|
|
6daba0 |
ext/openssl/ossl_ts.c | 2 +-
|
|
|
6daba0 |
3 files changed, 10 insertions(+), 2 deletions(-)
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
|
6daba0 |
index 17d93443fc..09cae05b72 100644
|
|
|
6daba0 |
--- a/ext/openssl/extconf.rb
|
|
|
6daba0 |
+++ b/ext/openssl/extconf.rb
|
|
|
6daba0 |
@@ -165,7 +165,7 @@ def find_openssl_library
|
|
|
6daba0 |
have_func("TS_STATUS_INFO_get0_status")
|
|
|
6daba0 |
have_func("TS_STATUS_INFO_get0_text")
|
|
|
6daba0 |
have_func("TS_STATUS_INFO_get0_failure_info")
|
|
|
6daba0 |
-have_func("TS_VERIFY_CTS_set_certs")
|
|
|
6daba0 |
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
|
6daba0 |
have_func("TS_VERIFY_CTX_set_store")
|
|
|
6daba0 |
have_func("TS_VERIFY_CTX_add_flags")
|
|
|
6daba0 |
have_func("TS_RESP_CTX_set_time_cb")
|
|
|
6daba0 |
@@ -174,6 +174,9 @@ def find_openssl_library
|
|
|
6daba0 |
|
|
|
6daba0 |
# added in 1.1.1
|
|
|
6daba0 |
have_func("EVP_PKEY_check")
|
|
|
6daba0 |
+
|
|
|
6daba0 |
+# added in 3.0.0
|
|
|
6daba0 |
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
|
6daba0 |
|
|
|
6daba0 |
Logging::message "=== Checking done. ===\n"
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
index e575415f49..fe486bcfcf 100644
|
|
|
6daba0 |
--- a/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
+++ b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
@@ -236,4 +236,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
|
6daba0 |
} while (0)
|
|
|
6daba0 |
#endif
|
|
|
6daba0 |
|
|
|
6daba0 |
+/* added in 3.0.0 */
|
|
|
6daba0 |
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
|
|
|
6daba0 |
+# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
|
|
|
6daba0 |
+#endif
|
|
|
6daba0 |
+
|
|
|
6daba0 |
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
|
|
|
6daba0 |
index 692c0d620f..f1da7c1947 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl_ts.c
|
|
|
6daba0 |
+++ b/ext/openssl/ossl_ts.c
|
|
|
6daba0 |
@@ -820,7 +820,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
|
|
|
6daba0 |
X509_up_ref(cert);
|
|
|
6daba0 |
}
|
|
|
6daba0 |
|
|
|
6daba0 |
- TS_VERIFY_CTS_set_certs(ctx, x509inter);
|
|
|
6daba0 |
+ TS_VERIFY_CTX_set_certs(ctx, x509inter);
|
|
|
6daba0 |
TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
|
|
|
6daba0 |
TS_VERIFY_CTX_set_store(ctx, x509st);
|
|
|
6daba0 |
|
|
|
6daba0 |
--
|
|
|
6daba0 |
2.32.0
|
|
|
6daba0 |
|
|
|
6daba0 |
|
|
|
6daba0 |
From 5fba3bc1df93ab6abc3ea53be3393480f36ea259 Mon Sep 17 00:00:00 2001
|
|
|
6daba0 |
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
|
6daba0 |
Date: Fri, 19 Mar 2021 19:18:25 +0900
|
|
|
6daba0 |
Subject: [PATCH 3/5] ssl: use SSL_get_rbio() to check if SSL is started or not
|
|
|
6daba0 |
|
|
|
6daba0 |
Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally
|
|
|
6daba0 |
calls SSL_get_rbio() and it's enough for our purpose.
|
|
|
6daba0 |
|
|
|
6daba0 |
In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue
|
|
|
6daba0 |
if BIO has not been set up yet, and we would have to clean it up.
|
|
|
6daba0 |
---
|
|
|
6daba0 |
ext/openssl/ossl_ssl.c | 4 ++--
|
|
|
6daba0 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
|
|
|
6daba0 |
index 4b7efa39f5..ec430bfb0c 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl_ssl.c
|
|
|
6daba0 |
+++ b/ext/openssl/ossl_ssl.c
|
|
|
6daba0 |
@@ -1535,8 +1535,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
|
|
|
6daba0 |
static inline int
|
|
|
6daba0 |
ssl_started(SSL *ssl)
|
|
|
6daba0 |
{
|
|
|
6daba0 |
- /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */
|
|
|
6daba0 |
- return SSL_get_fd(ssl) >= 0;
|
|
|
6daba0 |
+ /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */
|
|
|
6daba0 |
+ return SSL_get_rbio(ssl) != NULL;
|
|
|
6daba0 |
}
|
|
|
6daba0 |
|
|
|
6daba0 |
static void
|
|
|
6daba0 |
--
|
|
|
6daba0 |
2.32.0
|
|
|
6daba0 |
|
|
|
6daba0 |
From 0a253027e6be47c0b7fd8b664f1048f24d7ca657 Mon Sep 17 00:00:00 2001
|
|
|
6daba0 |
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
|
6daba0 |
Date: Thu, 22 Apr 2021 13:57:47 +0900
|
|
|
6daba0 |
Subject: [PATCH 4/5] digest: use EVP_MD_CTX_get0_md() instead of
|
|
|
6daba0 |
EVP_MD_CTX_md() if exists
|
|
|
6daba0 |
|
|
|
6daba0 |
The function was renamed in OpenSSL 3.0 due to the change of the
|
|
|
6daba0 |
lifetime of EVP_MD objects. They are no longer necessarily statically
|
|
|
6daba0 |
allocated and can be reference-counted -- when an EVP_MD_CTX is free'd,
|
|
|
6daba0 |
the associated EVP_MD can also become inaccessible.
