Ubuntu
ruby-net-ssh package

Merge ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3 into ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel

  1. Git
  2. lp:~lucaskanashiro/ubuntu/+source/ruby-net-ssh
  3. jammy-fix-openssl-3
  4. Merge into ubuntu/jammy-devel
Proposed by Lucas Kanashiro
Status: Needs review
Proposed branch: ~lucaskanashiro/ubuntu/+source/ruby-net-ssh:jammy-fix-openssl-3
Merge into: ubuntu/+source/ruby-net-ssh:ubuntu/jammy-devel
Diff against target: 848 lines (+764/-1)
12 files modified
debian/changelog (+8/-0)
debian/control (+2/-1)
debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch (+134/-0)
debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch (+68/-0)
debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch (+103/-0)
debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch (+106/-0)
debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch (+46/-0)
debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch (+147/-0)
debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch (+70/-0)
debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch (+65/-0)
debian/patches/series (+8/-0)
debian/ruby-tests.rake (+7/-0)
Reviewer Review Type Date Requested Status
Utkarsh Gupta (community) Approve
git-ubuntu import Pending
Review via email: mp+421795@code.launchpad.net

Description of the change

Fix OpenSSL 3 issues in Jammy (LP: #1964025). This was fixed in version 1:7.0.0~beta1-2 in kinetic, and now I am backporting the upstream patch set to fix it in Jammy. This issue is making vagrant unusable, and some user are complaining about it.

PPA with proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/openssl3/+packages

autopkgtest result:

autopkgtest [19:06:49]: @@@@@@@@@@@@@@@@@@@@ summary
gem2deb-test-runner PASS

To post a comment you must log in.
Revision history for this message
Utkarsh Gupta (utkarsh) :
review: Approve
Reply
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Well,

 ruby-net-ssh | 1:6.1.0-2 | jammy/universe | source, all
 ruby-net-ssh | 1:6.1.0-2 | kinetic/universe | source, all
 ruby-net-ssh | 1:7.0.0~beta1-2 | kinetic-proposed/universe | source, all

Hopefully 7.0.0~beta1-2 will migrate soon otherwise version in Jammy will be greater than in Kinetic.

Reply
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

So far there is no regression because of new ruby-net-ssh in kinetic, and I do not expect any TBH. It did not migrate yet because of the long test queue we have at the moment, so I am not worried about it.

Reply
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

However, since you mentioned the version string, I think I'll use 1:6.1.0-3ubuntu0.1 instead of 1:6.1.0-3ubuntu1. Thanks for making me revisit this :)

Reply
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Package uploaded:

Uploading ruby-net-ssh_6.1.0-3ubuntu0.1.dsc
Uploading ruby-net-ssh_6.1.0-3ubuntu0.1.debian.tar.xz
Uploading ruby-net-ssh_6.1.0-3ubuntu0.1_source.changes

Reply

Unmerged commits

8257009... by Lucas Kanashiro

update-maintainer

81cb3cd... by Lucas Kanashiro

Update changelog

1c25ff2... by Lucas Kanashiro

d/ruby-tests.rake: use custom openssl config file if using openssl 3

This will allow the usage of legacy ciphers during tests, not breaking a
bunch of them.

2108453... by Lucas Kanashiro

Backport upstream patches to support OpenSSL 3 (LP: #1964025)

Origin: backport, https://github.com/net-ssh/net-ssh/pull/864

7363613... by Antonio Terceiro

1:6.1.0-3 (patches unapplied)

