Merge ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3 into ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
Status: Needs review
Proposed branch: ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3
Merge into: ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
Diff against target: 848 lines (+764/-1), 12 files modified
- debian/changelog (+8/-0)
- debian/control (+2/-1)
- debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch (+134/-0)
- debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch (+68/-0)
- debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch (+103/-0)
- debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch (+106/-0)
- debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch (+46/-0)
- debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch (+147/-0)
- debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch (+70/-0)
- debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch (+65/-0)
- debian/patches/series (+8/-0)
- debian/ruby-tests.rake (+7/-0)
Related bugs:
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Utkarsh Gupta (community) | | | Approve
git-ubuntu import | | | Pending
Review via email: mp+421795@code.launchpad.net |
Description of the change
Fix OpenSSL 3 issues in Jammy (LP: #1964025). This was fixed in version 1:7.0.0~beta1-2 in kinetic, and now I am backporting the upstream patch set to fix it in Jammy. This issue is making vagrant unusable, and some users are complaining about it.
PPA with proposed package:
https:/
autopkgtest result:
autopkgtest [19:06:49]: @@@@@@@
gem2deb-test-runner PASS
Lucas Kanashiro (lucaskanashiro) wrote:
So far there is no regression because of new ruby-net-ssh in kinetic, and I do not expect any TBH. It did not migrate yet because of the long test queue we have at the moment, so I am not worried about it.
Lucas Kanashiro (lucaskanashiro) wrote:
However, since you mentioned the version string, I think I'll use 1:6.1.0-3ubuntu0.1 instead of 1:6.1.0-3ubuntu1. Thanks for making me revisit this :)
Lucas Kanashiro (lucaskanashiro) wrote:
Package uploaded:
Uploading ruby-net-
Uploading ruby-net-
Uploading ruby-net-
Unmerged commits
- 8257009... by Lucas Kanashiro
  update-maintainer
- 81cb3cd... by Lucas Kanashiro
  Update changelog
- 1c25ff2... by Lucas Kanashiro
  d/ruby-tests.rake: use custom openssl config file if using openssl 3
  This will allow the usage of legacy ciphers during tests, not breaking a bunch of them.
- 2108453... by Lucas Kanashiro
  Backport upstream patches to support OpenSSL 3 (LP: #1964025)
  Origin: backport, https://github.com/net-ssh/net-ssh/pull/864
- 7363613... by Antonio Terceiro
  1:6.1.0-3 (patches unapplied)
  Imported using git-ubuntu import.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 9d13b4e..ef64464 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,11 @@ |
6 | +ruby-net-ssh (1:6.1.0-3ubuntu0.1) jammy; urgency=medium |
7 | + |
8 | + * d/p/openssl-3/*.patch: backport upstream patches to support OpenSSL 3 |
9 | + (LP: #1964025). |
10 | + * d/ruby-tests.rake: use custom OpenSSL config file if using OpenSSL 3. |
11 | + |
12 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Mon, 09 May 2022 18:44:20 -0300 |
13 | + |
14 | ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium |
15 | |
16 | * Team upload |
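Review bot: the entry names `d/p/openssl-3/*.patch`, but the file list for this proposal starts the series at 0002 with no 0001; one line here or in the patch headers saying why the first patch of the upstream set was not carried into Jammy would save the SRU reviewer a question. The `1:6.1.0-3ubuntu0.1` version and the LP bug reference match the description.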
17 | diff --git a/debian/control b/debian/control |
18 | index 62920fb..2483e6d 100644 |
19 | --- a/debian/control |
20 | +++ b/debian/control |
21 | @@ -1,7 +1,8 @@ |
22 | Source: ruby-net-ssh |
23 | Section: ruby |
24 | Priority: optional |
25 | -Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> |
26 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
27 | +XSBC-Original-Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> |
28 | Uploaders: Lucas Nussbaum <lucas@debian.org>, |
29 | Paul van Tilburg <paulvt@debian.org>, |
30 | David Suárez <david.sephirot@gmail.com> |
31 | diff --git a/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
32 | new file mode 100644 |
33 | index 0000000..0c63bee |
34 | --- /dev/null |
35 | +++ b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
36 | @@ -0,0 +1,134 @@ |
37 | +From: Simon Chopin <simon.chopin@canonical.com> |
38 | +Date: Fri, 8 Apr 2022 09:49:06 +0200 |
39 | +Subject: Generate all DSA keys with 1024 bits |
40 | + |
41 | +512bits keys are refused in newer OpenSSL libraries as too weak. |
42 | + |
43 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
44 | +--- |
45 | + test/authentication/methods/test_hostbased.rb | 2 +- |
46 | + test/authentication/methods/test_publickey.rb | 2 +- |
47 | + test/authentication/test_agent.rb | 12 ++++++------ |
48 | + test/authentication/test_key_manager.rb | 4 ++-- |
49 | + test/integration/test_agent.rb | 2 +- |
50 | + 5 files changed, 11 insertions(+), 11 deletions(-) |
51 | + |
52 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/6364a20037fe8 |
53 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
54 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
55 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
56 | +Last-Updated: 2022-05-09 |
57 | + |
58 | +diff --git a/test/authentication/methods/test_hostbased.rb b/test/authentication/methods/test_hostbased.rb |
59 | +index 4fbd37a..957a83e 100644 |
60 | +--- a/test/authentication/methods/test_hostbased.rb |
61 | ++++ b/test/authentication/methods/test_hostbased.rb |
62 | +@@ -76,7 +76,7 @@ module Authentication |
63 | + |
64 | + @@keys = nil |
65 | + def keys |
66 | +- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] |
67 | ++ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] |
68 | + end |
69 | + |
70 | + def key_manager(options={}) |
71 | +diff --git a/test/authentication/methods/test_publickey.rb b/test/authentication/methods/test_publickey.rb |
72 | +index 8f2cc73..449f74d 100644 |
73 | +--- a/test/authentication/methods/test_publickey.rb |
74 | ++++ b/test/authentication/methods/test_publickey.rb |
75 | +@@ -128,7 +128,7 @@ module Authentication |
76 | + |
77 | + @@keys = nil |
78 | + def keys |
79 | +- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] |
80 | ++ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] |
81 | + end |
82 | + |
83 | + def key_manager(options={}) |
84 | +diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb |
85 | +index 81ca477..42cc215 100644 |
86 | +--- a/test/authentication/test_agent.rb |
87 | ++++ b/test/authentication/test_agent.rb |
88 | +@@ -119,7 +119,7 @@ module Authentication |
89 | + |
90 | + def test_identities_should_augment_identities_with_comment_field |
91 | + key1 = key |
92 | +- key2 = OpenSSL::PKey::DSA.new(512) |
93 | ++ key2 = OpenSSL::PKey::DSA.new(1024) |
94 | + |
95 | + socket.expect do |s, type, buffer| |
96 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
97 | +@@ -135,9 +135,9 @@ module Authentication |
98 | + |
99 | + def test_identities_should_ignore_unimplemented_ones |
100 | + key1 = key |
101 | +- key2 = OpenSSL::PKey::DSA.new(512) |
102 | ++ key2 = OpenSSL::PKey::DSA.new(1024) |
103 | + key2.to_blob[0..5] = 'badkey' |
104 | +- key3 = OpenSSL::PKey::DSA.new(512) |
105 | ++ key3 = OpenSSL::PKey::DSA.new(1024) |
106 | + |
107 | + socket.expect do |s, type, buffer| |
108 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
109 | +@@ -155,7 +155,7 @@ module Authentication |
110 | + def test_identities_should_ignore_invalid_ones |
111 | + key1 = key |
112 | + key2_bad = Net::SSH::Buffer.new("") |
113 | +- key3 = OpenSSL::PKey::DSA.new(512) |
114 | ++ key3 = OpenSSL::PKey::DSA.new(1024) |
115 | + |
116 | + socket.expect do |s, type, buffer| |
117 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
118 | +@@ -251,7 +251,7 @@ module Authentication |
119 | + end |
120 | + |
121 | + def test_add_dsa_identity |
122 | +- dsa = OpenSSL::PKey::DSA.new(512) |
123 | ++ dsa = OpenSSL::PKey::DSA.new(1024) |
124 | + socket.expect do |s,type,buffer| |
125 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
126 | + assert_equal buffer.read_string, "ssh-dss" |
127 | +@@ -270,7 +270,7 @@ module Authentication |
128 | + end |
129 | + |
130 | + def test_add_dsa_cert_identity |
131 | +- cert = make_cert(OpenSSL::PKey::DSA.new(512)) |
132 | ++ cert = make_cert(OpenSSL::PKey::DSA.new(1024)) |
133 | + socket.expect do |s,type,buffer| |
134 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
135 | + assert_equal buffer.read_string, "ssh-dss-cert-v01@openssh.com" |
136 | +diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb |
137 | +index c40779f..5f38d73 100644 |
138 | +--- a/test/authentication/test_key_manager.rb |
139 | ++++ b/test/authentication/test_key_manager.rb |
140 | +@@ -317,7 +317,7 @@ module Authentication |
141 | + cert.critical_options = {} |
142 | + cert.extensions = {} |
143 | + cert.reserved = '' |
144 | +- cert.sign!(OpenSSL::PKey::DSA.new(512)) |
145 | ++ cert.sign!(OpenSSL::PKey::DSA.new(1024)) |
146 | + cert |
147 | + end |
148 | + end |
149 | +@@ -327,7 +327,7 @@ module Authentication |
150 | + end |
151 | + |
152 | + def dsa |
153 | +- @dsa ||= OpenSSL::PKey::DSA.new(512) |
154 | ++ @dsa ||= OpenSSL::PKey::DSA.new(1024) |
155 | + end |
156 | + |
157 | + def ecdsa_sha2_nistp256 |
158 | +diff --git a/test/integration/test_agent.rb b/test/integration/test_agent.rb |
159 | +index 4045c9a..e7db62c 100644 |
160 | +--- a/test/integration/test_agent.rb |
161 | ++++ b/test/integration/test_agent.rb |
162 | +@@ -19,7 +19,7 @@ class TestAgent < NetSSHTest |
163 | + def setup |
164 | + @keys = [ |
165 | + OpenSSL::PKey::RSA.new(1024), |
166 | +- OpenSSL::PKey::DSA.new(512), |
167 | ++ OpenSSL::PKey::DSA.new(1024), |
168 | + OpenSSL::PKey::EC.new("prime256v1").generate_key |
169 | + ] |
170 | + @keys << Net::SSH::Authentication::ED25519::PrivKey.read(ED25519, nil) if Net::SSH::Authentication::ED25519Loader::LOADED |
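Review bot: the DSA fixtures move to 1024 bits, but the RSA fixtures on the same lines in test_hostbased.rb and test_publickey.rb stay at `OpenSSL::PKey::RSA.new(512)`; given the header's rationale that 512-bit keys are refused as too weak, either confirm in the Jammy autopkgtest run that 512-bit RSA still generates and signs under OpenSSL 3, or bump those to 1024 in this patch so the suite does not depend on the legacy provider for RSA as well. This patch touches tests only, so there is no runtime change for users.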
171 | diff --git a/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
172 | new file mode 100644 |
173 | index 0000000..2a5f342 |
174 | --- /dev/null |
175 | +++ b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
176 | @@ -0,0 +1,68 @@ |
177 | +From: Simon Chopin <simon.chopin@canonical.com> |
178 | +Date: Wed, 6 Apr 2022 18:43:57 +0200 |
179 | +Subject: tests: Enable legacy providers if using OpenSSL 3.0 |
180 | + |
181 | +Quite a few tests rely on outdated algorithms that have been relegated |
182 | +to the legacy provider in OpenSSL 3.0. `rake test` now loads a custom |
183 | +OpenSSL configuration file to enable said legacy provider, which is |
184 | +usually disabled by default. |
185 | +--- |
186 | + Rakefile | 6 ++++++ |
187 | + test/openssl3.conf | 25 +++++++++++++++++++++++++ |
188 | + 2 files changed, 31 insertions(+) |
189 | + create mode 100644 test/openssl3.conf |
190 | + |
191 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/e4ffdc07b1f0f |
192 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
193 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
194 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
195 | +Last-Updated: 2022-05-09 |
196 | + |
197 | +diff --git a/Rakefile b/Rakefile |
198 | +index 0271797..3720209 100644 |
199 | +--- a/Rakefile |
200 | ++++ b/Rakefile |
201 | +@@ -94,6 +94,12 @@ Rake::TestTask.new do |t| |
202 | + t.test_files = test_files |
203 | + end |
204 | + |
205 | ++# We need to enable the OpenSSL 3.0 legacy providers for our test suite |
206 | ++require 'openssl' |
207 | ++if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" then |
208 | ++ ENV['OPENSSL_CONF'] = 'test/openssl3.conf' |
209 | ++end |
210 | ++ |
211 | + desc "Run tests of Net::SSH:Test" |
212 | + Rake::TestTask.new do |t| |
213 | + t.name = "test_test" |
214 | +diff --git a/test/openssl3.conf b/test/openssl3.conf |
215 | +new file mode 100644 |
216 | +index 0000000..79bae9a |
217 | +--- /dev/null |
218 | ++++ b/test/openssl3.conf |
219 | +@@ -0,0 +1,25 @@ |
220 | ++openssl_conf = openssl_init |
221 | ++ |
222 | ++[openssl_init] |
223 | ++ssl_conf = ssl_sect |
224 | ++providers = provider_sect |
225 | ++ |
226 | ++[provider_sect] |
227 | ++default = default_sect |
228 | ++legacy = legacy_sect |
229 | ++ |
230 | ++[default_sect] |
231 | ++activate = 1 |
232 | ++ |
233 | ++[legacy_sect] |
234 | ++activate = 1 |
235 | ++ |
236 | ++[ssl_sect] |
237 | ++system_default = system_default_sect |
238 | ++ |
239 | ++[system_default_sect] |
240 | ++CipherString = DEFAULT@SECLEVEL=0 |
241 | ++# system_default = system_default_sect |
242 | ++# |
243 | ++# [system_default_sect] |
244 | ++# Options = UnsafeLegacyRenegotiation |
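Review bot: in the Rakefile hunk `ENV['OPENSSL_CONF']` is assigned after `require 'openssl'` has already initialised the library in the rake process, so the setting only reaches the ruby subprocesses that Rake::TestTask spawns; that works, but a comment saying so would stop someone from moving the assignment into a test helper where it would be silently ignored. The relative path `test/openssl3.conf` also assumes rake is invoked from the source root. In test/openssl3.conf the four commented-out lines at the end repeat the `system_default` section and would define a duplicate `[system_default_sect]` if uncommented; drop them. Because this config activates the legacy provider and sets `CipherString = DEFAULT@SECLEVEL=0`, it must remain test-only and never be shipped in the binary package or referenced outside `rake test`.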
245 | diff --git a/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
246 | new file mode 100644 |
247 | index 0000000..328ee32 |
248 | --- /dev/null |
249 | +++ b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
250 | @@ -0,0 +1,103 @@ |
251 | +From: Simon Chopin <simon.chopin@canonical.com> |
252 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
253 | +Subject: buffer: create RSA keys by loading PEM data directly |
254 | + |
255 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
256 | +details directly, and there are no dedicated constructors as of Ruby |
257 | +3.0, so we need to actually create a PEM certificate in-memory and load |
258 | +that instead. |
259 | + |
260 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
261 | +--- |
262 | + lib/net/ssh/buffer.rb | 18 +++++++++--------- |
263 | + test/test_buffer.rb | 16 +++++++++------- |
264 | + test/test_known_hosts.rb | 15 +++++++-------- |
265 | + 3 files changed, 25 insertions(+), 24 deletions(-) |
266 | + |
267 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852cab |
268 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
269 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
270 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
271 | +Last-Updated: 2022-05-09 |
272 | + |
273 | +diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb |
274 | +index 0fe4e56..0384299 100644 |
275 | +--- a/lib/net/ssh/buffer.rb |
276 | ++++ b/lib/net/ssh/buffer.rb |
277 | +@@ -309,15 +309,15 @@ module Net |
278 | + key.pub_key = read_bignum |
279 | + end |
280 | + when /^ssh-rsa$/ |
281 | +- key = OpenSSL::PKey::RSA.new |
282 | +- if key.respond_to?(:set_key) |
283 | +- e = read_bignum |
284 | +- n = read_bignum |
285 | +- key.set_key(n, e, nil) |
286 | +- else |
287 | +- key.e = read_bignum |
288 | +- key.n = read_bignum |
289 | +- end |
290 | ++ e = read_bignum |
291 | ++ n = read_bignum |
292 | ++ |
293 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
294 | ++ OpenSSL::ASN1::Integer(n), |
295 | ++ OpenSSL::ASN1::Integer(e) |
296 | ++ ]) |
297 | ++ |
298 | ++ key = OpenSSL::PKey::RSA.new(asn1.to_der) |
299 | + when /^ssh-ed25519$/ |
300 | + Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'") |
301 | + key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self) |
302 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
303 | +index e1fcbd2..b74e2f1 100644 |
304 | +--- a/test/test_buffer.rb |
305 | ++++ b/test/test_buffer.rb |
306 | +@@ -336,13 +336,15 @@ class TestBuffer < NetSSHTest |
307 | + def test_write_rsa_key_should_write_argument_to_end_of_buffer |
308 | + buffer = new("start") |
309 | + |
310 | +- key = OpenSSL::PKey::RSA.new |
311 | +- if key.respond_to?(:set_key) |
312 | +- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) |
313 | +- else |
314 | +- key.e = 0xffeeddccbbaa9988 |
315 | +- key.n = 0x7766554433221100 |
316 | +- end |
317 | ++ n = 0x7766554433221100 |
318 | ++ e = 0xffeeddccbbaa9988 |
319 | ++ |
320 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
321 | ++ OpenSSL::ASN1::Integer(n), |
322 | ++ OpenSSL::ASN1::Integer(e) |
323 | ++ ]) |
324 | ++ |
325 | ++ key = OpenSSL::PKey::RSA.new(asn1.to_der) |
326 | + |
327 | + buffer.write_key(key) |
328 | + assert_equal "start\0\0\0\7ssh-rsa\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00", buffer.to_s |
329 | +diff --git a/test/test_known_hosts.rb b/test/test_known_hosts.rb |
330 | +index 6b1fda6..187f6ac 100644 |
331 | +--- a/test/test_known_hosts.rb |
332 | ++++ b/test/test_known_hosts.rb |
333 | +@@ -132,13 +132,12 @@ class TestKnownHosts < NetSSHTest |
334 | + end |
335 | + |
336 | + def rsa_key |
337 | +- key = OpenSSL::PKey::RSA.new |
338 | +- if key.respond_to?(:set_key) |
339 | +- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) |
340 | +- else |
341 | +- key.e = 0xffeeddccbbaa9988 |
342 | +- key.n = 0x7766554433221100 |
343 | +- end |
344 | +- key |
345 | ++ n = 0x7766554433221100 |
346 | ++ e = 0xffeeddccbbaa9988 |
347 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
348 | ++ OpenSSL::ASN1::Integer(n), |
349 | ++ OpenSSL::ASN1::Integer(e) |
350 | ++ ]) |
351 | ++ OpenSSL::PKey::RSA.new(asn1.to_der) |
352 | + end |
353 | + end |
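Review bot: the subject and body say a PEM certificate is created in memory, but the code builds a DER-encoded PKCS#1 RSAPublicKey (`SEQUENCE { n, e }`) and hands `asn1.to_der` to `OpenSSL::PKey::RSA.new`; neither PEM nor a certificate is involved, so reword the header to avoid misleading later readers. The ordering is correct: the SSH wire format carries e then n, and the ASN.1 structure needs n then e, which the hunk honours in all three files. Also worth stating in the header that `RSA.new(der)` now raises on malformed input where the old setter path accepted any pair of bignums, so a corrupt blob reaching `read_key` surfaces as an exception instead of an unusable key object.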
354 | diff --git a/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
355 | new file mode 100644 |
356 | index 0000000..c29b87c |
357 | --- /dev/null |
358 | +++ b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
359 | @@ -0,0 +1,106 @@ |
360 | +From: Simon Chopin <simon.chopin@canonical.com> |
361 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
362 | +Subject: buffer: create DSA keys by loading PEM data directly |
363 | + |
364 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
365 | +details directly, and there are no dedicated constructors as of Ruby |
366 | +3.0, so we need to actually create a PEM certificate in-memory and load |
367 | +that instead. |
368 | + |
369 | +To add insult to injury, contrary to other types of keys such as RSA, we |
370 | +need to actually build the full PEM data and not just pack the numbers |
371 | +in a simple sequence, making the code even a bit more complicated. |
372 | + |
373 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
374 | +--- |
375 | + lib/net/ssh/buffer.rb | 31 ++++++++++++++++++------------- |
376 | + test/test_buffer.rb | 28 ++++++++++++++++++---------- |
377 | + 2 files changed, 36 insertions(+), 23 deletions(-) |
378 | + |
379 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852 |
380 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
381 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
382 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
383 | +Last-Updated: 2022-05-09 |
384 | + |
385 | +diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb |
386 | +index 0384299..5a7dff0 100644 |
387 | +--- a/lib/net/ssh/buffer.rb |
388 | ++++ b/lib/net/ssh/buffer.rb |
389 | +@@ -295,19 +295,24 @@ module Net |
390 | + when /^(.*)-cert-v01@openssh\.com$/ |
391 | + key = Net::SSH::Authentication::Certificate.read_certblob(self, $1) |
392 | + when /^ssh-dss$/ |
393 | +- key = OpenSSL::PKey::DSA.new |
394 | +- if key.respond_to?(:set_pqg) |
395 | +- key.set_pqg(read_bignum, read_bignum, read_bignum) |
396 | +- else |
397 | +- key.p = read_bignum |
398 | +- key.q = read_bignum |
399 | +- key.g = read_bignum |
400 | +- end |
401 | +- if key.respond_to?(:set_key) |
402 | +- key.set_key(read_bignum, nil) |
403 | +- else |
404 | +- key.pub_key = read_bignum |
405 | +- end |
406 | ++ p = read_bignum |
407 | ++ q = read_bignum |
408 | ++ g = read_bignum |
409 | ++ pub_key = read_bignum |
410 | ++ |
411 | ++ asn1 = OpenSSL::ASN1::Sequence.new([ |
412 | ++ OpenSSL::ASN1::Sequence.new([ |
413 | ++ OpenSSL::ASN1::ObjectId.new('DSA'), |
414 | ++ OpenSSL::ASN1::Sequence.new([ |
415 | ++ OpenSSL::ASN1::Integer.new(p), |
416 | ++ OpenSSL::ASN1::Integer.new(q), |
417 | ++ OpenSSL::ASN1::Integer.new(g) |
418 | ++ ]), |
419 | ++ ]), |
420 | ++ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) |
421 | ++ ]) |
422 | ++ |
423 | ++ key = OpenSSL::PKey::DSA.new(asn1.to_der) |
424 | + when /^ssh-rsa$/ |
425 | + e = read_bignum |
426 | + n = read_bignum |
427 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
428 | +index b74e2f1..f75a729 100644 |
429 | +--- a/test/test_buffer.rb |
430 | ++++ b/test/test_buffer.rb |
431 | +@@ -318,16 +318,24 @@ class TestBuffer < NetSSHTest |
432 | + def test_write_dss_key_should_write_argument_to_end_of_buffer |
433 | + buffer = new("start") |
434 | + |
435 | +- key = OpenSSL::PKey::DSA.new |
436 | +- if key.respond_to?(:set_pqg) |
437 | +- key.set_pqg(0xffeeddccbbaa9988, 0x7766554433221100, 0xffddbb9977553311) |
438 | +- key.set_key(0xeeccaa8866442200, nil) |
439 | +- else |
440 | +- key.p = 0xffeeddccbbaa9988 |
441 | +- key.q = 0x7766554433221100 |
442 | +- key.g = 0xffddbb9977553311 |
443 | +- key.pub_key = 0xeeccaa8866442200 |
444 | +- end |
445 | ++ p = 0xffeeddccbbaa9988 |
446 | ++ q = 0x7766554433221100 |
447 | ++ g = 0xffddbb9977553311 |
448 | ++ pub_key = 0xeeccaa8866442200 |
449 | ++ |
450 | ++ asn1 = OpenSSL::ASN1::Sequence.new([ |
451 | ++ OpenSSL::ASN1::Sequence.new([ |
452 | ++ OpenSSL::ASN1::ObjectId.new('DSA'), |
453 | ++ OpenSSL::ASN1::Sequence.new([ |
454 | ++ OpenSSL::ASN1::Integer.new(p), |
455 | ++ OpenSSL::ASN1::Integer.new(q), |
456 | ++ OpenSSL::ASN1::Integer.new(g) |
457 | ++ ]), |
458 | ++ ]), |
459 | ++ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) |
460 | ++ ]) |
461 | ++ |
462 | ++ key = OpenSSL::PKey::DSA.new(asn1.to_der) |
463 | + |
464 | + buffer.write_key(key) |
465 | + assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s |
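Review bot: `Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852` is the same commit that 0004 cites (`406063de2852cab`); if the RSA and DSA changes were split out of one upstream commit, say so in both headers, otherwise one of the two references is wrong. The structure itself is a SubjectPublicKeyInfo carrying the DSA OID with `{p, q, g}` as parameters and the public value encoded as a DER INTEGER inside the BIT STRING, which is what OpenSSL expects; the "PEM certificate" wording in the body has the same problem as 0004.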
466 | diff --git a/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
467 | new file mode 100644 |
468 | index 0000000..438cdba |
469 | --- /dev/null |
470 | +++ b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
471 | @@ -0,0 +1,46 @@ |
472 | +From: Simon Chopin <simon.chopin@canonical.com> |
473 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
474 | +Subject: transport: create EC keys by loading PEM data directly |
475 | + |
476 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
477 | +details directly, and there are no dedicated constructors as of Ruby |
478 | +3.0, so we need to actually create a PEM certificate in-memory and load |
479 | +that instead. |
480 | + |
481 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
482 | +--- |
483 | + lib/net/ssh/transport/openssl.rb | 14 +++++++++++--- |
484 | + 1 file changed, 11 insertions(+), 3 deletions(-) |
485 | + |
486 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/4de6831dea |
487 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
488 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
489 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
490 | +Last-Updated: 2022-05-09 |
491 | + |
492 | +diff --git a/lib/net/ssh/transport/openssl.rb b/lib/net/ssh/transport/openssl.rb |
493 | +index 0581dd5..c5ff2fb 100644 |
494 | +--- a/lib/net/ssh/transport/openssl.rb |
495 | ++++ b/lib/net/ssh/transport/openssl.rb |
496 | +@@ -147,10 +147,18 @@ module OpenSSL |
497 | + |
498 | + public_key_oct = buffer.read_string |
499 | + begin |
500 | +- key = OpenSSL::PKey::EC.new(OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key]) |
501 | +- group = key.group |
502 | ++ curvename = OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key] |
503 | ++ group = OpenSSL::PKey::EC::Group.new(curvename) |
504 | + point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_oct, 2)) |
505 | +- key.public_key = point |
506 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
507 | ++ OpenSSL::ASN1::Sequence([ |
508 | ++ OpenSSL::ASN1::ObjectId("id-ecPublicKey"), |
509 | ++ OpenSSL::ASN1::ObjectId(curvename) |
510 | ++ ]), |
511 | ++ OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed)) |
512 | ++ ]) |
513 | ++ |
514 | ++ key = OpenSSL::PKey::EC.new(asn1.to_der) |
515 | + |
516 | + return key |
517 | + rescue OpenSSL::PKey::ECError |
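Review bot: keeping `OpenSSL::PKey::EC::Point.new(group, ...)` before building the SubjectPublicKeyInfo means the received public point is still decoded against the named curve, and rejected if it is not on it, before `OpenSSL::PKey::EC.new(asn1.to_der)` parses the result. A short comment on why the point is not written straight from `public_key_oct` into the BIT STRING would keep that check from being optimised away in a later refactor.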
518 | diff --git a/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
519 | new file mode 100644 |
520 | index 0000000..93a87c0 |
521 | --- /dev/null |
522 | +++ b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
523 | @@ -0,0 +1,147 @@ |
524 | +From: Simon Chopin <simon.chopin@canonical.com> |
525 | +Date: Mon, 11 Apr 2022 16:25:39 +0200 |
526 | +Subject: Use OpenSSL::PKey::EC.generate static method |
527 | + |
528 | +Migrate all instances of the pattern EC.new(foo).generate_key to |
529 | +EC.generate(foo), as the old pattern isn't supported when using OpenSSL |
530 | +3.0, since one is not allowed to mess with the internal data of already |
531 | +created objects now. |
532 | + |
533 | +The new API has been introduced in Ruby 2.4. |
534 | + |
535 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
536 | +--- |
537 | + lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | 2 +- |
538 | + test/authentication/test_agent.rb | 4 ++-- |
539 | + test/authentication/test_key_manager.rb | 6 +++--- |
540 | + test/test_buffer.rb | 6 +++--- |
541 | + test/transport/kex/test_curve25519_sha256.rb | 2 +- |
542 | + test/transport/kex/test_ecdh_sha2_nistp256.rb | 4 ++-- |
543 | + 6 files changed, 12 insertions(+), 12 deletions(-) |
544 | + |
545 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/8729d47045b |
546 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
547 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
548 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
549 | +Last-Updated: 2022-05-09 |
550 | + |
551 | +diff --git a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
552 | +index 84d0e4a..a0b2d73 100644 |
553 | +--- a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
554 | ++++ b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
555 | +@@ -18,7 +18,7 @@ module Net |
556 | + private |
557 | + |
558 | + def generate_key #:nodoc: |
559 | +- OpenSSL::PKey::EC.new(curve_name).generate_key |
560 | ++ OpenSSL::PKey::EC.generate(curve_name) |
561 | + end |
562 | + |
563 | + # compute shared secret from server's public key and client's private key |
564 | +diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb |
565 | +index 42cc215..253317f 100644 |
566 | +--- a/test/authentication/test_agent.rb |
567 | ++++ b/test/authentication/test_agent.rb |
568 | +@@ -286,7 +286,7 @@ module Authentication |
569 | + end |
570 | + |
571 | + def test_add_ecdsa_identity |
572 | +- ecdsa = OpenSSL::PKey::EC.new("prime256v1").generate_key |
573 | ++ ecdsa = OpenSSL::PKey::EC.generate("prime256v1") |
574 | + socket.expect do |s,type,buffer| |
575 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
576 | + assert_equal buffer.read_string, "ecdsa-sha2-nistp256" |
577 | +@@ -303,7 +303,7 @@ module Authentication |
578 | + end |
579 | + |
580 | + def test_add_ecdsa_cert_identity |
581 | +- cert = make_cert(OpenSSL::PKey::EC.new("prime256v1").generate_key) |
582 | ++ cert = make_cert(OpenSSL::PKey::EC.generate("prime256v1")) |
583 | + socket.expect do |s,type,buffer| |
584 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
585 | + assert_equal buffer.read_string, "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
586 | +diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb |
587 | +index 5f38d73..06a4594 100644 |
588 | +--- a/test/authentication/test_key_manager.rb |
589 | ++++ b/test/authentication/test_key_manager.rb |
590 | +@@ -331,15 +331,15 @@ module Authentication |
591 | + end |
592 | + |
593 | + def ecdsa_sha2_nistp256 |
594 | +- @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
595 | ++ @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.generate('prime256v1') |
596 | + end |
597 | + |
598 | + def ecdsa_sha2_nistp384 |
599 | +- @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.new('secp384r1').generate_key |
600 | ++ @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.generate('secp384r1') |
601 | + end |
602 | + |
603 | + def ecdsa_sha2_nistp521 |
604 | +- @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.new('secp521r1').generate_key |
605 | ++ @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.generate('secp521r1') |
606 | + end |
607 | + |
608 | + def rsa_pk |
609 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
610 | +index f75a729..57b98e5 100644 |
611 | +--- a/test/test_buffer.rb |
612 | ++++ b/test/test_buffer.rb |
613 | +@@ -456,7 +456,7 @@ class TestBuffer < NetSSHTest |
614 | + end |
615 | + |
616 | + def random_ecdsa_sha2_nistp256 |
617 | +- k = OpenSSL::PKey::EC.new('prime256v1').generate_key |
618 | ++ k = OpenSSL::PKey::EC.generate('prime256v1') |
619 | + buffer = Net::SSH::Buffer.from(:string, 'nistp256', |
620 | + :string, k.public_key.to_bn.to_s(2)) |
621 | + key = yield(buffer) |
622 | +@@ -465,7 +465,7 @@ class TestBuffer < NetSSHTest |
623 | + end |
624 | + |
625 | + def random_ecdsa_sha2_nistp384 |
626 | +- k = OpenSSL::PKey::EC.new('secp384r1').generate_key |
627 | ++ k = OpenSSL::PKey::EC.generate('secp384r1') |
628 | + buffer = Net::SSH::Buffer.from(:string, 'nistp384', |
629 | + :string, k.public_key.to_bn.to_s(2)) |
630 | + key = yield(buffer) |
631 | +@@ -474,7 +474,7 @@ class TestBuffer < NetSSHTest |
632 | + end |
633 | + |
634 | + def random_ecdsa_sha2_nistp521 |
635 | +- k = OpenSSL::PKey::EC.new('secp521r1').generate_key |
636 | ++ k = OpenSSL::PKey::EC.generate('secp521r1') |
637 | + buffer = Net::SSH::Buffer.from(:string, 'nistp521', |
638 | + :string, k.public_key.to_bn.to_s(2)) |
639 | + key = yield(buffer) |
640 | +diff --git a/test/transport/kex/test_curve25519_sha256.rb b/test/transport/kex/test_curve25519_sha256.rb |
641 | +index 8177a38..d990019 100644 |
642 | +--- a/test/transport/kex/test_curve25519_sha256.rb |
643 | ++++ b/test/transport/kex/test_curve25519_sha256.rb |
644 | +@@ -111,7 +111,7 @@ unless ENV['NET_SSH_NO_ED25519'] |
645 | + end |
646 | + |
647 | + def server_host_key |
648 | +- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
649 | ++ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') |
650 | + end |
651 | + |
652 | + def packet_data |
653 | +diff --git a/test/transport/kex/test_ecdh_sha2_nistp256.rb b/test/transport/kex/test_ecdh_sha2_nistp256.rb |
654 | +index 932d8d7..a2ed6b4 100644 |
655 | +--- a/test/transport/kex/test_ecdh_sha2_nistp256.rb |
656 | ++++ b/test/transport/kex/test_ecdh_sha2_nistp256.rb |
657 | +@@ -109,11 +109,11 @@ module Transport |
658 | + end |
659 | + |
660 | + def server_key |
661 | +- @server_key ||= OpenSSL::PKey::EC.new(ecparam).generate_key |
662 | ++ @server_key ||= OpenSSL::PKey::EC.generate(ecparam) |
663 | + end |
664 | + |
665 | + def server_host_key |
666 | +- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
667 | ++ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') |
668 | + end |
669 | + |
670 | + def packet_data |
671 | diff --git a/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
672 | new file mode 100644 |
673 | index 0000000..623e2e6 |
674 | --- /dev/null |
675 | +++ b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
676 | @@ -0,0 +1,70 @@ |
677 | +From: Simon Chopin <simon.chopin@canonical.com> |
678 | +Date: Mon, 11 Apr 2022 16:04:08 +0200 |
679 | +Subject: diffie-hellman: create the key by generating the PEM file |
680 | + |
681 | +This makes the code compatible with OpenSSL 3.0. However, an issue with |
682 | +this is that it is not possible anymore to ensure a specific size for |
683 | +the private key, as indicated in the inline comment. |
684 | + |
685 | +v2: avoid PKey.generate_key on older releases (< 2.7) |
686 | + |
687 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
688 | +--- |
689 | + .../transport/kex/diffie_hellman_group1_sha1.rb | 36 +++++++++++----------- |
690 | + 1 file changed, 18 insertions(+), 18 deletions(-) |
691 | + |
692 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/8929562bec |
693 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
694 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
695 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
696 | +Last-Updated: 2022-05-09 |
697 | + |
698 | +diff --git a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
699 | +index 34af18b..a78b5d5 100644 |
700 | +--- a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
701 | ++++ b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
702 | +@@ -59,26 +59,26 @@ module Net |
703 | + |
704 | + # Generate a DH key with a private key consisting of the given |
705 | + # number of bytes. |
706 | +- def generate_key #:nodoc: |
707 | +- dh = OpenSSL::PKey::DH.new |
708 | +- |
709 | +- if dh.respond_to?(:set_pqg) |
710 | +- p, g = get_parameters |
711 | +- dh.set_pqg(p, nil, g) |
712 | ++ def generate_key # :nodoc: |
713 | ++ p, g = get_parameters |
714 | ++ |
715 | ++ asn1 = OpenSSL::ASN1::Sequence( |
716 | ++ [ |
717 | ++ OpenSSL::ASN1::Integer(p), |
718 | ++ OpenSSL::ASN1::Integer(g) |
719 | ++ ] |
720 | ++ ) |
721 | ++ |
722 | ++ dh_params = OpenSSL::PKey::DH.new(asn1.to_der) |
723 | ++ # XXX No private key size check! In theory the latter call should work but fails on OpenSSL 3.0 as |
724 | ++ # dh_paramgen_subprime_len is now reserved for DHX algorithm |
725 | ++ # key = OpenSSL::PKey.generate_key(dh_params, "dh_paramgen_subprime_len" => data[:need_bytes]/8) |
726 | ++ if OpenSSL::PKey.respond_to?(:generate_key) |
727 | ++ OpenSSL::PKey.generate_key(dh_params) |
728 | + else |
729 | +- dh.p, dh.g = get_parameters |
730 | +- end |
731 | +- |
732 | +- dh.generate_key! |
733 | +- until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes] |
734 | +- if dh.respond_to?(:set_key) |
735 | +- dh.set_key(nil, OpenSSL::BN.rand(data[:need_bytes] * 8)) |
736 | +- else |
737 | +- dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8) |
738 | +- end |
739 | +- dh.generate_key! |
740 | ++ dh_params.generate_key! |
741 | ++ dh_params |
742 | + end |
743 | +- dh |
744 | + end |
745 | + |
746 | + # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the |
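Review bot: the unchanged doc comment at the top of this hunk, `# Generate a DH key with a private key consisting of the given number of bytes.`, no longer describes what `generate_key` does once the `until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes]` loop is gone and, as the XXX comment states, the private key size is no longer constrained; please reword it so the code does not promise a guarantee it no longer gives (the commit message already acknowledges the limitation, the inline doc should too). Two smaller points: removing that loop also drops the `dh.valid?` check on the generated key, which the commit message does not mention, and the `else` branch calling `dh_params.generate_key!` relies on an openssl gem that lacks `OpenSSL::PKey.generate_key` never being paired with OpenSSL 3.0, where the in-place `generate_key!` no longer works; a one-line comment next to the `respond_to?` test stating that assumption would help the next reader.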
747 | diff --git a/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
748 | new file mode 100644 |
749 | index 0000000..4e393ca |
750 | --- /dev/null |
751 | +++ b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
752 | @@ -0,0 +1,65 @@ |
753 | +From: Florian Wininger <fw.centrale@gmail.com> |
754 | +Date: Fri, 29 Apr 2022 14:19:55 +0200 |
755 | +Subject: Fix unit tests for OpenSSL 3 |
756 | + |
757 | +--- |
758 | + test/common.rb | 12 ++++++++++++ |
759 | + test/transport/kex/test_diffie_hellman_group1_sha1.rb | 2 +- |
760 | + test/transport/test_algorithms.rb | 2 +- |
761 | + 3 files changed, 14 insertions(+), 2 deletions(-) |
762 | + |
763 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/395f0cd4029c |
764 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
765 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
766 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
767 | +Last-Updated: 2022-05-09 |
768 | + |
769 | +diff --git a/test/common.rb b/test/common.rb |
770 | +index 8ae521c..db97d60 100644 |
771 | +--- a/test/common.rb |
772 | ++++ b/test/common.rb |
773 | +@@ -46,6 +46,18 @@ def P(*args) |
774 | + Net::SSH::Packet.new(Net::SSH::Buffer.from(*args)) |
775 | + end |
776 | + |
777 | ++# DH key generate with OpenSSL::PKey::DH.new(512).to_pem |
778 | ++def dh_512bits_bn |
779 | ++ OpenSSL::PKey::DH.new( |
780 | ++ <<~DH_KEY |
781 | ++ -----BEGIN DH PARAMETERS----- |
782 | ++ MEYCQQDkZMgCTieW40x/bmCpf6m1XHERNnyOodot21UsJkCidr+T6aAcy/Oz4mWo |
783 | ++ aYudmZZLQz7jhz0Ut2VQUw0Nz033AgEC |
784 | ++ -----END DH PARAMETERS----- |
785 | ++ DH_KEY |
786 | ++ ).p |
787 | ++end |
788 | ++ |
789 | + class NetSSHTest < Minitest::Test |
790 | + def assert_nothing_raised(&block) |
791 | + yield |
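Review bot: the comment `# DH key generate with OpenSSL::PKey::DH.new(512).to_pem` is misleading: the heredoc holds DH parameters (the `-----BEGIN DH PARAMETERS-----` block, i.e. p and g), not a key, and the helper returns `.p`, the 512-bit prime as an `OpenSSL::BN`. Something like `# 512-bit DH prime, taken from the parameters produced by OpenSSL::PKey::DH.new(512).to_pem` would describe it accurately, and a name such as `dh_512bits_prime` would match what it returns. Since the commit message has no body, a short note on why the fixed `1234567890` fixture values used before had to be replaced under OpenSSL 3 would also be welcome.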
792 | +diff --git a/test/transport/kex/test_diffie_hellman_group1_sha1.rb b/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
793 | +index be51720..d621de6 100644 |
794 | +--- a/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
795 | ++++ b/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
796 | +@@ -134,7 +134,7 @@ module Transport |
797 | + end |
798 | + |
799 | + def server_dh_pubkey |
800 | +- @server_dh_pubkey ||= bn(1234567890) |
801 | ++ @server_dh_pubkey ||= OpenSSL::BN.new(dh_512bits_bn, 10) |
802 | + end |
803 | + |
804 | + def shared_secret |
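Review bot: `OpenSSL::BN.new(dh_512bits_bn, 10)` wraps a value that is already an `OpenSSL::BN` (the helper returns `.p`), so the base argument `10` is never used and the call only copies the number; `@server_dh_pubkey ||= dh_512bits_bn`, as the `test_algorithms.rb` hunk in this same patch does for `shared_secret`, is the consistent form.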
805 | +diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb |
806 | +index 105f3af..7eb50aa 100644 |
807 | +--- a/test/transport/test_algorithms.rb |
808 | ++++ b/test/transport/test_algorithms.rb |
809 | +@@ -368,7 +368,7 @@ module Transport |
810 | + end |
811 | + |
812 | + def shared_secret |
813 | +- @shared_secret ||= OpenSSL::BN.new("1234567890", 10) |
814 | ++ @shared_secret ||= dh_512bits_bn |
815 | + end |
816 | + |
817 | + def session_id |
818 | diff --git a/debian/patches/series b/debian/patches/series |
819 | index cb8efb3..f7fd3ea 100644 |
820 | --- a/debian/patches/series |
821 | +++ b/debian/patches/series |
822 | @@ -1 +1,9 @@ |
823 | 0001-openssl-DSA-don-t-hardcode-expected-signature-size.patch |
824 | +openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
825 | +openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
826 | +openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
827 | +openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
828 | +openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
829 | +openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
830 | +openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
831 | +openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
832 | diff --git a/debian/ruby-tests.rake b/debian/ruby-tests.rake |
833 | index 751fecc..38479eb 100644 |
834 | --- a/debian/ruby-tests.rake |
835 | +++ b/debian/ruby-tests.rake |
836 | @@ -3,5 +3,12 @@ require 'gem2deb/rake/testtask' |
837 | # Unfortunately this also disables 'ed25519' tests. |
838 | ENV['NET_SSH_NO_ED25519'] = '1' |
839 | |
840 | +# Some tests rely no ciphers which are considered legacy in OpenSSL 3. For now, |
841 | +# let's use the custom config file to enable them and make the tests pass. |
842 | +require 'openssl' |
843 | +if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" |
844 | + ENV['OPENSSL_CONF'] = Dir.pwd + '/test/openssl3.conf' |
845 | +end |
846 | + |
847 | Gem2Deb::Rake::TestTask.new do |t| |
848 | end |
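Review bot: typo in the new comment, `rely no ciphers` should read `rely on ciphers`. On the mechanism: `OPENSSL_CONF` only affects processes that initialize OpenSSL after it is set, and this rake file has already done `require 'openssl'` in the current process, so the setting works only because the tests run in child processes of this rake invocation; a comment saying so would prevent someone from later moving the tests in-process and wondering why the legacy ciphers are still unavailable. It is also worth stating in the comment that this config is scoped to the build-time test run and does not change the OpenSSL 3 defaults for the installed library, since enabling legacy providers is a deliberate relaxation that should not leak beyond the tests. Minor: `File.join(Dir.pwd, 'test', 'openssl3.conf')` or `File.expand_path('../test/openssl3.conf', __dir__)` would avoid the string concatenation and, for the latter, the dependency on the working directory.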
Well,
ruby-net-ssh | 1:6.1.0-2 | jammy/universe | source, all proposed/ universe | source, all
ruby-net-ssh | 1:6.1.0-2 | kinetic/universe | source, all
ruby-net-ssh | 1:7.0.0~beta1-2 | kinetic-
Hopefully 7.0.0~beta1-2 will migrate soon; otherwise the version in Jammy will be greater than in Kinetic.