Merge ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3 into ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
- Git
- lp:~lucaskanashiro/ubuntu/+source/ruby-net-ssh
- jammy-fix-openssl-3
- Merge into ubuntu/jammy-devel
Proposed by
Lucas Kanashiro
| Status: | Needs review | ||||
|---|---|---|---|---|---|
| Proposed branch: | ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3 | ||||
| Merge into: | ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel | ||||
| Diff against target: |
848 lines (+764/-1) 12 files modified
debian/changelog (+8/-0) debian/control (+2/-1) debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch (+134/-0) debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch (+68/-0) debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch (+103/-0) debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch (+106/-0) debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch (+46/-0) debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch (+147/-0) debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch (+70/-0) debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch (+65/-0) debian/patches/series (+8/-0) debian/ruby-tests.rake (+7/-0) |
||||
| Related bugs: |
|
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Utkarsh Gupta (community) | Approve | ||
| git-ubuntu import | Pending | ||
|
Review via email:
|
|||
Commit message
Description of the change
Fix OpenSSL 3 issues in Jammy (LP: #1964025). This was fixed in version 1:7.0.0~beta1-2 in kinetic, and now I am backporting the upstream patch set to fix it in Jammy. This issue is making vagrant unusable, and some user are complaining about it.
PPA with proposed package:
https:/
autopkgtest result:
autopkgtest [19:06:49]: @@@@@@@
gem2deb-test-runner PASS
To post a comment you must log in.
Revision history for this message
| Lucas Kanashiro (lucaskanashiro) wrote : | # |
So far there is no regression because of new ruby-net-ssh in kinetic, and I do not expect any TBH. It did not migrate yet because of the long test queue we have at the moment, so I am not worried about it.
Revision history for this message
| Lucas Kanashiro (lucaskanashiro) wrote : | # |
However, since you mentioned the version string, I think I'll use 1:6.1.0-3ubuntu0.1 instead of 1:6.1.0-3ubuntu1. Thanks for making me revisit this :)
Revision history for this message
| Lucas Kanashiro (lucaskanashiro) wrote : | # |
Package uploaded:
Uploading ruby-net-
Uploading ruby-net-
Uploading ruby-net-
Unmerged commits
- 8257009... by Lucas Kanashiro
-
update-maintainer
- 81cb3cd... by Lucas Kanashiro
-
Update changelog
- 1c25ff2... by Lucas Kanashiro
-
d/ruby-tests.rake: use custom openssl config file if using openssl 3
This will allow the usage of legacy ciphers during tests, not breaking a
bunch of them. - 2108453... by Lucas Kanashiro
-
Backport upstream patches to support OpenSSL 3 (LP: #1964025)
Origin: backport, https:/
/github. com/net- ssh/net- ssh/pull/ 864 - 7363613... by Antonio Terceiro
-
1:6.1.0-3 (patches unapplied)
Imported using git-ubuntu import.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | diff --git a/debian/changelog b/debian/changelog |
| 2 | index 9d13b4e..ef64464 100644 |
| 3 | --- a/debian/changelog |
| 4 | +++ b/debian/changelog |
| 5 | @@ -1,3 +1,11 @@ |
| 6 | +ruby-net-ssh (1:6.1.0-3ubuntu0.1) jammy; urgency=medium |
| 7 | + |
| 8 | + * d/p/openssl-3/*.patch: backport upstream patches to support OpenSSL 3 |
| 9 | + (LP: #1964025). |
| 10 | + * d/ruby-tests.rake: use custom OpenSSL config file if using OpenSSL 3. |
| 11 | + |
| 12 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Mon, 09 May 2022 18:44:20 -0300 |
| 13 | + |
| 14 | ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium |
| 15 | |
| 16 | * Team upload |
| 17 | diff --git a/debian/control b/debian/control |
| 18 | index 62920fb..2483e6d 100644 |
| 19 | --- a/debian/control |
| 20 | +++ b/debian/control |
| 21 | @@ -1,7 +1,8 @@ |
| 22 | Source: ruby-net-ssh |
| 23 | Section: ruby |
| 24 | Priority: optional |
| 25 | -Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> |
| 26 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
| 27 | +XSBC-Original-Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> |
| 28 | Uploaders: Lucas Nussbaum <lucas@debian.org>, |
| 29 | Paul van Tilburg <paulvt@debian.org>, |
| 30 | David Suárez <david.sephirot@gmail.com> |
| 31 | diff --git a/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
| 32 | new file mode 100644 |
| 33 | index 0000000..0c63bee |
| 34 | --- /dev/null |
| 35 | +++ b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
| 36 | @@ -0,0 +1,134 @@ |
| 37 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 38 | +Date: Fri, 8 Apr 2022 09:49:06 +0200 |
| 39 | +Subject: Generate all DSA keys with 1024 bits |
| 40 | + |
| 41 | +512bits keys are refused in newer OpenSSL libraries as too weak. |
| 42 | + |
| 43 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 44 | +--- |
| 45 | + test/authentication/methods/test_hostbased.rb | 2 +- |