|
|
|
6daba0 |
|
|
|
6daba0 |
Currently Ruby/OpenSSL only handles builtin algorithms, so no special
|
|
|
6daba0 |
handling is needed except for adapting to the rename.
|
|
|
6daba0 |
---
|
|
|
6daba0 |
ext/openssl/extconf.rb | 1 +
|
|
|
6daba0 |
ext/openssl/openssl_missing.h | 4 ++++
|
|
|
6daba0 |
ext/openssl/ossl_digest.c | 6 +++---
|
|
|
6daba0 |
ext/openssl/ossl_hmac.c | 2 +-
|
|
|
6daba0 |
4 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
|
6daba0 |
index 98f96afe..842b7f5b 100644
|
|
|
6daba0 |
--- a/ext/openssl/extconf.rb
|
|
|
6daba0 |
+++ b/ext/openssl/extconf.rb
|
|
|
6daba0 |
@@ -177,6 +177,7 @@ def find_openssl_library
|
|
|
6daba0 |
|
|
|
6daba0 |
# added in 3.0.0
|
|
|
6daba0 |
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
|
6daba0 |
+have_func("EVP_MD_CTX_get0_md")
|
|
|
6daba0 |
|
|
|
6daba0 |
Logging::message "=== Checking done. ===\n"
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
index 1b1a54a8..64212349 100644
|
|
|
6daba0 |
--- a/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
+++ b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
@@ -241,4 +241,8 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
|
6daba0 |
# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
|
|
|
6daba0 |
#endif
|
|
|
6daba0 |
|
|
|
6daba0 |
+#ifndef HAVE_EVP_MD_CTX_GET0_MD
|
|
|
6daba0 |
+# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
|
|
|
6daba0 |
+#endif
|
|
|
6daba0 |
+
|
|
|
6daba0 |
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl_digest.c b/ext/openssl/ossl_digest.c
|
|
|
6daba0 |
index b2506de7..fc326ec1 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl_digest.c
|
|
|
6daba0 |
+++ b/ext/openssl/ossl_digest.c
|
|
|
6daba0 |
@@ -63,7 +63,7 @@ ossl_evp_get_digestbyname(VALUE obj)
|
|
|
6daba0 |
|
|
|
6daba0 |
GetDigest(obj, ctx);
|
|
|
6daba0 |
|
|
|
6daba0 |
- md = EVP_MD_CTX_md(ctx);
|
|
|
6daba0 |
+ md = EVP_MD_CTX_get0_md(ctx);
|
|
|
6daba0 |
}
|
|
|
6daba0 |
|
|
|
6daba0 |
return md;
|
|
|
6daba0 |
@@ -176,7 +176,7 @@ ossl_digest_reset(VALUE self)
|
|
|
6daba0 |
EVP_MD_CTX *ctx;
|
|
|
6daba0 |
|
|
|
6daba0 |
GetDigest(self, ctx);
|
|
|
6daba0 |
- if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) {
|
|
|
6daba0 |
+ if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL) != 1) {
|
|
|
6daba0 |
ossl_raise(eDigestError, "Digest initialization failed.");
|
|
|
6daba0 |
}
|
|
|
6daba0 |
|
|
|
6daba0 |
@@ -259,7 +259,7 @@ ossl_digest_name(VALUE self)
|
|
|
6daba0 |
|
|
|
6daba0 |
GetDigest(self, ctx);
|
|
|
6daba0 |
|
|
|
6daba0 |
- return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx)));
|
|
|
6daba0 |
+ return rb_str_new_cstr(EVP_MD_name(EVP_MD_CTX_get0_md(ctx)));
|
|
|
6daba0 |
}
|
|
|
6daba0 |
|
|
|
6daba0 |
/*
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
index a21db6c4..2642728b 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
+++ b/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
@@ -239,7 +239,7 @@ ossl_hmac_reset(VALUE self)
|
|
|
6daba0 |
|
|
|
6daba0 |
GetHMAC(self, ctx);
|
|
|
6daba0 |
pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
|
|
|
6daba0 |
- if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_md(ctx), NULL, pkey) != 1)
|
|
|
6daba0 |
+ if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
|
|
|
6daba0 |
ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
|
6daba0 |
|
|
|
6daba0 |
return self;
|
|
|
6daba0 |
|
|
|
6daba0 |
From c106d888c62e44a11cdbba5e4d2d0cb837ec3e52 Mon Sep 17 00:00:00 2001
|
|
|
6daba0 |
From: Kazuki Yamaguchi <k@rhe.jp>
|
|
|
6daba0 |
Date: Tue, 22 Jun 2021 18:50:17 +0900
|
|
|
6daba0 |
Subject: [PATCH 5/5] hmac: use EVP_MD_CTX_get_pkey_ctx() instead of
|
|
|
6daba0 |
EVP_MD_CTX_pkey_ctx()
|
|
|
6daba0 |
|
|
|
6daba0 |
OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the
|
|
|
6daba0 |
function name. Adjust compatibility macro so that we can use the new
|
|
|
6daba0 |
function name for all OpenSSL 1.0.2-3.0.