Imported using git-ubuntu import.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 9d13b4e..ef64464 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1ruby-net-ssh (1:6.1.0-3ubuntu0.1) jammy; urgency=medium
2
3 * d/p/openssl-3/*.patch: backport upstream patches to support OpenSSL 3
4 (LP: #1964025).
5 * d/ruby-tests.rake: use custom OpenSSL config file if using OpenSSL 3.
6
7 -- Lucas Kanashiro <kanashiro@ubuntu.com> Mon, 09 May 2022 18:44:20 -0300
8
1ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium9ruby-net-ssh (1:6.1.0-3) unstable; urgency=medium
210
3 * Team upload11 * Team upload
diff --git a/debian/control b/debian/control
index 62920fb..2483e6d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: ruby-net-ssh1Source: ruby-net-ssh
2Section: ruby2Section: ruby
3Priority: optional3Priority: optional
4Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
5Uploaders: Lucas Nussbaum <lucas@debian.org>,6Uploaders: Lucas Nussbaum <lucas@debian.org>,
6 Paul van Tilburg <paulvt@debian.org>,7 Paul van Tilburg <paulvt@debian.org>,
7 David Suárez <david.sephirot@gmail.com>8 David Suárez <david.sephirot@gmail.com>
diff --git a/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch
8new file mode 1006449new file mode 100644
index 0000000..0c63bee
--- /dev/null
+++ b/debian/patches/openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch
@@ -0,0 +1,134 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Fri, 8 Apr 2022 09:49:06 +0200
3Subject: Generate all DSA keys with 1024 bits
4
5512bits keys are refused in newer OpenSSL libraries as too weak.
6
7Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
8---
9 test/authentication/methods/test_hostbased.rb | 2 +-
10 test/authentication/methods/test_publickey.rb | 2 +-
11 test/authentication/test_agent.rb | 12 ++++++------
12 test/authentication/test_key_manager.rb | 4 ++--
13 test/integration/test_agent.rb | 2 +-
14 5 files changed, 11 insertions(+), 11 deletions(-)
15
16Origin: backport, https://github.com/net-ssh/net-ssh/commit/6364a20037fe8
17Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
18Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
19Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
20Last-Updated: 2022-05-09
21
22diff --git a/test/authentication/methods/test_hostbased.rb b/test/authentication/methods/test_hostbased.rb
23index 4fbd37a..957a83e 100644
24--- a/test/authentication/methods/test_hostbased.rb
25+++ b/test/authentication/methods/test_hostbased.rb
26@@ -76,7 +76,7 @@ module Authentication
27
28 @@keys = nil
29 def keys
30- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)]
31+ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)]
32 end
33
34 def key_manager(options={})
35diff --git a/test/authentication/methods/test_publickey.rb b/test/authentication/methods/test_publickey.rb
36index 8f2cc73..449f74d 100644
37--- a/test/authentication/methods/test_publickey.rb
38+++ b/test/authentication/methods/test_publickey.rb
39@@ -128,7 +128,7 @@ module Authentication
40
41 @@keys = nil
42 def keys
43- @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)]
44+ @@keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(1024)]
45 end
46
47 def key_manager(options={})
48diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb
49index 81ca477..42cc215 100644
50--- a/test/authentication/test_agent.rb
51+++ b/test/authentication/test_agent.rb
52@@ -119,7 +119,7 @@ module Authentication
53
54 def test_identities_should_augment_identities_with_comment_field
55 key1 = key
56- key2 = OpenSSL::PKey::DSA.new(512)
57+ key2 = OpenSSL::PKey::DSA.new(1024)
58
59 socket.expect do |s, type, buffer|
60 assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type
61@@ -135,9 +135,9 @@ module Authentication
62
63 def test_identities_should_ignore_unimplemented_ones
64 key1 = key
65- key2 = OpenSSL::PKey::DSA.new(512)
66+ key2 = OpenSSL::PKey::DSA.new(1024)
67 key2.to_blob[0..5] = 'badkey'
68- key3 = OpenSSL::PKey::DSA.new(512)
69+ key3 = OpenSSL::PKey::DSA.new(1024)
70
71 socket.expect do |s, type, buffer|
72 assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type
73@@ -155,7 +155,7 @@ module Authentication
74 def test_identities_should_ignore_invalid_ones
75 key1 = key
76 key2_bad = Net::SSH::Buffer.new("")
77- key3 = OpenSSL::PKey::DSA.new(512)
78+ key3 = OpenSSL::PKey::DSA.new(1024)
79
80 socket.expect do |s, type, buffer|
81 assert_equal SSH2_AGENT_REQUEST_IDENTITIES, type
82@@ -251,7 +251,7 @@ module Authentication
83 end
84
85 def test_add_dsa_identity
86- dsa = OpenSSL::PKey::DSA.new(512)
87+ dsa = OpenSSL::PKey::DSA.new(1024)
88 socket.expect do |s,type,buffer|
89 assert_equal SSH2_AGENT_ADD_IDENTITY, type