| 46 | + test/authentication/methods/test_publickey.rb | 2 +- |
| 47 | + test/authentication/test_agent.rb | 12 ++++++------ |
| 48 | + test/authentication/test_key_manager.rb | 4 ++-- |
| 49 | + test/integration/test_agent.rb | 2 +- |
| 50 | + 5 files changed, 11 insertions(+), 11 deletions(-) |
| 51 | + |
| 52 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/6364a20037fe8 |
| 53 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 54 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 55 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 56 | +Last-Updated: 2022-05-09 |
| 57 | + |
| 58 | +diff --git a/test/authentication/methods/test_hostbased.rb b/test/authentication/methods/test_hostbased.rb |
| 59 | +index 4fbd37a..957a83e 100644 |
| 60 | +--- a/test/authentication/methods/test_hostbased.rb |
| 61 | ++++ b/test/authentication/methods/test_hostbased.rb |
| 62 | +@@ -76,7 +76,7 @@ module Authentication |
| 63 | + |
| 64 | + @@keys = nil |
| 65 | + def keys |
| 66 | +- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] |
| 67 | ++ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] |
| 68 | + end |
| 69 | + |
| 70 | + def key_manager(options={}) |
| 71 | +diff --git a/test/authentication/methods/test_publickey.rb b/test/authentication/methods/test_publickey.rb |
| 72 | +index 8f2cc73..449f74d 100644 |
| 73 | +--- a/test/authentication/methods/test_publickey.rb |
| 74 | ++++ b/test/authentication/methods/test_publickey.rb |
| 75 | +@@ -128,7 +128,7 @@ module Authentication |
| 76 | + |
| 77 | + @@keys = nil |
| 78 | + def keys |
| 79 | +- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] |
| 80 | ++ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] |
| 81 | + end |
| 82 | + |
| 83 | + def key_manager(options={}) |
| 84 | +diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb |
| 85 | +index 81ca477..42cc215 100644 |
| 86 | +--- a/test/authentication/test_agent.rb |
| 87 | ++++ b/test/authentication/test_agent.rb |
| 88 | +@@ -119,7 +119,7 @@ module Authentication |
| 89 | + |
| 90 | + def test_identities_should_augment_identities_with_comment_field |
| 91 | + key1 = key |
| 92 | +- key2 = OpenSSL::PKey::DSA.new(512) |
| 93 | ++ key2 = OpenSSL::PKey::DSA.new(1024) |
| 94 | + |
| 95 | + socket.expect do |s, type, buffer| |
| 96 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
| 97 | +@@ -135,9 +135,9 @@ module Authentication |
| 98 | + |
| 99 | + def test_identities_should_ignore_unimplemented_ones |
| 100 | + key1 = key |
| 101 | +- key2 = OpenSSL::PKey::DSA.new(512) |
| 102 | ++ key2 = OpenSSL::PKey::DSA.new(1024) |
| 103 | + key2.to_blob[0..5] = 'badkey' |
| 104 | +- key3 = OpenSSL::PKey::DSA.new(512) |
| 105 | ++ key3 = OpenSSL::PKey::DSA.new(1024) |
| 106 | + |
| 107 | + socket.expect do |s, type, buffer| |
| 108 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
| 109 | +@@ -155,7 +155,7 @@ module Authentication |
| 110 | + def test_identities_should_ignore_invalid_ones |
| 111 | + key1 = key |
| 112 | + key2_bad = Net::SSH::Buffer.new("") |
| 113 | +- key3 = OpenSSL::PKey::DSA.new(512) |
| 114 | ++ key3 = OpenSSL::PKey::DSA.new(1024) |
| 115 | + |
| 116 | + socket.expect do |s, type, buffer| |
| 117 | + assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type |
| 118 | +@@ -251,7 +251,7 @@ module Authentication |
| 119 | + end |
| 120 | + |
| 121 | + def test_add_dsa_identity |
| 122 | +- dsa = OpenSSL::PKey::DSA.new(512) |
| 123 | ++ dsa = OpenSSL::PKey::DSA.new(1024) |
| 124 | + socket.expect do |s,type,buffer| |
| 125 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
| 126 | + assert_equal buffer.read_string, "ssh-dss" |
| 127 | +@@ -270,7 +270,7 @@ module Authentication |
| 128 | + end |
| 129 | + |
| 130 | + def test_add_dsa_cert_identity |
| 131 | +- cert = make_cert(OpenSSL::PKey::DSA.new(512)) |
| 132 | ++ cert = make_cert(OpenSSL::PKey::DSA.new(1024)) |
| 133 | + socket.expect do |s,type,buffer| |
| 134 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
| 135 | + assert_equal buffer.read_string, "ssh-dss-cert-v01@openssh.com" |
| 136 | +diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb |
| 137 | +index c40779f..5f38d73 100644 |
| 138 | +--- a/test/authentication/test_key_manager.rb |
| 139 | ++++ b/test/authentication/test_key_manager.rb |
| 140 | +@@ -317,7 +317,7 @@ module Authentication |
| 141 | + cert.critical_options = {} |
| 142 | + cert.extensions = {} |
| 143 | + cert.reserved = '' |
| 144 | +- cert.sign!(OpenSSL::PKey::DSA.new(512)) |
| 145 | ++ cert.sign!(OpenSSL::PKey::DSA.new(1024)) |
| 146 | + cert |
| 147 | + end |
| 148 | + end |
| 149 | +@@ -327,7 +327,7 @@ module Authentication |
| 150 | + end |
| 151 | + |
| 152 | + def dsa |
| 153 | +- @dsa ||= OpenSSL::PKey::DSA.new(512) |
| 154 | ++ @dsa ||= OpenSSL::PKey::DSA.new(1024) |
| 155 | + end |
| 156 | + |
| 157 | + def ecdsa_sha2_nistp256 |
| 158 | +diff --git a/test/integration/test_agent.rb b/test/integration/test_agent.rb |
| 159 | +index 4045c9a..e7db62c 100644 |