|
|
|
6daba0 |
---
|
|
|
6daba0 |
ext/openssl/extconf.rb | 1 +
|
|
|
6daba0 |
ext/openssl/openssl_missing.h | 16 ++++++++++++----
|
|
|
6daba0 |
ext/openssl/ossl_hmac.c | 2 +-
|
|
|
6daba0 |
3 files changed, 14 insertions(+), 5 deletions(-)
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
|
|
|
6daba0 |
index 842b7f5b..d9d34b7c 100644
|
|
|
6daba0 |
--- a/ext/openssl/extconf.rb
|
|
|
6daba0 |
+++ b/ext/openssl/extconf.rb
|
|
|
6daba0 |
@@ -178,6 +178,7 @@ def find_openssl_library
|
|
|
6daba0 |
# added in 3.0.0
|
|
|
6daba0 |
have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
|
|
|
6daba0 |
have_func("EVP_MD_CTX_get0_md")
|
|
|
6daba0 |
+have_func("EVP_MD_CTX_get_pkey_ctx")
|
|
|
6daba0 |
|
|
|
6daba0 |
Logging::message "=== Checking done. ===\n"
|
|
|
6daba0 |
|
|
|
6daba0 |
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
index 64212349..55c4f378 100644
|
|
|
6daba0 |
--- a/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
+++ b/ext/openssl/openssl_missing.h
|
|
|
6daba0 |
@@ -42,10 +42,6 @@ int ossl_EC_curve_nist2nid(const char *);
|
|
|
6daba0 |
# define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
|
6daba0 |
#endif
|
|
|
6daba0 |
|
|
|
6daba0 |
-#if !defined(HAVE_EVP_MD_CTX_PKEY_CTX)
|
|
|
6daba0 |
-# define EVP_MD_CTX_pkey_ctx(x) (x)->pctx
|
|
|
6daba0 |
-#endif
|
|
|
6daba0 |
-
|
|
|
6daba0 |
#if !defined(HAVE_X509_STORE_GET_EX_DATA)
|
|
|
6daba0 |
# define X509_STORE_get_ex_data(x, idx) \
|
|
|
6daba0 |
CRYPTO_get_ex_data(&(x)->ex_data, (idx))
|
|
|
6daba0 |
@@ -245,4 +241,16 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
|
|
|
6daba0 |
# define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
|
|
|
6daba0 |
#endif
|
|
|
6daba0 |
|
|
|
6daba0 |
+/*
|
|
|
6daba0 |
+ * OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
|
|
|
6daba0 |
+ * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
|
|
|
6daba0 |
+ */
|
|
|
6daba0 |
+#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
|
|
|
6daba0 |
+# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
|
|
|
6daba0 |
+# define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
|
|
|
6daba0 |
+# else
|
|
|
6daba0 |
+# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
|
|
|
6daba0 |
+# endif
|
|
|
6daba0 |
+#endif
|
|
|
6daba0 |
+
|
|
|
6daba0 |
#endif /* _OSSL_OPENSSL_MISSING_H_ */
|
|
|
6daba0 |
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
index 2642728b..f89ff2f9 100644
|
|
|
6daba0 |
--- a/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
+++ b/ext/openssl/ossl_hmac.c
|
|
|
6daba0 |
@@ -238,7 +238,7 @@ ossl_hmac_reset(VALUE self)
|
|
|
6daba0 |
EVP_PKEY *pkey;
|
|
|
6daba0 |
|
|
|
6daba0 |
GetHMAC(self, ctx);
|
|
|
6daba0 |
- pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
|
|
|
6daba0 |
+ pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
|
|
|
6daba0 |
if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
|
|
|
6daba0 |
ossl_raise(eHMACError, "EVP_DigestSignInit");
|
|
|
6daba0 |
|