Merge ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3 into ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
Status: Needs review
Proposed branch: ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3
Merge into: ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
Diff against target: 848 lines (+764/-1) 12 files modified

- debian/changelog (+8/-0)
- debian/control (+2/-1)
- debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch (+134/-0)
- debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch (+68/-0)
- debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch (+103/-0)
- debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch (+106/-0)
- debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch (+46/-0)
- debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch (+147/-0)
- debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch (+70/-0)
- debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch (+65/-0)
- debian/patches/series (+8/-0)
- debian/ruby-tests.rake (+7/-0)

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Utkarsh Gupta (community) | | | Approve |
git-ubuntu import | | | Pending |

Review via email: mp+421795@code.launchpad.net
Commit message
Description of the change
Fix OpenSSL 3 issues in Jammy (LP: #1964025). This was fixed in version 1:7.0.0~beta1-2 in kinetic, and now I am backporting the upstream patch set to fix it in Jammy. This issue is making vagrant unusable, and some users are complaining about it.
PPA with proposed package:
https:/
autopkgtest result:
autopkgtest [19:06:49]: @@@@@@@
gem2deb-test-runner PASS
Lucas Kanashiro (lucaskanashiro) wrote:
So far there is no regression because of new ruby-net-ssh in kinetic, and I do not expect any TBH. It did not migrate yet because of the long test queue we have at the moment, so I am not worried about it.
Lucas Kanashiro (lucaskanashiro) wrote:
However, since you mentioned the version string, I think I'll use 1:6.1.0-3ubuntu0.1 instead of 1:6.1.0-3ubuntu1. Thanks for making me revisit this :)
Lucas Kanashiro (lucaskanashiro) wrote:
Package uploaded:
Uploading ruby-net-
Uploading ruby-net-
Uploading ruby-net-
Unmerged commits
- 8257009... by Lucas Kanashiro

  update-maintainer

- 81cb3cd... by Lucas Kanashiro

  Update changelog

- 1c25ff2... by Lucas Kanashiro

  d/ruby-tests.rake: use custom openssl config file if using openssl 3

  This will allow the usage of legacy ciphers during tests, not breaking a
  bunch of them.

- 2108453... by Lucas Kanashiro

  Backport upstream patches to support OpenSSL 3 (LP: #1964025)

  Origin: backport, https://github.com/net-ssh/net-ssh/pull/864

- 7363613... by Antonio Terceiro

  1:6.1.0-3 (patches unapplied)

  Imported using git-ubuntu import.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 9d13b4e..ef64464 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,11 @@ | |||
6 | 1 | ruby-net-ssh (1:6.1.0-3ubuntu0.1) jammy; urgency=medium | ||
7 | 2 | |||
8 | 3 | * d/p/openssl-3/*.patch: backport upstream patches to support OpenSSL 3 | ||
9 | 4 | (LP: #1964025). | ||
10 | 5 | * d/ruby-tests.rake: use custom OpenSSL config file if using OpenSSL 3. | ||
11 | 6 | |||
12 | 7 | -- Lucas Kanashiro <kanashiro@ubuntu.com> Mon, 09 May 2022 18:44:20 -0300 | ||
13 | 8 | |||
14 | 1 | ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium | 9 | ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium |
15 | 2 | 10 | ||
16 | 3 | * Team upload | 11 | * Team upload |
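Review bot: the first bullet of the new entry covers the whole set as `d/p/openssl-3/*.patch`, but the files added in this proposal are numbered 0002 to 0009, with no 0001. Consider naming the upstream pull request in the bullet and saying whether 0001 was left out on purpose, so a later reader does not take the gap for a lost file.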
17 | diff --git a/debian/control b/debian/control | |||
18 | index 62920fb..2483e6d 100644 | |||
19 | --- a/debian/control | |||
20 | +++ b/debian/control | |||
21 | @@ -1,7 +1,8 @@ | |||
22 | 1 | Source: ruby-net-ssh | 1 | Source: ruby-net-ssh |
23 | 2 | Section: ruby | 2 | Section: ruby |
24 | 3 | Priority: optional | 3 | Priority: optional |
26 | 4 | Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
27 | 5 | XSBC-Original-Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org> | ||
28 | 5 | Uploaders: Lucas Nussbaum <lucas@debian.org>, | 6 | Uploaders: Lucas Nussbaum <lucas@debian.org>, |
29 | 6 | Paul van Tilburg <paulvt@debian.org>, | 7 | Paul van Tilburg <paulvt@debian.org>, |
30 | 7 | David Suárez <david.sephirot@gmail.com> | 8 | David Suárez <david.sephirot@gmail.com> |
31 | diff --git a/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch | |||
32 | 8 | new file mode 100644 | 9 | new file mode 100644 |
33 | index 0000000..0c63bee | |||
34 | --- /dev/null | |||
35 | +++ b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch | |||
36 | @@ -0,0 +1,134 @@ | |||
37 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
38 | 2 | Date: Fri, 8 Apr 2022 09:49:06 +0200 | ||
39 | 3 | Subject: Generate all DSA keys with 1024 bits | ||
40 | 4 | |||
41 | 5 | 512bits keys are refused in newer OpenSSL libraries as too weak. | ||
42 | 6 | |||
43 | 7 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
44 | 8 | --- | ||
45 | 9 | test/authentication/methods/test_hostbased.rb | 2 +- | ||
46 | 10 | test/authentication/methods/test_publickey.rb | 2 +- | ||
47 | 11 | test/authentication/test_agent.rb | 12 ++++++------ | ||
48 | 12 | test/authentication/test_key_manager.rb | 4 ++-- | ||
49 | 13 | test/integration/test_agent.rb | 2 +- | ||
50 | 14 | 5 files changed, 11 insertions(+), 11 deletions(-) | ||
51 | 15 | |||
52 | 16 | Origin: backport, https://github.com/net-ssh/net-ssh/commit/6364a20037fe8 | ||
53 | 17 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
54 | 18 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
55 | 19 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
56 | 20 | Last-Updated: 2022-05-09 | ||
57 | 21 | |||
58 | 22 | diff --git a/test/authentication/methods/test_hostbased.rb b/test/authentication/methods/test_hostbased.rb | ||
59 | 23 | index 4fbd37a..957a83e 100644 | ||
60 | 24 | --- a/test/authentication/methods/test_hostbased.rb | ||
61 | 25 | +++ b/test/authentication/methods/test_hostbased.rb | ||
62 | 26 | @@ -76,7 +76,7 @@ module Authentication | ||
63 | 27 | |||
64 | 28 | @@keys = nil | ||
65 | 29 | def keys | ||
66 | 30 | - @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] | ||
67 | 31 | + @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] | ||
68 | 32 | end | ||
69 | 33 | |||
70 | 34 | def key_manager(options={}) | ||
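Review bot: the description on patch line 5 says 512-bit keys are refused by newer OpenSSL, yet the changed line 31 still creates `OpenSSL::PKey::RSA.new(512)` and only the DSA key grows to 1024 bits. Either word the description so it is about DSA keys only, matching the subject, or confirm that the 512-bit RSA key in this list is still accepted under OpenSSL 3 without the relaxed test configuration from 0003.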
71 | 35 | diff --git a/test/authentication/methods/test_publickey.rb b/test/authentication/methods/test_publickey.rb | ||
72 | 36 | index 8f2cc73..449f74d 100644 | ||
73 | 37 | --- a/test/authentication/methods/test_publickey.rb | ||
74 | 38 | +++ b/test/authentication/methods/test_publickey.rb | ||
75 | 39 | @@ -128,7 +128,7 @@ module Authentication | ||
76 | 40 | |||
77 | 41 | @@keys = nil | ||
78 | 42 | def keys | ||
79 | 43 | - @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)] | ||
80 | 44 | + @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)] | ||
81 | 45 | end | ||
82 | 46 | |||
83 | 47 | def key_manager(options={}) | ||
84 | 48 | diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb | ||
85 | 49 | index 81ca477..42cc215 100644 | ||
86 | 50 | --- a/test/authentication/test_agent.rb | ||
87 | 51 | +++ b/test/authentication/test_agent.rb | ||
88 | 52 | @@ -119,7 +119,7 @@ module Authentication | ||
89 | 53 | |||
90 | 54 | def test_identities_should_augment_identities_with_comment_field | ||
91 | 55 | key1 = key | ||
92 | 56 | - key2 = OpenSSL::PKey::DSA.new(512) | ||
93 | 57 | + key2 = OpenSSL::PKey::DSA.new(1024) | ||
94 | 58 | |||
95 | 59 | socket.expect do |s, type, buffer| | ||
96 | 60 | assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type | ||
97 | 61 | @@ -135,9 +135,9 @@ module Authentication | ||
98 | 62 | |||
99 | 63 | def test_identities_should_ignore_unimplemented_ones | ||
100 | 64 | key1 = key | ||
101 | 65 | - key2 = OpenSSL::PKey::DSA.new(512) | ||
102 | 66 | + key2 = OpenSSL::PKey::DSA.new(1024) | ||
103 | 67 | key2.to_blob[0..5] = 'badkey' | ||
104 | 68 | - key3 = OpenSSL::PKey::DSA.new(512) | ||
105 | 69 | + key3 = OpenSSL::PKey::DSA.new(1024) | ||
106 | 70 | |||
107 | 71 | socket.expect do |s, type, buffer| | ||
108 | 72 | assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type | ||
109 | 73 | @@ -155,7 +155,7 @@ module Authentication | ||
110 | 74 | def test_identities_should_ignore_invalid_ones | ||
111 | 75 | key1 = key | ||
112 | 76 | key2_bad = Net::SSH::Buffer.new("") | ||
113 | 77 | - key3 = OpenSSL::PKey::DSA.new(512) | ||
114 | 78 | + key3 = OpenSSL::PKey::DSA.new(1024) | ||
115 | 79 | |||
116 | 80 | socket.expect do |s, type, buffer| | ||
117 | 81 | assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type | ||
118 | 82 | @@ -251,7 +251,7 @@ module Authentication | ||
119 | 83 | end | ||
120 | 84 | |||
121 | 85 | def test_add_dsa_identity | ||
122 | 86 | - dsa = OpenSSL::PKey::DSA.new(512) | ||
123 | 87 | + dsa = OpenSSL::PKey::DSA.new(1024) | ||
124 | 88 | socket.expect do |s,type,buffer| | ||
125 | 89 | assert_equal SSH2_AGENT_ADD_IDENTITY, type | ||
126 | 90 | assert_equal buffer.read_string, "ssh-dss" | ||
127 | 91 | @@ -270,7 +270,7 @@ module Authentication | ||
128 | 92 | end | ||
129 | 93 | |||
130 | 94 | def test_add_dsa_cert_identity | ||
131 | 95 | - cert = make_cert(OpenSSL::PKey::DSA.new(512)) | ||
132 | 96 | + cert = make_cert(OpenSSL::PKey::DSA.new(1024)) | ||
133 | 97 | socket.expect do |s,type,buffer| | ||
134 | 98 | assert_equal SSH2_AGENT_ADD_IDENTITY, type | ||
135 | 99 | assert_equal buffer.read_string, "ssh-dss-cert-v01@openssh.com" | ||
136 | 100 | diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb | ||
137 | 101 | index c40779f..5f38d73 100644 | ||
138 | 102 | --- a/test/authentication/test_key_manager.rb | ||
139 | 103 | +++ b/test/authentication/test_key_manager.rb | ||
140 | 104 | @@ -317,7 +317,7 @@ module Authentication | ||
141 | 105 | cert.critical_options = {} | ||
142 | 106 | cert.extensions = {} | ||
143 | 107 | cert.reserved = '' | ||
144 | 108 | - cert.sign!(OpenSSL::PKey::DSA.new(512)) | ||
145 | 109 | + cert.sign!(OpenSSL::PKey::DSA.new(1024)) | ||
146 | 110 | cert | ||
147 | 111 | end | ||
148 | 112 | end | ||
149 | 113 | @@ -327,7 +327,7 @@ module Authentication | ||
150 | 114 | end | ||
151 | 115 | |||
152 | 116 | def dsa | ||
153 | 117 | - @dsa ||= OpenSSL::PKey::DSA.new(512) | ||
154 | 118 | + @dsa ||= OpenSSL::PKey::DSA.new(1024) | ||
155 | 119 | end | ||
156 | 120 | |||
157 | 121 | def ecdsa_sha2_nistp256 | ||
158 | 122 | diff --git a/test/integration/test_agent.rb b/test/integration/test_agent.rb | ||
159 | 123 | index 4045c9a..e7db62c 100644 | ||
160 | 124 | --- a/test/integration/test_agent.rb | ||
161 | 125 | +++ b/test/integration/test_agent.rb | ||
162 | 126 | @@ -19,7 +19,7 @@ class TestAgent < NetSSHTest | ||
163 | 127 | def setup | ||
164 | 128 | @keys = [ | ||
165 | 129 | OpenSSL::PKey::RSA.new(1024), | ||
166 | 130 | - OpenSSL::PKey::DSA.new(512), | ||
167 | 131 | + OpenSSL::PKey::DSA.new(1024), | ||
168 | 132 | OpenSSL::PKey::EC.new("prime256v1").generate_key | ||
169 | 133 | ] | ||
170 | 134 | @keys << Net::SSH::Authentication::ED25519::PrivKey.read(ED25519, nil) if Net::SSH::Authentication::ED25519Loader::LOADED | ||
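Review bot: patch line 132 leaves `OpenSSL::PKey::EC.new("prime256v1").generate_key` in test/integration/test_agent.rb as unchanged context, and the file list of 0007, which migrates that pattern to `OpenSSL::PKey::EC.generate` because it is not supported with OpenSSL 3.0, does not include this file. If the integration tests are expected to run against OpenSSL 3, this call needs the same migration; if they are not run for the package, a line in the patch description saying so would help.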
171 | diff --git a/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch | |||
172 | 0 | new file mode 100644 | 135 | new file mode 100644 |
173 | index 0000000..2a5f342 | |||
174 | --- /dev/null | |||
175 | +++ b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch | |||
176 | @@ -0,0 +1,68 @@ | |||
177 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
178 | 2 | Date: Wed, 6 Apr 2022 18:43:57 +0200 | ||
179 | 3 | Subject: tests: Enable legacy providers if using OpenSSL 3.0 | ||
180 | 4 | |||
181 | 5 | Quite a few tests rely on outdated algorithms that have been relegated | ||
182 | 6 | to the legacy provider in OpenSSL 3.0. `rake test` now loads a custom | ||
183 | 7 | OpenSSL configuration file to enable said legacy provider, which is | ||
184 | 8 | usually disabled by default. | ||
185 | 9 | --- | ||
186 | 10 | Rakefile | 6 ++++++ | ||
187 | 11 | test/openssl3.conf | 25 +++++++++++++++++++++++++ | ||
188 | 12 | 2 files changed, 31 insertions(+) | ||
189 | 13 | create mode 100644 test/openssl3.conf | ||
190 | 14 | |||
191 | 15 | Origin: upstream, https://github.com/net-ssh/net-ssh/commit/e4ffdc07b1f0f | ||
192 | 16 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
193 | 17 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
194 | 18 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
195 | 19 | Last-Updated: 2022-05-09 | ||
196 | 20 | |||
197 | 21 | diff --git a/Rakefile b/Rakefile | ||
198 | 22 | index 0271797..3720209 100644 | ||
199 | 23 | --- a/Rakefile | ||
200 | 24 | +++ b/Rakefile | ||
201 | 25 | @@ -94,6 +94,12 @@ Rake::TestTask.new do |t| | ||
202 | 26 | t.test_files = test_files | ||
203 | 27 | end | ||
204 | 28 | |||
205 | 29 | +# We need to enable the OpenSSL 3.0 legacy providers for our test suite | ||
206 | 30 | +require 'openssl' | ||
207 | 31 | +if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" then | ||
208 | 32 | + ENV['OPENSSL_CONF'] = 'test/openssl3.conf' | ||
209 | 33 | +end | ||
210 | 34 | + | ||
211 | 35 | desc "Run tests of Net::SSH:Test" | ||
212 | 36 | Rake::TestTask.new do |t| | ||
213 | 37 | t.name = "test_test" | ||
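Review bot: `ENV['OPENSSL_CONF'] = 'test/openssl3.conf'` on patch line 32 sits at the top level of the Rakefile, so it is set for every rake task and inherited by everything rake spawns, not only the test tasks, and it replaces any OPENSSL_CONF the caller had exported. Suggest limiting the assignment to the test tasks and mentioning in the comment on line 29 that a caller-supplied OPENSSL_CONF is overridden.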
214 | 38 | diff --git a/test/openssl3.conf b/test/openssl3.conf | ||
215 | 39 | new file mode 100644 | ||
216 | 40 | index 0000000..79bae9a | ||
217 | 41 | --- /dev/null | ||
218 | 42 | +++ b/test/openssl3.conf | ||
219 | 43 | @@ -0,0 +1,25 @@ | ||
220 | 44 | +openssl_conf = openssl_init | ||
221 | 45 | + | ||
222 | 46 | +[openssl_init] | ||
223 | 47 | +ssl_conf = ssl_sect | ||
224 | 48 | +providers = provider_sect | ||
225 | 49 | + | ||
226 | 50 | +[provider_sect] | ||
227 | 51 | +default = default_sect | ||
228 | 52 | +legacy = legacy_sect | ||
229 | 53 | + | ||
230 | 54 | +[default_sect] | ||
231 | 55 | +activate = 1 | ||
232 | 56 | + | ||
233 | 57 | +[legacy_sect] | ||
234 | 58 | +activate = 1 | ||
235 | 59 | + | ||
236 | 60 | +[ssl_sect] | ||
237 | 61 | +system_default = system_default_sect | ||
238 | 62 | + | ||
239 | 63 | +[system_default_sect] | ||
240 | 64 | +CipherString = DEFAULT@SECLEVEL=0 | ||
241 | 65 | +# system_default = system_default_sect | ||
242 | 66 | +# | ||
243 | 67 | +# [system_default_sect] | ||
244 | 68 | +# Options = UnsafeLegacyRenegotiation | ||
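Review bot: besides activating the legacy provider, patch line 64 sets `CipherString = DEFAULT@SECLEVEL=0`, which drops the TLS security level to its most permissive setting for anything that loads this file; the patch description mentions only the legacy provider. Say in the description that the security level is lowered too, keep the file referenced only from the test tasks, and drop the commented-out block on lines 65 to 68, which repeats `system_default` and carries an unused `UnsafeLegacyRenegotiation` option.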
245 | diff --git a/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch | |||
246 | 0 | new file mode 100644 | 69 | new file mode 100644 |
247 | index 0000000..328ee32 | |||
248 | --- /dev/null | |||
249 | +++ b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch | |||
250 | @@ -0,0 +1,103 @@ | |||
251 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
252 | 2 | Date: Fri, 8 Apr 2022 09:32:24 +0200 | ||
253 | 3 | Subject: buffer: create RSA keys by loading PEM data directly | ||
254 | 4 | |||
255 | 5 | The OpenSSL 3.0 changes don't allow for us to modify the private key | ||
256 | 6 | details directly, and there are no dedicated constructors as of Ruby | ||
257 | 7 | 3.0, so we need to actually create a PEM certificate in-memory and load | ||
258 | 8 | that instead. | ||
259 | 9 | |||
260 | 10 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
261 | 11 | --- | ||
262 | 12 | lib/net/ssh/buffer.rb | 18 +++++++++--------- | ||
263 | 13 | test/test_buffer.rb | 16 +++++++++------- | ||
264 | 14 | test/test_known_hosts.rb | 15 +++++++-------- | ||
265 | 15 | 3 files changed, 25 insertions(+), 24 deletions(-) | ||
266 | 16 | |||
267 | 17 | Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852cab | ||
268 | 18 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
269 | 19 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
270 | 20 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
271 | 21 | Last-Updated: 2022-05-09 | ||
272 | 22 | |||
273 | 23 | diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb | ||
274 | 24 | index 0fe4e56..0384299 100644 | ||
275 | 25 | --- a/lib/net/ssh/buffer.rb | ||
276 | 26 | +++ b/lib/net/ssh/buffer.rb | ||
277 | 27 | @@ -309,15 +309,15 @@ module Net | ||
278 | 28 | key.pub_key = read_bignum | ||
279 | 29 | end | ||
280 | 30 | when /^ssh-rsa$/ | ||
281 | 31 | - key = OpenSSL::PKey::RSA.new | ||
282 | 32 | - if key.respond_to?(:set_key) | ||
283 | 33 | - e = read_bignum | ||
284 | 34 | - n = read_bignum | ||
285 | 35 | - key.set_key(n, e, nil) | ||
286 | 36 | - else | ||
287 | 37 | - key.e = read_bignum | ||
288 | 38 | - key.n = read_bignum | ||
289 | 39 | - end | ||
290 | 40 | + e = read_bignum | ||
291 | 41 | + n = read_bignum | ||
292 | 42 | + | ||
293 | 43 | + asn1 = OpenSSL::ASN1::Sequence([ | ||
294 | 44 | + OpenSSL::ASN1::Integer(n), | ||
295 | 45 | + OpenSSL::ASN1::Integer(e) | ||
296 | 46 | + ]) | ||
297 | 47 | + | ||
298 | 48 | + key = OpenSSL::PKey::RSA.new(asn1.to_der) | ||
299 | 49 | when /^ssh-ed25519$/ | ||
300 | 50 | Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'") | ||
301 | 51 | key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self) | ||
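Review bot: the description on patch lines 5 to 8 says the code creates a PEM certificate in memory, but lines 43 to 48 build a two-integer ASN.1 SEQUENCE and pass `asn1.to_der` to `OpenSSL::PKey::RSA.new`, which is DER and a bare public key, not PEM and not a certificate. Suggest correcting the wording, and adding a short code comment that the blob is read as e then n while the sequence is written as n then e, since that order swap is easy to break in a later edit.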
302 | 52 | diff --git a/test/test_buffer.rb b/test/test_buffer.rb | ||
303 | 53 | index e1fcbd2..b74e2f1 100644 | ||
304 | 54 | --- a/test/test_buffer.rb | ||
305 | 55 | +++ b/test/test_buffer.rb | ||
306 | 56 | @@ -336,13 +336,15 @@ class TestBuffer < NetSSHTest | ||
307 | 57 | def test_write_rsa_key_should_write_argument_to_end_of_buffer | ||
308 | 58 | buffer = new("start") | ||
309 | 59 | |||
310 | 60 | - key = OpenSSL::PKey::RSA.new | ||
311 | 61 | - if key.respond_to?(:set_key) | ||
312 | 62 | - key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) | ||
313 | 63 | - else | ||
314 | 64 | - key.e = 0xffeeddccbbaa9988 | ||
315 | 65 | - key.n = 0x7766554433221100 | ||
316 | 66 | - end | ||
317 | 67 | + n = 0x7766554433221100 | ||
318 | 68 | + e = 0xffeeddccbbaa9988 | ||
319 | 69 | + | ||
320 | 70 | + asn1 = OpenSSL::ASN1::Sequence([ | ||
321 | 71 | + OpenSSL::ASN1::Integer(n), | ||
322 | 72 | + OpenSSL::ASN1::Integer(e) | ||
323 | 73 | + ]) | ||
324 | 74 | + | ||
325 | 75 | + key = OpenSSL::PKey::RSA.new(asn1.to_der) | ||
326 | 76 | |||
327 | 77 | buffer.write_key(key) | ||
328 | 78 | assert_equal "start\0\0\0\7ssh-rsa\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00", buffer.to_s | ||
329 | 79 | diff --git a/test/test_known_hosts.rb b/test/test_known_hosts.rb | ||
330 | 80 | index 6b1fda6..187f6ac 100644 | ||
331 | 81 | --- a/test/test_known_hosts.rb | ||
332 | 82 | +++ b/test/test_known_hosts.rb | ||
333 | 83 | @@ -132,13 +132,12 @@ class TestKnownHosts < NetSSHTest | ||
334 | 84 | end | ||
335 | 85 | |||
336 | 86 | def rsa_key | ||
337 | 87 | - key = OpenSSL::PKey::RSA.new | ||
338 | 88 | - if key.respond_to?(:set_key) | ||
339 | 89 | - key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil) | ||
340 | 90 | - else | ||
341 | 91 | - key.e = 0xffeeddccbbaa9988 | ||
342 | 92 | - key.n = 0x7766554433221100 | ||
343 | 93 | - end | ||
344 | 94 | - key | ||
345 | 95 | + n = 0x7766554433221100 | ||
346 | 96 | + e = 0xffeeddccbbaa9988 | ||
347 | 97 | + asn1 = OpenSSL::ASN1::Sequence([ | ||
348 | 98 | + OpenSSL::ASN1::Integer(n), | ||
349 | 99 | + OpenSSL::ASN1::Integer(e) | ||
350 | 100 | + ]) | ||
351 | 101 | + OpenSSL::PKey::RSA.new(asn1.to_der) | ||
352 | 102 | end | ||
353 | 103 | end | ||
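Review bot: the same sequence of n, e, `OpenSSL::ASN1::Sequence` and `OpenSSL::PKey::RSA.new(asn1.to_der)` is written out here and again in test/test_buffer.rb with the identical constants. A small shared test helper would keep the fixed test key (0x7766554433221100, 0xffeeddccbbaa9988) in one place.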
354 | diff --git a/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch | |||
355 | 0 | new file mode 100644 | 104 | new file mode 100644 |
356 | index 0000000..c29b87c | |||
357 | --- /dev/null | |||
358 | +++ b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch | |||
359 | @@ -0,0 +1,106 @@ | |||
360 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
361 | 2 | Date: Fri, 8 Apr 2022 09:32:24 +0200 | ||
362 | 3 | Subject: buffer: create DSA keys by loading PEM data directly | ||
363 | 4 | |||
364 | 5 | The OpenSSL 3.0 changes don't allow for us to modify the private key | ||
365 | 6 | details directly, and there are no dedicated constructors as of Ruby | ||
366 | 7 | 3.0, so we need to actually create a PEM certificate in-memory and load | ||
367 | 8 | that instead. | ||
368 | 9 | |||
369 | 10 | To add insult to injury, contrary to other types of keys such as RSA, we | ||
370 | 11 | need to actually build the full PEM data and not just pack the numbers | ||
371 | 12 | in a simple sequence, making the code even a bit more complicated. | ||
372 | 13 | |||
373 | 14 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
374 | 15 | --- | ||
375 | 16 | lib/net/ssh/buffer.rb | 31 ++++++++++++++++++------------- | ||
376 | 17 | test/test_buffer.rb | 28 ++++++++++++++++++---------- | ||
377 | 18 | 2 files changed, 36 insertions(+), 23 deletions(-) | ||
378 | 19 | |||
379 | 20 | Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852 | ||
380 | 21 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
381 | 22 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
382 | 23 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
383 | 24 | Last-Updated: 2022-05-09 | ||
384 | 25 | |||
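Review bot: the Origin field on patch line 20 points at upstream commit 406063de2852, the same commit that 0004 gives as its Origin (406063de2852cab) for the RSA change. Please check that this is the right commit for the DSA change; if one upstream commit was split into two patches here, the header should say so.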
385 | 26 | diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb | ||
386 | 27 | index 0384299..5a7dff0 100644 | ||
387 | 28 | --- a/lib/net/ssh/buffer.rb | ||
388 | 29 | +++ b/lib/net/ssh/buffer.rb | ||
389 | 30 | @@ -295,19 +295,24 @@ module Net | ||
390 | 31 | when /^(.*)-cert-v01@openssh\.com$/ | ||
391 | 32 | key = Net::SSH::Authentication::Certificate.read_certblob(self, $1) | ||
392 | 33 | when /^ssh-dss$/ | ||
393 | 34 | - key = OpenSSL::PKey::DSA.new | ||
394 | 35 | - if key.respond_to?(:set_pqg) | ||
395 | 36 | - key.set_pqg(read_bignum, read_bignum, read_bignum) | ||
396 | 37 | - else | ||
397 | 38 | - key.p = read_bignum | ||
398 | 39 | - key.q = read_bignum | ||
399 | 40 | - key.g = read_bignum | ||
400 | 41 | - end | ||
401 | 42 | - if key.respond_to?(:set_key) | ||
402 | 43 | - key.set_key(read_bignum, nil) | ||
403 | 44 | - else | ||
404 | 45 | - key.pub_key = read_bignum | ||
405 | 46 | - end | ||
406 | 47 | + p = read_bignum | ||
407 | 48 | + q = read_bignum | ||
408 | 49 | + g = read_bignum | ||
409 | 50 | + pub_key = read_bignum | ||
410 | 51 | + | ||
411 | 52 | + asn1 = OpenSSL::ASN1::Sequence.new([ | ||
412 | 53 | + OpenSSL::ASN1::Sequence.new([ | ||
413 | 54 | + OpenSSL::ASN1::ObjectId.new('DSA'), | ||
414 | 55 | + OpenSSL::ASN1::Sequence.new([ | ||
415 | 56 | + OpenSSL::ASN1::Integer.new(p), | ||
416 | 57 | + OpenSSL::ASN1::Integer.new(q), | ||
417 | 58 | + OpenSSL::ASN1::Integer.new(g) | ||
418 | 59 | + ]), | ||
419 | 60 | + ]), | ||
420 | 61 | + OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) | ||
421 | 62 | + ]) | ||
422 | 63 | + | ||
423 | 64 | + key = OpenSSL::PKey::DSA.new(asn1.to_der) | ||
424 | 65 | when /^ssh-rsa$/ | ||
425 | 66 | e = read_bignum | ||
426 | 67 | n = read_bignum | ||
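Review bot: lines 52 to 62 spell the ASN.1 constructors as `OpenSSL::ASN1::Sequence.new(...)` and `OpenSSL::ASN1::Integer.new(...)`, while 0004 and 0006 use the `OpenSSL::ASN1::Sequence(...)` shorthand for the same purpose; pick one form across the series. The local named `p` on line 47 also shadows `Kernel#p` inside this branch, so a name such as `dsa_p` would be safer, and a one-line comment naming the structure (algorithm identifier with p, q, g, then the public key as a bit string) would make the nesting readable.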
427 | 68 | diff --git a/test/test_buffer.rb b/test/test_buffer.rb | ||
428 | 69 | index b74e2f1..f75a729 100644 | ||
429 | 70 | --- a/test/test_buffer.rb | ||
430 | 71 | +++ b/test/test_buffer.rb | ||
431 | 72 | @@ -318,16 +318,24 @@ class TestBuffer < NetSSHTest | ||
432 | 73 | def test_write_dss_key_should_write_argument_to_end_of_buffer | ||
433 | 74 | buffer = new("start") | ||
434 | 75 | |||
435 | 76 | - key = OpenSSL::PKey::DSA.new | ||
436 | 77 | - if key.respond_to?(:set_pqg) | ||
437 | 78 | - key.set_pqg(0xffeeddccbbaa9988, 0x7766554433221100, 0xffddbb9977553311) | ||
438 | 79 | - key.set_key(0xeeccaa8866442200, nil) | ||
439 | 80 | - else | ||
440 | 81 | - key.p = 0xffeeddccbbaa9988 | ||
441 | 82 | - key.q = 0x7766554433221100 | ||
442 | 83 | - key.g = 0xffddbb9977553311 | ||
443 | 84 | - key.pub_key = 0xeeccaa8866442200 | ||
444 | 85 | - end | ||
445 | 86 | + p = 0xffeeddccbbaa9988 | ||
446 | 87 | + q = 0x7766554433221100 | ||
447 | 88 | + g = 0xffddbb9977553311 | ||
448 | 89 | + pub_key = 0xeeccaa8866442200 | ||
449 | 90 | + | ||
450 | 91 | + asn1 = OpenSSL::ASN1::Sequence.new([ | ||
451 | 92 | + OpenSSL::ASN1::Sequence.new([ | ||
452 | 93 | + OpenSSL::ASN1::ObjectId.new('DSA'), | ||
453 | 94 | + OpenSSL::ASN1::Sequence.new([ | ||
454 | 95 | + OpenSSL::ASN1::Integer.new(p), | ||
455 | 96 | + OpenSSL::ASN1::Integer.new(q), | ||
456 | 97 | + OpenSSL::ASN1::Integer.new(g) | ||
457 | 98 | + ]), | ||
458 | 99 | + ]), | ||
459 | 100 | + OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der) | ||
460 | 101 | + ]) | ||
461 | 102 | + | ||
462 | 103 | + key = OpenSSL::PKey::DSA.new(asn1.to_der) | ||
463 | 104 | |||
464 | 105 | buffer.write_key(key) | ||
465 | 106 | assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s | ||
466 | diff --git a/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch | |||
467 | 0 | new file mode 100644 | 107 | new file mode 100644 |
468 | index 0000000..438cdba | |||
469 | --- /dev/null | |||
470 | +++ b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch | |||
471 | @@ -0,0 +1,46 @@ | |||
472 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
473 | 2 | Date: Fri, 8 Apr 2022 09:32:24 +0200 | ||
474 | 3 | Subject: transport: create EC keys by loading PEM data directly | ||
475 | 4 | |||
476 | 5 | The OpenSSL 3.0 changes don't allow for us to modify the private key | ||
477 | 6 | details directly, and there are no dedicated constructors as of Ruby | ||
478 | 7 | 3.0, so we need to actually create a PEM certificate in-memory and load | ||
479 | 8 | that instead. | ||
480 | 9 | |||
481 | 10 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
482 | 11 | --- | ||
483 | 12 | lib/net/ssh/transport/openssl.rb | 14 +++++++++++--- | ||
484 | 13 | 1 file changed, 11 insertions(+), 3 deletions(-) | ||
485 | 14 | |||
486 | 15 | Origin: upstream, https://github.com/net-ssh/net-ssh/commit/4de6831dea | ||
487 | 16 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
488 | 17 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
489 | 18 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
490 | 19 | Last-Updated: 2022-05-09 | ||
491 | 20 | |||
492 | 21 | diff --git a/lib/net/ssh/transport/openssl.rb b/lib/net/ssh/transport/openssl.rb | ||
493 | 22 | index 0581dd5..c5ff2fb 100644 | ||
494 | 23 | --- a/lib/net/ssh/transport/openssl.rb | ||
495 | 24 | +++ b/lib/net/ssh/transport/openssl.rb | ||
496 | 25 | @@ -147,10 +147,18 @@ module OpenSSL | ||
497 | 26 | |||
498 | 27 | public_key_oct = buffer.read_string | ||
499 | 28 | begin | ||
500 | 29 | - key = OpenSSL::PKey::EC.new(OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key]) | ||
501 | 30 | - group = key.group | ||
502 | 31 | + curvename = OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key] | ||
503 | 32 | + group = OpenSSL::PKey::EC::Group.new(curvename) | ||
504 | 33 | point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_oct, 2)) | ||
505 | 34 | - key.public_key = point | ||
506 | 35 | + asn1 = OpenSSL::ASN1::Sequence([ | ||
507 | 36 | + OpenSSL::ASN1::Sequence([ | ||
508 | 37 | + OpenSSL::ASN1::ObjectId("id-ecPublicKey"), | ||
509 | 38 | + OpenSSL::ASN1::ObjectId(curvename) | ||
510 | 39 | + ]), | ||
511 | 40 | + OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed)) | ||
512 | 41 | + ]) | ||
513 | 42 | + | ||
514 | 43 | + key = OpenSSL::PKey::EC.new(asn1.to_der) | ||
515 | 44 | |||
516 | 45 | return key | ||
517 | 46 | rescue OpenSSL::PKey::ECError | ||
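Review bot: 0006 changes only lib/net/ssh/transport/openssl.rb (1 file changed) and adds no test, unlike 0004 and 0005, although this path parses a public key taken from the buffer. Please add a test that reads an ecdsa-sha2 key blob back through this code, plus one with a malformed `public_key_oct`, to confirm that failures from `Group.new`, `Point.new` and the new `OpenSSL::PKey::EC.new(asn1.to_der)` all still end in the `rescue OpenSSL::PKey::ECError` on line 46.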
518 | diff --git a/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch | |||
519 | 0 | new file mode 100644 | 47 | new file mode 100644 |
520 | index 0000000..93a87c0 | |||
521 | --- /dev/null | |||
522 | +++ b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch | |||
523 | @@ -0,0 +1,147 @@ | |||
524 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
525 | 2 | Date: Mon, 11 Apr 2022 16:25:39 +0200 | ||
526 | 3 | Subject: Use OpenSSL::PKey::EC.generate static method | ||
527 | 4 | |||
528 | 5 | Migrate all instances of the pattern EC.new(foo).generate_key to | ||
529 | 6 | EC.generate(foo), as the old pattern isn't supported when using OpenSSL | ||
530 | 7 | 3.0, since one is not allowed to mess with the internal data of already | ||
531 | 8 | created objects now. | ||
532 | 9 | |||
533 | 10 | The new API has been introduced in Ruby 2.4. | ||
534 | 11 | |||
535 | 12 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
536 | 13 | --- | ||
537 | 14 | lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | 2 +- | ||
538 | 15 | test/authentication/test_agent.rb | 4 ++-- | ||
539 | 16 | test/authentication/test_key_manager.rb | 6 +++--- | ||
540 | 17 | test/test_buffer.rb | 6 +++--- | ||
541 | 18 | test/transport/kex/test_curve25519_sha256.rb | 2 +- | ||
542 | 19 | test/transport/kex/test_ecdh_sha2_nistp256.rb | 4 ++-- | ||
543 | 20 | 6 files changed, 12 insertions(+), 12 deletions(-) | ||
544 | 21 | |||
545 | 22 | Origin: backport, https://github.com/net-ssh/net-ssh/commit/8729d47045b | ||
546 | 23 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
547 | 24 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
548 | 25 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
549 | 26 | Last-Updated: 2022-05-09 | ||
550 | 27 | |||
551 | 28 | diff --git a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | ||
552 | 29 | index 84d0e4a..a0b2d73 100644 | ||
553 | 30 | --- a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | ||
554 | 31 | +++ b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | ||
555 | 32 | @@ -18,7 +18,7 @@ module Net | ||
556 | 33 | private | ||
557 | 34 | |||
558 | 35 | def generate_key #:nodoc: | ||
559 | 36 | - OpenSSL::PKey::EC.new(curve_name).generate_key | ||
560 | 37 | + OpenSSL::PKey::EC.generate(curve_name) | ||
561 | 38 | end | ||
562 | 39 | |||
563 | 40 | # compute shared secret from server's public key and client's private key | ||
564 | 41 | diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb | ||
565 | 42 | index 42cc215..253317f 100644 | ||
566 | 43 | --- a/test/authentication/test_agent.rb | ||
567 | 44 | +++ b/test/authentication/test_agent.rb | ||
568 | 45 | @@ -286,7 +286,7 @@ module Authentication | ||
569 | 46 | end | ||
570 | 47 | |||
571 | 48 | def test_add_ecdsa_identity | ||
572 | 49 | - ecdsa = OpenSSL::PKey::EC.new("prime256v1").generate_key | ||
573 | 50 | + ecdsa = OpenSSL::PKey::EC.generate("prime256v1") | ||
574 | 51 | socket.expect do |s,type,buffer| | ||
575 | 52 | assert_equal SSH2_AGENT_ADD_IDENTITY, type | ||
576 | 53 | assert_equal buffer.read_string, "ecdsa-sha2-nistp256" | ||
577 | 54 | @@ -303,7 +303,7 @@ module Authentication | ||
578 | 55 | end | ||
579 | 56 | |||
580 | 57 | def test_add_ecdsa_cert_identity | ||
581 | 58 | - cert = make_cert(OpenSSL::PKey::EC.new("prime256v1").generate_key) | ||
582 | 59 | + cert = make_cert(OpenSSL::PKey::EC.generate("prime256v1")) | ||
583 | 60 | socket.expect do |s,type,buffer| | ||
584 | 61 | assert_equal SSH2_AGENT_ADD_IDENTITY, type | ||
585 | 62 | assert_equal buffer.read_string, "ecdsa-sha2-nistp256-cert-v01@openssh.com" | ||
586 | 63 | diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb | ||
587 | 64 | index 5f38d73..06a4594 100644 | ||
588 | 65 | --- a/test/authentication/test_key_manager.rb | ||
589 | 66 | +++ b/test/authentication/test_key_manager.rb | ||
590 | 67 | @@ -331,15 +331,15 @@ module Authentication | ||
591 | 68 | end | ||
592 | 69 | |||
593 | 70 | def ecdsa_sha2_nistp256 | ||
594 | 71 | - @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.new('prime256v1').generate_key | ||
595 | 72 | + @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.generate('prime256v1') | ||
596 | 73 | end | ||
597 | 74 | |||
598 | 75 | def ecdsa_sha2_nistp384 | ||
599 | 76 | - @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.new('secp384r1').generate_key | ||
600 | 77 | + @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.generate('secp384r1') | ||
601 | 78 | end | ||
602 | 79 | |||
603 | 80 | def ecdsa_sha2_nistp521 | ||
604 | 81 | - @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.new('secp521r1').generate_key | ||
605 | 82 | + @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.generate('secp521r1') | ||
606 | 83 | end | ||
607 | 84 | |||
608 | 85 | def rsa_pk | ||
609 | 86 | diff --git a/test/test_buffer.rb b/test/test_buffer.rb | ||
610 | 87 | index f75a729..57b98e5 100644 | ||
611 | 88 | --- a/test/test_buffer.rb | ||
612 | 89 | +++ b/test/test_buffer.rb | ||
613 | 90 | @@ -456,7 +456,7 @@ class TestBuffer < NetSSHTest | ||
614 | 91 | end | ||
615 | 92 | |||
616 | 93 | def random_ecdsa_sha2_nistp256 | ||
617 | 94 | - k = OpenSSL::PKey::EC.new('prime256v1').generate_key | ||
618 | 95 | + k = OpenSSL::PKey::EC.generate('prime256v1') | ||
619 | 96 | buffer = Net::SSH::Buffer.from(:string, 'nistp256', | ||
620 | 97 | :string, k.public_key.to_bn.to_s(2)) | ||
621 | 98 | key = yield(buffer) | ||
622 | 99 | @@ -465,7 +465,7 @@ class TestBuffer < NetSSHTest | ||
623 | 100 | end | ||
624 | 101 | |||
625 | 102 | def random_ecdsa_sha2_nistp384 | ||
626 | 103 | - k = OpenSSL::PKey::EC.new('secp384r1').generate_key | ||
627 | 104 | + k = OpenSSL::PKey::EC.generate('secp384r1') | ||
628 | 105 | buffer = Net::SSH::Buffer.from(:string, 'nistp384', | ||
629 | 106 | :string, k.public_key.to_bn.to_s(2)) | ||
630 | 107 | key = yield(buffer) | ||
631 | 108 | @@ -474,7 +474,7 @@ class TestBuffer < NetSSHTest | ||
632 | 109 | end | ||
633 | 110 | |||
634 | 111 | def random_ecdsa_sha2_nistp521 | ||
635 | 112 | - k = OpenSSL::PKey::EC.new('secp521r1').generate_key | ||
636 | 113 | + k = OpenSSL::PKey::EC.generate('secp521r1') | ||
637 | 114 | buffer = Net::SSH::Buffer.from(:string, 'nistp521', | ||
638 | 115 | :string, k.public_key.to_bn.to_s(2)) | ||
639 | 116 | key = yield(buffer) | ||
640 | 117 | diff --git a/test/transport/kex/test_curve25519_sha256.rb b/test/transport/kex/test_curve25519_sha256.rb | ||
641 | 118 | index 8177a38..d990019 100644 | ||
642 | 119 | --- a/test/transport/kex/test_curve25519_sha256.rb | ||
643 | 120 | +++ b/test/transport/kex/test_curve25519_sha256.rb | ||
644 | 121 | @@ -111,7 +111,7 @@ unless ENV['NET_SSH_NO_ED25519'] | ||
645 | 122 | end | ||
646 | 123 | |||
647 | 124 | def server_host_key | ||
648 | 125 | - @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key | ||
649 | 126 | + @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') | ||
650 | 127 | end | ||
651 | 128 | |||
652 | 129 | def packet_data | ||
653 | 130 | diff --git a/test/transport/kex/test_ecdh_sha2_nistp256.rb b/test/transport/kex/test_ecdh_sha2_nistp256.rb | ||
654 | 131 | index 932d8d7..a2ed6b4 100644 | ||
655 | 132 | --- a/test/transport/kex/test_ecdh_sha2_nistp256.rb | ||
656 | 133 | +++ b/test/transport/kex/test_ecdh_sha2_nistp256.rb | ||
657 | 134 | @@ -109,11 +109,11 @@ module Transport | ||
658 | 135 | end | ||
659 | 136 | |||
660 | 137 | def server_key | ||
661 | 138 | - @server_key ||= OpenSSL::PKey::EC.new(ecparam).generate_key | ||
662 | 139 | + @server_key ||= OpenSSL::PKey::EC.generate(ecparam) | ||
663 | 140 | end | ||
664 | 141 | |||
665 | 142 | def server_host_key | ||
666 | 143 | - @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key | ||
667 | 144 | + @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1') | ||
668 | 145 | end | ||
669 | 146 | |||
670 | 147 | def packet_data | ||
671 | diff --git a/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch | |||
672 | 0 | new file mode 100644 | 148 | new file mode 100644 |
673 | index 0000000..623e2e6 | |||
674 | --- /dev/null | |||
675 | +++ b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch | |||
676 | @@ -0,0 +1,70 @@ | |||
677 | 1 | From: Simon Chopin <simon.chopin@canonical.com> | ||
678 | 2 | Date: Mon, 11 Apr 2022 16:04:08 +0200 | ||
679 | 3 | Subject: diffie-hellman: create the key by generating the PEM file | ||
680 | 4 | |||
681 | 5 | This makes the code compatible with OpenSSL 3.0. However, an issue with | ||
682 | 6 | this is that it is not possible anymore to ensure a specific size for | ||
683 | 7 | the private key, as indicated in the inline comment. | ||
684 | 8 | |||
685 | 9 | v2: avoid PKey.generate_key on older releases (< 2.7) | ||
686 | 10 | |||
687 | 11 | Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com> | ||
688 | 12 | --- | ||
689 | 13 | .../transport/kex/diffie_hellman_group1_sha1.rb | 36 +++++++++++----------- | ||
690 | 14 | 1 file changed, 18 insertions(+), 18 deletions(-) | ||
691 | 15 | |||
692 | 16 | Origin: backport, https://github.com/net-ssh/net-ssh/commit/8929562bec | ||
693 | 17 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
694 | 18 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
695 | 19 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
696 | 20 | Last-Updated: 2022-05-09 | ||
697 | 21 | |||
698 | 22 | diff --git a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb | ||
699 | 23 | index 34af18b..a78b5d5 100644 | ||
700 | 24 | --- a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb | ||
701 | 25 | +++ b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb | ||
702 | 26 | @@ -59,26 +59,26 @@ module Net | ||
703 | 27 | |||
704 | 28 | # Generate a DH key with a private key consisting of the given | ||
705 | 29 | # number of bytes. | ||
706 | 30 | - def generate_key #:nodoc: | ||
707 | 31 | - dh = OpenSSL::PKey::DH.new | ||
708 | 32 | - | ||
709 | 33 | - if dh.respond_to?(:set_pqg) | ||
710 | 34 | - p, g = get_parameters | ||
711 | 35 | - dh.set_pqg(p, nil, g) | ||
712 | 36 | + def generate_key # :nodoc: | ||
713 | 37 | + p, g = get_parameters | ||
714 | 38 | + | ||
715 | 39 | + asn1 = OpenSSL::ASN1::Sequence( | ||
716 | 40 | + [ | ||
717 | 41 | + OpenSSL::ASN1::Integer(p), | ||
718 | 42 | + OpenSSL::ASN1::Integer(g) | ||
719 | 43 | + ] | ||
720 | 44 | + ) | ||
721 | 45 | + | ||
722 | 46 | + dh_params = OpenSSL::PKey::DH.new(asn1.to_der) | ||
723 | 47 | + # XXX No private key size check! In theory the latter call should work but fails on OpenSSL 3.0 as | ||
724 | 48 | + # dh_paramgen_subprime_len is now reserved for DHX algorithm | ||
725 | 49 | + # key = OpenSSL::PKey.generate_key(dh_params, "dh_paramgen_subprime_len" => data[:need_bytes]/8) | ||
726 | 50 | + if OpenSSL::PKey.respond_to?(:generate_key) | ||
727 | 51 | + OpenSSL::PKey.generate_key(dh_params) | ||
728 | 52 | else | ||
729 | 53 | - dh.p, dh.g = get_parameters | ||
730 | 54 | - end | ||
731 | 55 | - | ||
732 | 56 | - dh.generate_key! | ||
733 | 57 | - until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes] | ||
734 | 58 | - if dh.respond_to?(:set_key) | ||
735 | 59 | - dh.set_key(nil, OpenSSL::BN.rand(data[:need_bytes] * 8)) | ||
736 | 60 | - else | ||
737 | 61 | - dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8) | ||
738 | 62 | - end | ||
739 | 63 | - dh.generate_key! | ||
740 | 64 | + dh_params.generate_key! | ||
741 | 65 | + dh_params | ||
742 | 66 | end | ||
743 | 67 | - dh | ||
744 | 68 | end | ||
745 | 69 | |||
746 | 70 | # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the | ||
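Review bot: the rewritten `generate_key` drops both the `dh.valid?` test and the `dh.priv_key.num_bytes == data[:need_bytes]` loop, yet the doc comment kept as context above it still reads "Generate a DH key with a private key consisting of the given number of bytes". Update that comment to say the private key length is no longer enforced, so callers do not assume `data[:need_bytes]` is honoured, and say in the XXX note whether the validity check was dropped on purpose. Separately, the commented-out call passes `data[:need_bytes]/8`, whereas the removed code converted bytes to bits with `data[:need_bytes] * 8`; if that line is ever revived, the unit needs rechecking.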
747 | diff --git a/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch | |||
748 | 0 | new file mode 100644 | 71 | new file mode 100644 |
749 | index 0000000..4e393ca | |||
750 | --- /dev/null | |||
751 | +++ b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch | |||
752 | @@ -0,0 +1,65 @@ | |||
753 | 1 | From: Florian Wininger <fw.centrale@gmail.com> | ||
754 | 2 | Date: Fri, 29 Apr 2022 14:19:55 +0200 | ||
755 | 3 | Subject: Fix unit tests for OpenSSL 3 | ||
756 | 4 | |||
757 | 5 | --- | ||
758 | 6 | test/common.rb | 12 ++++++++++++ | ||
759 | 7 | test/transport/kex/test_diffie_hellman_group1_sha1.rb | 2 +- | ||
760 | 8 | test/transport/test_algorithms.rb | 2 +- | ||
761 | 9 | 3 files changed, 14 insertions(+), 2 deletions(-) | ||
762 | 10 | |||
763 | 11 | Origin: upstream, https://github.com/net-ssh/net-ssh/commit/395f0cd4029c | ||
764 | 12 | Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843 | ||
765 | 13 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025 | ||
766 | 14 | Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com> | ||
767 | 15 | Last-Updated: 2022-05-09 | ||
768 | 16 | |||
769 | 17 | diff --git a/test/common.rb b/test/common.rb | ||
770 | 18 | index 8ae521c..db97d60 100644 | ||
771 | 19 | --- a/test/common.rb | ||
772 | 20 | +++ b/test/common.rb | ||
773 | 21 | @@ -46,6 +46,18 @@ def P(*args) | ||
774 | 22 | Net::SSH::Packet.new(Net::SSH::Buffer.from(*args)) | ||
775 | 23 | end | ||
776 | 24 | |||
777 | 25 | +# DH key generate with OpenSSL::PKey::DH.new(512).to_pem | ||
778 | 26 | +def dh_512bits_bn | ||
779 | 27 | + OpenSSL::PKey::DH.new( | ||
780 | 28 | + <<~DH_KEY | ||
781 | 29 | + -----BEGIN DH PARAMETERS----- | ||
782 | 30 | + MEYCQQDkZMgCTieW40x/bmCpf6m1XHERNnyOodot21UsJkCidr+T6aAcy/Oz4mWo | ||
783 | 31 | + aYudmZZLQz7jhz0Ut2VQUw0Nz033AgEC | ||
784 | 32 | + -----END DH PARAMETERS----- | ||
785 | 33 | + DH_KEY | ||
786 | 34 | + ).p | ||
787 | 35 | +end | ||
788 | 36 | + | ||
789 | 37 | class NetSSHTest < Minitest::Test | ||
790 | 38 | def assert_nothing_raised(&block) | ||
791 | 39 | yield | ||
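Review bot: the comment above `dh_512bits_bn` says "DH key generate with OpenSSL::PKey::DH.new(512).to_pem", but the heredoc holds a DH PARAMETERS block and the helper returns `.p`, which is the group prime rather than a key. Reword it to say these are 512-bit parameters kept as a test fixture and that the return value is the prime as an OpenSSL::BN; "generate" should also read "generated".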
792 | 40 | diff --git a/test/transport/kex/test_diffie_hellman_group1_sha1.rb b/test/transport/kex/test_diffie_hellman_group1_sha1.rb | ||
793 | 41 | index be51720..d621de6 100644 | ||
794 | 42 | --- a/test/transport/kex/test_diffie_hellman_group1_sha1.rb | ||
795 | 43 | +++ b/test/transport/kex/test_diffie_hellman_group1_sha1.rb | ||
796 | 44 | @@ -134,7 +134,7 @@ module Transport | ||
797 | 45 | end | ||
798 | 46 | |||
799 | 47 | def server_dh_pubkey | ||
800 | 48 | - @server_dh_pubkey ||= bn(1234567890) | ||
801 | 49 | + @server_dh_pubkey ||= OpenSSL::BN.new(dh_512bits_bn, 10) | ||
802 | 50 | end | ||
803 | 51 | |||
804 | 52 | def shared_secret | ||
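Review bot: `OpenSSL::BN.new(dh_512bits_bn, 10)` in `server_dh_pubkey` wraps a value that `dh_512bits_bn` already returns from `.p`, and the test_algorithms.rb hunk in this same patch uses the helper directly. Use `@server_dh_pubkey ||= dh_512bits_bn` for consistency, or add a comment explaining why a copy with an explicit base is needed here.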
805 | 53 | diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb | ||
806 | 54 | index 105f3af..7eb50aa 100644 | ||
807 | 55 | --- a/test/transport/test_algorithms.rb | ||
808 | 56 | +++ b/test/transport/test_algorithms.rb | ||
809 | 57 | @@ -368,7 +368,7 @@ module Transport | ||
810 | 58 | end | ||
811 | 59 | |||
812 | 60 | def shared_secret | ||
813 | 61 | - @shared_secret ||= OpenSSL::BN.new("1234567890", 10) | ||
814 | 62 | + @shared_secret ||= dh_512bits_bn | ||
815 | 63 | end | ||
816 | 64 | |||
817 | 65 | def session_id | ||
818 | diff --git a/debian/patches/series b/debian/patches/series | |||
819 | index cb8efb3..f7fd3ea 100644 | |||
820 | --- a/debian/patches/series | |||
821 | +++ b/debian/patches/series | |||
822 | @@ -1 +1,9 @@ | |||
823 | 1 | 0001-openssl-DSA-don-t-hardcode-expected-signature-size.patch | 1 | 0001-openssl-DSA-don-t-hardcode-expected-signature-size.patch |
824 | 2 | openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch | ||
825 | 3 | openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch | ||
826 | 4 | openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch | ||
827 | 5 | openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch | ||
828 | 6 | openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch | ||
829 | 7 | openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch | ||
830 | 8 | openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch | ||
831 | 9 | openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch | ||
832 | diff --git a/debian/ruby-tests.rake b/debian/ruby-tests.rake | |||
833 | index 751fecc..38479eb 100644 | |||
834 | --- a/debian/ruby-tests.rake | |||
835 | +++ b/debian/ruby-tests.rake | |||
836 | @@ -3,5 +3,12 @@ require 'gem2deb/rake/testtask' | |||
837 | 3 | # Unfortunately this also disables 'ed25519' tests. | 3 | # Unfortunately this also disables 'ed25519' tests. |
838 | 4 | ENV['NET_SSH_NO_ED25519'] = '1' | 4 | ENV['NET_SSH_NO_ED25519'] = '1' |
839 | 5 | 5 | ||
840 | 6 | # Some tests rely no ciphers which are considered legacy in OpenSSL 3. For now, | ||
841 | 7 | # let's use the custom config file to enable them and make the tests pass. | ||
842 | 8 | require 'openssl' | ||
843 | 9 | if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" | ||
844 | 10 | ENV['OPENSSL_CONF'] = Dir.pwd + '/test/openssl3.conf' | ||
845 | 11 | end | ||
846 | 12 | |||
847 | 6 | Gem2Deb::Rake::TestTask.new do |t| | 13 | Gem2Deb::Rake::TestTask.new do |t| |
848 | 7 | end | 14 | end |
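Review bot: `ENV['OPENSSL_CONF']` is assigned after `require 'openssl'` in the same process, so the legacy configuration can only reach processes started afterwards by the test task; a comment stating that this relies on the tests running in a child process would make the intent clear. `Dir.pwd + '/test/openssl3.conf'` also depends on the directory rake is invoked from, and the assignment overwrites any `OPENSSL_CONF` already set in the environment; building the path from `__dir__` is sturdier. The check `start_with? "OpenSSL 3"` will stop matching on the next major version, and "rely no ciphers" in the new comment should read "rely on ciphers".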
Well,
ruby-net-ssh | 1:6.1.0-2 | jammy/universe | source, all proposed/ universe | source, all
ruby-net-ssh | 1:6.1.0-2 | kinetic/universe | source, all
ruby-net-ssh | 1:7.0.0~beta1-2 | kinetic-
Hopefully 7.0.0~beta1-2 will migrate soon, otherwise the version in Jammy will be greater than in Kinetic.