| 160 | +--- a/test/integration/test_agent.rb |
| 161 | ++++ b/test/integration/test_agent.rb |
| 162 | +@@ -19,7 +19,7 @@ class TestAgent < NetSSHTest |
| 163 | + def setup |
| 164 | + @keys = [ |
| 165 | + OpenSSL::PKey::RSA.new(1024), |
| 166 | +- OpenSSL::PKey::DSA.new(512), |
| 167 | ++ OpenSSL::PKey::DSA.new(1024), |
| 168 | + OpenSSL::PKey::EC.new("prime256v1").generate_key |
| 169 | + ] |
| 170 | + @keys << Net::SSH::Authentication::ED25519::PrivKey.read(ED25519, nil) if Net::SSH::Authentication::ED25519Loader::LOADED |
| 171 | diff --git a/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
| 172 | new file mode 100644 |
| 173 | index 0000000..2a5f342 |
| 174 | --- /dev/null |
| 175 | +++ b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
| 176 | @@ -0,0 +1,68 @@ |
| 177 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 178 | +Date: Wed, 6 Apr 2022 18:43:57 +0200 |
| 179 | +Subject: tests: Enable legacy providers if using OpenSSL 3.0 |
| 180 | + |
| 181 | +Quite a few tests rely on outdated algorithms that have been relegated |
| 182 | +to the legacy provider in OpenSSL 3.0. `rake test` now loads a custom |
| 183 | +OpenSSL configuration file to enable said legacy provider, which is |
| 184 | +usually disabled by default. |
| 185 | +--- |
| 186 | + Rakefile | 6 ++++++ |
| 187 | + test/openssl3.conf | 25 +++++++++++++++++++++++++ |
| 188 | + 2 files changed, 31 insertions(+) |
| 189 | + create mode 100644 test/openssl3.conf |
| 190 | + |
| 191 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/e4ffdc07b1f0f |
| 192 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 193 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 194 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 195 | +Last-Updated: 2022-05-09 |
| 196 | + |
| 197 | +diff --git a/Rakefile b/Rakefile |
| 198 | +index 0271797..3720209 100644 |
| 199 | +--- a/Rakefile |
| 200 | ++++ b/Rakefile |
| 201 | +@@ -94,6 +94,12 @@ Rake::TestTask.new do |t| |
| 202 | + t.test_files = test_files |
| 203 | + end |
| 204 | + |
| 205 | ++# We need to enable the OpenSSL 3.0 legacy providers for our test suite |
| 206 | ++require 'openssl' |
| 207 | ++if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" then |
| 208 | ++ ENV['OPENSSL_CONF'] = 'test/openssl3.conf' |
| 209 | ++end |
| 210 | ++ |
| 211 | + desc "Run tests of Net::SSH:Test" |
| 212 | + Rake::TestTask.new do |t| |
| 213 | + t.name = "test_test" |
| 214 | +diff --git a/test/openssl3.conf b/test/openssl3.conf |
| 215 | +new file mode 100644 |
| 216 | +index 0000000..79bae9a |
| 217 | +--- /dev/null |
| 218 | ++++ b/test/openssl3.conf |
| 219 | +@@ -0,0 +1,25 @@ |
| 220 | ++openssl_conf = openssl_init |
| 221 | ++ |
| 222 | ++[openssl_init] |
| 223 | ++ssl_conf = ssl_sect |
| 224 | ++providers = provider_sect |
| 225 | ++ |
| 226 | ++[provider_sect] |
| 227 | ++default = default_sect |
| 228 | ++legacy = legacy_sect |
| 229 | ++ |
| 230 | ++[default_sect] |
| 231 | ++activate = 1 |
| 232 | ++ |
| 233 | ++[legacy_sect] |
| 234 | ++activate = 1 |
| 235 | ++ |
| 236 | ++[ssl_sect] |
| 237 | ++system_default = system_default_sect |
| 238 | ++ |
| 239 | ++[system_default_sect] |
| 240 | ++CipherString = DEFAULT@SECLEVEL=0 |
| 241 | ++# system_default = system_default_sect |
| 242 | ++# |
| 243 | ++# [system_default_sect] |
| 244 | ++# Options = UnsafeLegacyRenegotiation |
| 245 | diff --git a/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
| 246 | new file mode 100644 |
| 247 | index 0000000..328ee32 |
| 248 | --- /dev/null |
| 249 | +++ b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
| 250 | @@ -0,0 +1,103 @@ |
| 251 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 252 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
| 253 | +Subject: buffer: create RSA keys by loading PEM data directly |
| 254 | + |
| 255 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
| 256 | +details directly, and there are no dedicated constructors as of Ruby |
| 257 | +3.0, so we need to actually create a PEM certificate in-memory and load |
| 258 | +that instead. |
| 259 | + |
| 260 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 261 | +--- |
| 262 | + lib/net/ssh/buffer.rb | 18 +++++++++--------- |
| 263 | + test/test_buffer.rb | 16 +++++++++------- |
| 264 | + test/test_known_hosts.rb | 15 +++++++-------- |
| 265 | + 3 files changed, 25 insertions(+), 24 deletions(-) |
| 266 | + |
| 267 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852cab |
| 268 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 269 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 270 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 271 | +Last-Updated: 2022-05-09 |
| 272 | + |
| 273 | +diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb |
| 274 | +index 0fe4e56..0384299 100644 |
| 275 | +--- a/lib/net/ssh/buffer.rb |
| 276 | ++++ b/lib/net/ssh/buffer.rb |
| 277 | +@@ -309,15 +309,15 @@ module Net |
| 278 | + key.pub_key = read_bignum |
| 279 | + end |
| 280 | + when /^ssh-rsa$/ |
| 281 | +- key = OpenSSL::PKey::RSA.new |
| 282 | +- if key.respond_to?(:set_key) |
| 283 | +- e = read_bignum |
| 284 | +- n = read_bignum |
| 285 | +- key.set_key(n, e, nil) |
| 286 | +- else |
| 287 | +- key.e = read_bignum |
| 288 | +- key.n = read_bignum |
| 289 | +- end |
| 290 | ++ e = read_bignum |
| 291 | ++ n = read_bignum |
| 292 | ++ |
| 293 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
| 294 | ++ OpenSSL::ASN1::Integer(n), |
| 295 | ++ OpenSSL::ASN1::Integer(e) |
| 296 | ++ ]) |
| 297 | ++ |
| 298 | ++ key = OpenSSL::PKey::RSA.new(asn1.to_der) |
| 299 | + when /^ssh-ed25519$/ |
| 300 | + Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'") |
| 301 | + key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self) |
| 302 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
| 303 | +index e1fcbd2..b74e2f1 100644 |
| 304 | +--- a/test/test_buffer.rb |
| 305 | ++++ b/test/test_buffer.rb |
| 306 | +@@ -336,13 +336,15 @@ class TestBuffer < NetSSHTest |
| 307 | + def test_write_rsa_key_should_write_argument_to_end_of_buffer |
| 308 | + buffer = new("start") |
| 309 | + |
| 310 | +- key = OpenSSL::PKey::RSA.new |
| 311 | +- if key.respond_to?(:set_key) |
| 312 | +- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) |
| 313 | +- else |
| 314 | +- key.e = 0xffeeddccbbaa9988 |
| 315 | +- key.n = 0x7766554433221100 |
| 316 | +- end |
| 317 | ++ n = 0x7766554433221100 |
| 318 | ++ e = 0xffeeddccbbaa9988 |
| 319 | ++ |
| 320 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
| 321 | ++ OpenSSL::ASN1::Integer(n), |
| 322 | ++ OpenSSL::ASN1::Integer(e) |
| 323 | ++ ]) |
| 324 | ++ |
| 325 | ++ key = OpenSSL::PKey::RSA.new(asn1.to_der) |
| 326 | + |
| 327 | + buffer.write_key(key) |
| 328 | + assert_equal "start\0\0\0\7ssh-rsa\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00", buffer.to_s |
| 329 | +diff --git a/test/test_known_hosts.rb b/test/test_known_hosts.rb |
| 330 | +index 6b1fda6..187f6ac 100644 |
| 331 | +--- a/test/test_known_hosts.rb |
| 332 | ++++ b/test/test_known_hosts.rb |
| 333 | +@@ -132,13 +132,12 @@ class TestKnownHosts < NetSSHTest |
| 334 | + end |
| 335 | + |
| 336 | + def rsa_key |
| 337 | +- key = OpenSSL::PKey::RSA.new |
| 338 | +- if key.respond_to?(:set_key) |
| 339 | +- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) |
| 340 | +- else |
| 341 | +- key.e = 0xffeeddccbbaa9988 |
| 342 | +- key.n = 0x7766554433221100 |
| 343 | +- end |
| 344 | +- key |
| 345 | ++ n = 0x7766554433221100 |
| 346 | ++ e = 0xffeeddccbbaa9988 |
| 347 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
| 348 | ++ OpenSSL::ASN1::Integer(n), |
| 349 | ++ OpenSSL::ASN1::Integer(e) |
| 350 | ++ ]) |
| 351 | ++ OpenSSL::PKey::RSA.new(asn1.to_der) |
| 352 | + end |
| 353 | + end |
| 354 | diff --git a/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
| 355 | new file mode 100644 |
| 356 | index 0000000..c29b87c |
| 357 | --- /dev/null |
| 358 | +++ b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
| 359 | @@ -0,0 +1,106 @@ |
| 360 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 361 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
| 362 | +Subject: buffer: create DSA keys by loading PEM data directly |
| 363 | + |
| 364 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
| 365 | +details directly, and there are no dedicated constructors as of Ruby |
| 366 | +3.0, so we need to actually create a PEM certificate in-memory and load |
| 367 | +that instead. |
| 368 | + |
| 369 | +To add insult to injury, contrary to other types of keys such as RSA, we |
| 370 | +need to actually build the full PEM data and not just pack the numbers |
| 371 | +in a simple sequence, making the code even a bit more complicated. |
| 372 | + |
| 373 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 374 | +--- |
| 375 | + lib/net/ssh/buffer.rb | 31 ++++++++++++++++++------------- |
| 376 | + test/test_buffer.rb | 28 ++++++++++++++++++---------- |
| 377 | + 2 files changed, 36 insertions(+), 23 deletions(-) |
| 378 | + |
| 379 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852 |
| 380 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 381 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 382 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 383 | +Last-Updated: 2022-05-09 |
| 384 | + |
| 385 | +diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb |
| 386 | +index 0384299..5a7dff0 100644 |
| 387 | +--- a/lib/net/ssh/buffer.rb |
| 388 | ++++ b/lib/net/ssh/buffer.rb |
| 389 | +@@ -295,19 +295,24 @@ module Net |
| 390 | + when /^(.*)-cert-v01@openssh\.com$/ |
| 391 | + key = Net::SSH::Authentication::Certificate.read_certblob(self, $1) |
| 392 | + when /^ssh-dss$/ |
| 393 | +- key = OpenSSL::PKey::DSA.new |
| 394 | +- if key.respond_to?(:set_pqg) |
| 395 | +- key.set_pqg(read_bignum, read_bignum, read_bignum) |
| 396 | +- else |
| 397 | +- key.p = read_bignum |
| 398 | +- key.q = read_bignum |
| 399 | +- key.g = read_bignum |
| 400 | +- end |
| 401 | +- if key.respond_to?(:set_key) |
| 402 | +- key.set_key(read_bignum, nil) |
| 403 | +- else |
| 404 | +- key.pub_key = read_bignum |
| 405 | +- end |
| 406 | ++ p = read_bignum |
| 407 | ++ q = read_bignum |
| 408 | ++ g = read_bignum |
| 409 | ++ pub_key = read_bignum |
| 410 | ++ |
| 411 | ++ asn1 = OpenSSL::ASN1::Sequence.new([ |
| 412 | ++ OpenSSL::ASN1::Sequence.new([ |
| 413 | ++ OpenSSL::ASN1::ObjectId.new('DSA'), |
| 414 | ++ OpenSSL::ASN1::Sequence.new([ |
| 415 | ++ OpenSSL::ASN1::Integer.new(p), |
| 416 | ++ OpenSSL::ASN1::Integer.new(q), |
| 417 | ++ OpenSSL::ASN1::Integer.new(g) |
| 418 | ++ ]), |
| 419 | ++ ]), |
| 420 | ++ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) |
| 421 | ++ ]) |
| 422 | ++ |
| 423 | ++ key = OpenSSL::PKey::DSA.new(asn1.to_der) |
| 424 | + when /^ssh-rsa$/ |
| 425 | + e = read_bignum |
| 426 | + n = read_bignum |
| 427 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
| 428 | +index b74e2f1..f75a729 100644 |
| 429 | +--- a/test/test_buffer.rb |
| 430 | ++++ b/test/test_buffer.rb |
| 431 | +@@ -318,16 +318,24 @@ class TestBuffer < NetSSHTest |
| 432 | + def test_write_dss_key_should_write_argument_to_end_of_buffer |
| 433 | + buffer = new("start") |
| 434 | + |
| 435 | +- key = OpenSSL::PKey::DSA.new |
| 436 | +- if key.respond_to?(:set_pqg) |
| 437 | +- key.set_pqg(0xffeeddccbbaa9988, 0x7766554433221100, 0xffddbb9977553311) |
| 438 | +- key.set_key(0xeeccaa8866442200, nil) |
| 439 | +- else |
| 440 | +- key.p = 0xffeeddccbbaa9988 |
| 441 | +- key.q = 0x7766554433221100 |
| 442 | +- key.g = 0xffddbb9977553311 |
| 443 | +- key.pub_key = 0xeeccaa8866442200 |
| 444 | +- end |
| 445 | ++ p = 0xffeeddccbbaa9988 |
| 446 | ++ q = 0x7766554433221100 |
| 447 | ++ g = 0xffddbb9977553311 |
| 448 | ++ pub_key = 0xeeccaa8866442200 |
| 449 | ++ |
| 450 | ++ asn1 = OpenSSL::ASN1::Sequence.new([ |
| 451 | ++ OpenSSL::ASN1::Sequence.new([ |
| 452 | ++ OpenSSL::ASN1::ObjectId.new('DSA'), |
| 453 | ++ OpenSSL::ASN1::Sequence.new([ |
| 454 | ++ OpenSSL::ASN1::Integer.new(p), |
| 455 | ++ OpenSSL::ASN1::Integer.new(q), |
| 456 | ++ OpenSSL::ASN1::Integer.new(g) |
| 457 | ++ ]), |
| 458 | ++ ]), |
| 459 | ++ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) |
| 460 | ++ ]) |
| 461 | ++ |
| 462 | ++ key = OpenSSL::PKey::DSA.new(asn1.to_der) |
| 463 | + |
| 464 | + buffer.write_key(key) |
| 465 | + assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s |
| 466 | diff --git a/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
| 467 | new file mode 100644 |
| 468 | index 0000000..438cdba |
| 469 | --- /dev/null |
| 470 | +++ b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
| 471 | @@ -0,0 +1,46 @@ |
| 472 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 473 | +Date: Fri, 8 Apr 2022 09:32:24 +0200 |
| 474 | +Subject: transport: create EC keys by loading PEM data directly |
| 475 | + |
| 476 | +The OpenSSL 3.0 changes don't allow for us to modify the private key |
| 477 | +details directly, and there are no dedicated constructors as of Ruby |
| 478 | +3.0, so we need to actually create a PEM certificate in-memory and load |
| 479 | +that instead. |
| 480 | + |
| 481 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 482 | +--- |
| 483 | + lib/net/ssh/transport/openssl.rb | 14 +++++++++++--- |
| 484 | + 1 file changed, 11 insertions(+), 3 deletions(-) |
| 485 | + |
| 486 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/4de6831dea |
| 487 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 488 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 489 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 490 | +Last-Updated: 2022-05-09 |
| 491 | + |
| 492 | +diff --git a/lib/net/ssh/transport/openssl.rb b/lib/net/ssh/transport/openssl.rb |
| 493 | +index 0581dd5..c5ff2fb 100644 |
| 494 | +--- a/lib/net/ssh/transport/openssl.rb |
| 495 | ++++ b/lib/net/ssh/transport/openssl.rb |
| 496 | +@@ -147,10 +147,18 @@ module OpenSSL |
| 497 | + |
| 498 | + public_key_oct = buffer.read_string |
| 499 | + begin |
| 500 | +- key = OpenSSL::PKey::EC.new(OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key]) |
| 501 | +- group = key.group |
| 502 | ++ curvename = OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key] |
| 503 | ++ group = OpenSSL::PKey::EC::Group.new(curvename) |
| 504 | + point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_oct, 2)) |
| 505 | +- key.public_key = point |
| 506 | ++ asn1 = OpenSSL::ASN1::Sequence([ |
| 507 | ++ OpenSSL::ASN1::Sequence([ |
| 508 | ++ OpenSSL::ASN1::ObjectId("id-ecPublicKey"), |
| 509 | ++ OpenSSL::ASN1::ObjectId(curvename) |
| 510 | ++ ]), |
| 511 | ++ OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed)) |
| 512 | ++ ]) |
| 513 | ++ |
| 514 | ++ key = OpenSSL::PKey::EC.new(asn1.to_der) |
| 515 | + |
| 516 | + return key |
| 517 | + rescue OpenSSL::PKey::ECError |
| 518 | diff --git a/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
| 519 | new file mode 100644 |
| 520 | index 0000000..93a87c0 |
| 521 | --- /dev/null |
| 522 | +++ b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
| 523 | @@ -0,0 +1,147 @@ |
| 524 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 525 | +Date: Mon, 11 Apr 2022 16:25:39 +0200 |
| 526 | +Subject: Use OpenSSL::PKey::EC.generate static method |
| 527 | + |
| 528 | +Migrate all instances of the pattern EC.new(foo).generate_key to |
| 529 | +EC.generate(foo), as the old pattern isn't supported when using OpenSSL |
| 530 | +3.0, since one is not allowed to mess with the internal data of already |
| 531 | +created objects now. |
| 532 | + |
| 533 | +The new API has been introduced in Ruby 2.4. |
| 534 | + |
| 535 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 536 | +--- |
| 537 | + lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | 2 +- |
| 538 | + test/authentication/test_agent.rb | 4 ++-- |
| 539 | + test/authentication/test_key_manager.rb | 6 +++--- |
| 540 | + test/test_buffer.rb | 6 +++--- |
| 541 | + test/transport/kex/test_curve25519_sha256.rb | 2 +- |
| 542 | + test/transport/kex/test_ecdh_sha2_nistp256.rb | 4 ++-- |
| 543 | + 6 files changed, 12 insertions(+), 12 deletions(-) |
| 544 | + |
| 545 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/8729d47045b |
| 546 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 547 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 548 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 549 | +Last-Updated: 2022-05-09 |
| 550 | + |
| 551 | +diff --git a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
| 552 | +index 84d0e4a..a0b2d73 100644 |
| 553 | +--- a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
| 554 | ++++ b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb |
| 555 | +@@ -18,7 +18,7 @@ module Net |
| 556 | + private |
| 557 | + |
| 558 | + def generate_key #:nodoc: |
| 559 | +- OpenSSL::PKey::EC.new(curve_name).generate_key |
| 560 | ++ OpenSSL::PKey::EC.generate(curve_name) |
| 561 | + end |
| 562 | + |
| 563 | + # compute shared secret from server's public key and client's private key |
| 564 | +diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb |
| 565 | +index 42cc215..253317f 100644 |
| 566 | +--- a/test/authentication/test_agent.rb |
| 567 | ++++ b/test/authentication/test_agent.rb |
| 568 | +@@ -286,7 +286,7 @@ module Authentication |
| 569 | + end |
| 570 | + |
| 571 | + def test_add_ecdsa_identity |
| 572 | +- ecdsa = OpenSSL::PKey::EC.new("prime256v1").generate_key |
| 573 | ++ ecdsa = OpenSSL::PKey::EC.generate("prime256v1") |
| 574 | + socket.expect do |s,type,buffer| |
| 575 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
| 576 | + assert_equal buffer.read_string, "ecdsa-sha2-nistp256" |
| 577 | +@@ -303,7 +303,7 @@ module Authentication |
| 578 | + end |
| 579 | + |
| 580 | + def test_add_ecdsa_cert_identity |
| 581 | +- cert = make_cert(OpenSSL::PKey::EC.new("prime256v1").generate_key) |
| 582 | ++ cert = make_cert(OpenSSL::PKey::EC.generate("prime256v1")) |
| 583 | + socket.expect do |s,type,buffer| |
| 584 | + assert_equal SSH2_AGENT_ADD_IDENTITY, type |
| 585 | + assert_equal buffer.read_string, "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
| 586 | +diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb |
| 587 | +index 5f38d73..06a4594 100644 |
| 588 | +--- a/test/authentication/test_key_manager.rb |
| 589 | ++++ b/test/authentication/test_key_manager.rb |
| 590 | +@@ -331,15 +331,15 @@ module Authentication |
| 591 | + end |
| 592 | + |
| 593 | + def ecdsa_sha2_nistp256 |
| 594 | +- @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
| 595 | ++ @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.generate('prime256v1') |
| 596 | + end |
| 597 | + |
| 598 | + def ecdsa_sha2_nistp384 |
| 599 | +- @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.new('secp384r1').generate_key |
| 600 | ++ @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.generate('secp384r1') |
| 601 | + end |
| 602 | + |
| 603 | + def ecdsa_sha2_nistp521 |
| 604 | +- @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.new('secp521r1').generate_key |
| 605 | ++ @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.generate('secp521r1') |
| 606 | + end |
| 607 | + |
| 608 | + def rsa_pk |
| 609 | +diff --git a/test/test_buffer.rb b/test/test_buffer.rb |
| 610 | +index f75a729..57b98e5 100644 |
| 611 | +--- a/test/test_buffer.rb |
| 612 | ++++ b/test/test_buffer.rb |
| 613 | +@@ -456,7 +456,7 @@ class TestBuffer < NetSSHTest |
| 614 | + end |
| 615 | + |
| 616 | + def random_ecdsa_sha2_nistp256 |
| 617 | +- k = OpenSSL::PKey::EC.new('prime256v1').generate_key |
| 618 | ++ k = OpenSSL::PKey::EC.generate('prime256v1') |
| 619 | + buffer = Net::SSH::Buffer.from(:string, 'nistp256', |
| 620 | + :string, k.public_key.to_bn.to_s(2)) |
| 621 | + key = yield(buffer) |
| 622 | +@@ -465,7 +465,7 @@ class TestBuffer < NetSSHTest |
| 623 | + end |
| 624 | + |
| 625 | + def random_ecdsa_sha2_nistp384 |
| 626 | +- k = OpenSSL::PKey::EC.new('secp384r1').generate_key |
| 627 | ++ k = OpenSSL::PKey::EC.generate('secp384r1') |
| 628 | + buffer = Net::SSH::Buffer.from(:string, 'nistp384', |
| 629 | + :string, k.public_key.to_bn.to_s(2)) |
| 630 | + key = yield(buffer) |
| 631 | +@@ -474,7 +474,7 @@ class TestBuffer < NetSSHTest |
| 632 | + end |
| 633 | + |
| 634 | + def random_ecdsa_sha2_nistp521 |
| 635 | +- k = OpenSSL::PKey::EC.new('secp521r1').generate_key |
| 636 | ++ k = OpenSSL::PKey::EC.generate('secp521r1') |
| 637 | + buffer = Net::SSH::Buffer.from(:string, 'nistp521', |
| 638 | + :string, k.public_key.to_bn.to_s(2)) |
| 639 | + key = yield(buffer) |
| 640 | +diff --git a/test/transport/kex/test_curve25519_sha256.rb b/test/transport/kex/test_curve25519_sha256.rb |
| 641 | +index 8177a38..d990019 100644 |
| 642 | +--- a/test/transport/kex/test_curve25519_sha256.rb |
| 643 | ++++ b/test/transport/kex/test_curve25519_sha256.rb |
| 644 | +@@ -111,7 +111,7 @@ unless ENV['NET_SSH_NO_ED25519'] |
| 645 | + end |
| 646 | + |
| 647 | + def server_host_key |
| 648 | +- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
| 649 | ++ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') |
| 650 | + end |
| 651 | + |
| 652 | + def packet_data |
| 653 | +diff --git a/test/transport/kex/test_ecdh_sha2_nistp256.rb b/test/transport/kex/test_ecdh_sha2_nistp256.rb |
| 654 | +index 932d8d7..a2ed6b4 100644 |
| 655 | +--- a/test/transport/kex/test_ecdh_sha2_nistp256.rb |
| 656 | ++++ b/test/transport/kex/test_ecdh_sha2_nistp256.rb |
| 657 | +@@ -109,11 +109,11 @@ module Transport |
| 658 | + end |
| 659 | + |
| 660 | + def server_key |
| 661 | +- @server_key ||= OpenSSL::PKey::EC.new(ecparam).generate_key |
| 662 | ++ @server_key ||= OpenSSL::PKey::EC.generate(ecparam) |
| 663 | + end |
| 664 | + |
| 665 | + def server_host_key |
| 666 | +- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key |
| 667 | ++ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') |
| 668 | + end |
| 669 | + |
| 670 | + def packet_data |
| 671 | diff --git a/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
| 672 | new file mode 100644 |
| 673 | index 0000000..623e2e6 |
| 674 | --- /dev/null |
| 675 | +++ b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
| 676 | @@ -0,0 +1,70 @@ |
| 677 | +From: Simon Chopin <simon.chopin@canonical.com> |
| 678 | +Date: Mon, 11 Apr 2022 16:04:08 +0200 |
| 679 | +Subject: diffie-hellman: create the key by generating the PEM file |
| 680 | + |
| 681 | +This makes the code compatible with OpenSSL 3.0. However, an issue with |
| 682 | +this is that it is not possible anymore to ensure a specific size for |
| 683 | +the private key, as indicated in the inline comment. |
| 684 | + |
| 685 | +v2: avoid PKey.generate_key on older releases (< 2.7) |
| 686 | + |
| 687 | +Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> |
| 688 | +--- |
| 689 | + .../transport/kex/diffie_hellman_group1_sha1.rb | 36 +++++++++++----------- |
| 690 | + 1 file changed, 18 insertions(+), 18 deletions(-) |
| 691 | + |
| 692 | +Origin: backport, https://github.com/net-ssh/net-ssh/commit/8929562bec |
| 693 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 694 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 695 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 696 | +Last-Updated: 2022-05-09 |
| 697 | + |
| 698 | +diff --git a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
| 699 | +index 34af18b..a78b5d5 100644 |
| 700 | +--- a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
| 701 | ++++ b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb |
| 702 | +@@ -59,26 +59,26 @@ module Net |
| 703 | + |
| 704 | + # Generate a DH key with a private key consisting of the given |
| 705 | + # number of bytes. |
| 706 | +- def generate_key #:nodoc: |
| 707 | +- dh = OpenSSL::PKey::DH.new |
| 708 | +- |
| 709 | +- if dh.respond_to?(:set_pqg) |
| 710 | +- p, g = get_parameters |
| 711 | +- dh.set_pqg(p, nil, g) |
| 712 | ++ def generate_key # :nodoc: |
| 713 | ++ p, g = get_parameters |
| 714 | ++ |
| 715 | ++ asn1 = OpenSSL::ASN1::Sequence( |
| 716 | ++ [ |
| 717 | ++ OpenSSL::ASN1::Integer(p), |
| 718 | ++ OpenSSL::ASN1::Integer(g) |
| 719 | ++ ] |
| 720 | ++ ) |
| 721 | ++ |
| 722 | ++ dh_params = OpenSSL::PKey::DH.new(asn1.to_der) |
| 723 | ++ # XXX No private key size check! In theory the latter call should work but fails on OpenSSL 3.0 as |
| 724 | ++ # dh_paramgen_subprime_len is now reserved for DHX algorithm |
| 725 | ++ # key = OpenSSL::PKey.generate_key(dh_params, "dh_paramgen_subprime_len" => data[:need_bytes]/8) |
| 726 | ++ if OpenSSL::PKey.respond_to?(:generate_key) |
| 727 | ++ OpenSSL::PKey.generate_key(dh_params) |
| 728 | + else |
| 729 | +- dh.p, dh.g = get_parameters |
| 730 | +- end |
| 731 | +- |
| 732 | +- dh.generate_key! |
| 733 | +- until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes] |
| 734 | +- if dh.respond_to?(:set_key) |
| 735 | +- dh.set_key(nil, OpenSSL::BN.rand(data[:need_bytes] * 8)) |
| 736 | +- else |
| 737 | +- dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8) |
| 738 | +- end |
| 739 | +- dh.generate_key! |
| 740 | ++ dh_params.generate_key! |
| 741 | ++ dh_params |
| 742 | + end |
| 743 | +- dh |
| 744 | + end |
| 745 | + |
| 746 | + # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the |
| 747 | diff --git a/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
| 748 | new file mode 100644 |
| 749 | index 0000000..4e393ca |
| 750 | --- /dev/null |
| 751 | +++ b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
| 752 | @@ -0,0 +1,65 @@ |
| 753 | +From: Florian Wininger <fw.centrale@gmail.com> |
| 754 | +Date: Fri, 29 Apr 2022 14:19:55 +0200 |
| 755 | +Subject: Fix unit tests for OpenSSL 3 |
| 756 | + |
| 757 | +--- |
| 758 | + test/common.rb | 12 ++++++++++++ |
| 759 | + test/transport/kex/test_diffie_hellman_group1_sha1.rb | 2 +- |
| 760 | + test/transport/test_algorithms.rb | 2 +- |
| 761 | + 3 files changed, 14 insertions(+), 2 deletions(-) |
| 762 | + |
| 763 | +Origin: upstream, https://github.com/net-ssh/net-ssh/commit/395f0cd4029c |
| 764 | +Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 |
| 765 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 |
| 766 | +Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> |
| 767 | +Last-Updated: 2022-05-09 |
| 768 | + |
| 769 | +diff --git a/test/common.rb b/test/common.rb |
| 770 | +index 8ae521c..db97d60 100644 |
| 771 | +--- a/test/common.rb |
| 772 | ++++ b/test/common.rb |
| 773 | +@@ -46,6 +46,18 @@ def P(*args) |
| 774 | + Net::SSH::Packet.new(Net::SSH::Buffer.from(*args)) |
| 775 | + end |
| 776 | + |
| 777 | ++# DH key generate with OpenSSL::PKey::DH.new(512).to_pem |
| 778 | ++def dh_512bits_bn |
| 779 | ++ OpenSSL::PKey::DH.new( |
| 780 | ++ <<~DH_KEY |
| 781 | ++ -----BEGIN DH PARAMETERS----- |
| 782 | ++ MEYCQQDkZMgCTieW40x/bmCpf6m1XHERNnyOodot21UsJkCidr+T6aAcy/Oz4mWo |
| 783 | ++ aYudmZZLQz7jhz0Ut2VQUw0Nz033AgEC |
| 784 | ++ -----END DH PARAMETERS----- |
| 785 | ++ DH_KEY |
| 786 | ++ ).p |
| 787 | ++end |
| 788 | ++ |
| 789 | + class NetSSHTest < Minitest::Test |
| 790 | + def assert_nothing_raised(&block) |
| 791 | + yield |
| 792 | +diff --git a/test/transport/kex/test_diffie_hellman_group1_sha1.rb b/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
| 793 | +index be51720..d621de6 100644 |
| 794 | +--- a/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
| 795 | ++++ b/test/transport/kex/test_diffie_hellman_group1_sha1.rb |
| 796 | +@@ -134,7 +134,7 @@ module Transport |
| 797 | + end |
| 798 | + |
| 799 | + def server_dh_pubkey |
| 800 | +- @server_dh_pubkey ||= bn(1234567890) |
| 801 | ++ @server_dh_pubkey ||= OpenSSL::BN.new(dh_512bits_bn, 10) |
| 802 | + end |
| 803 | + |
| 804 | + def shared_secret |
| 805 | +diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb |
| 806 | +index 105f3af..7eb50aa 100644 |
| 807 | +--- a/test/transport/test_algorithms.rb |
| 808 | ++++ b/test/transport/test_algorithms.rb |
| 809 | +@@ -368,7 +368,7 @@ module Transport |
| 810 | + end |
| 811 | + |
| 812 | + def shared_secret |
| 813 | +- @shared_secret ||= OpenSSL::BN.new("1234567890", 10) |
| 814 | ++ @shared_secret ||= dh_512bits_bn |
| 815 | + end |
| 816 | + |
| 817 | + def session_id |
| 818 | diff --git a/debian/patches/series b/debian/patches/series |
| 819 | index cb8efb3..f7fd3ea 100644 |
| 820 | --- a/debian/patches/series |
| 821 | +++ b/debian/patches/series |
| 822 | @@ -1 +1,9 @@ |
| 823 | 0001-openssl-DSA-don-t-hardcode-expected-signature-size.patch |
| 824 | +openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch |
| 825 | +openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch |
| 826 | +openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch |
| 827 | +openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch |
| 828 | +openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch |
| 829 | +openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch |
| 830 | +openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch |
| 831 | +openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch |
| 832 | diff --git a/debian/ruby-tests.rake b/debian/ruby-tests.rake |
| 833 | index 751fecc..38479eb 100644 |
| 834 | --- a/debian/ruby-tests.rake |
| 835 | +++ b/debian/ruby-tests.rake |
| 836 | @@ -3,5 +3,12 @@ require 'gem2deb/rake/testtask' |
| 837 | # Unfortunately this also disables 'ed25519' tests. |
| 838 | ENV['NET_SSH_NO_ED25519'] = '1' |
| 839 | |
| 840 | +# Some tests rely no ciphers which are considered legacy in OpenSSL 3. For now, |
| 841 | +# let's use the custom config file to enable them and make the tests pass. |
| 842 | +require 'openssl' |
| 843 | +if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" |
| 844 | + ENV['OPENSSL_CONF'] = Dir.pwd + '/test/openssl3.conf' |
| 845 | +end |
| 846 | + |
| 847 | Gem2Deb::Rake::TestTask.new do |t| |
| 848 | end |
Well,
ruby-net-ssh | 1:6.1.0-2 | jammy/universe | source, all
ruby-net-ssh | 1:6.1.0-2 | kinetic/universe | source, all
ruby-net-ssh | 1:7.0.0~beta1-2 | kinetic-
Hopefully 7.0.0~beta1-2 will migrate soon otherwise version in Jammy will be greater than in Kinetic.