90 assert_equal buffer.read_string, "ssh-dss"
91@@ -270,7 +270,7 @@ module Authentication
92 end
93
94 def test_add_dsa_cert_identity
95- cert = make_cert(OpenSSL::PKey::DSA.new(512))
96+ cert = make_cert(OpenSSL::PKey::DSA.new(1024))
97 socket.expect do |s,type,buffer|
98 assert_equal SSH2_AGENT_ADD_IDENTITY, type
99 assert_equal buffer.read_string, "ssh-dss-cert-v01@openssh.com"
100diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb
101index c40779f..5f38d73 100644
102--- a/test/authentication/test_key_manager.rb
103+++ b/test/authentication/test_key_manager.rb
104@@ -317,7 +317,7 @@ module Authentication
105 cert.critical_options = {}
106 cert.extensions = {}
107 cert.reserved = ''
108- cert.sign!(OpenSSL::PKey::DSA.new(512))
109+ cert.sign!(OpenSSL::PKey::DSA.new(1024))
110 cert
111 end
112 end
113@@ -327,7 +327,7 @@ module Authentication
114 end
115
116 def dsa
117- @dsa ||= OpenSSL::PKey::DSA.new(512)
118+ @dsa ||= OpenSSL::PKey::DSA.new(1024)
119 end
120
121 def ecdsa_sha2_nistp256
122diff --git a/test/integration/test_agent.rb b/test/integration/test_agent.rb
123index 4045c9a..e7db62c 100644
124--- a/test/integration/test_agent.rb
125+++ b/test/integration/test_agent.rb
126@@ -19,7 +19,7 @@ class TestAgent < NetSSHTest
127 def setup
128 @keys = [
129 OpenSSL::PKey::RSA.new(1024),
130- OpenSSL::PKey::DSA.new(512),
131+ OpenSSL::PKey::DSA.new(1024),
132 OpenSSL::PKey::EC.new("prime256v1").generate_key
133 ]
134 @keys << Net::SSH::Authentication::ED25519::PrivKey.read(ED25519, nil) if Net::SSH::Authentication::ED25519Loader::LOADED
diff --git a/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch
0new file mode 100644135new file mode 100644
index 0000000..2a5f342
--- /dev/null
+++ b/debian/patches/openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch
@@ -0,0 +1,68 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Wed, 6 Apr 2022 18:43:57 +0200
3Subject: tests: Enable legacy providers if using OpenSSL 3.0
4
5Quite a few tests rely on outdated algorithms that have been relegated
6to the legacy provider in OpenSSL 3.0. `rake test` now loads a custom
7OpenSSL configuration file to enable said legacy provider, which is
8usually disabled by default.
9---
10 Rakefile | 6 ++++++
11 test/openssl3.conf | 25 +++++++++++++++++++++++++
12 2 files changed, 31 insertions(+)
13 create mode 100644 test/openssl3.conf
14
15Origin: upstream, https://github.com/net-ssh/net-ssh/commit/e4ffdc07b1f0f
16Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
17Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
18Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
19Last-Updated: 2022-05-09
20
21diff --git a/Rakefile b/Rakefile
22index 0271797..3720209 100644
23--- a/Rakefile
24+++ b/Rakefile
25@@ -94,6 +94,12 @@ Rake::TestTask.new do |t|
26 t.test_files = test_files
27 end
28
29+# We need to enable the OpenSSL 3.0 legacy providers for our test suite
30+require 'openssl'
31+if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3" then
32+ ENV['OPENSSL_CONF'] = 'test/openssl3.conf'
33+end
34+
35 desc "Run tests of Net::SSH:Test"
36 Rake::TestTask.new do |t|
37 t.name = "test_test"
38diff --git a/test/openssl3.conf b/test/openssl3.conf
39new file mode 100644
40index 0000000..79bae9a
41--- /dev/null
42+++ b/test/openssl3.conf
43@@ -0,0 +1,25 @@
44+openssl_conf = openssl_init
45+
46+[openssl_init]
47+ssl_conf = ssl_sect
48+providers = provider_sect
49+
50+[provider_sect]
51+default = default_sect
52+legacy = legacy_sect
53+
54+[default_sect]
55+activate = 1
56+
57+[legacy_sect]
58+activate = 1
59+
60+[ssl_sect]
61+system_default = system_default_sect
62+
63+[system_default_sect]
64+CipherString = DEFAULT@SECLEVEL=0
65+# system_default = system_default_sect
66+#
67+# [system_default_sect]
68+# Options = UnsafeLegacyRenegotiation
diff --git a/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch
0new file mode 10064469new file mode 100644
index 0000000..328ee32
--- /dev/null
+++ b/debian/patches/openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch
@@ -0,0 +1,103 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Fri, 8 Apr 2022 09:32:24 +0200
3Subject: buffer: create RSA keys by loading PEM data directly
4
5The OpenSSL 3.0 changes don't allow for us to modify the private key
6details directly, and there are no dedicated constructors as of Ruby
73.0, so we need to actually create a PEM certificate in-memory and load
8that instead.
9
10Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
11---
12 lib/net/ssh/buffer.rb | 18 +++++++++---------
13 test/test_buffer.rb | 16 +++++++++-------
14 test/test_known_hosts.rb | 15 +++++++--------
15 3 files changed, 25 insertions(+), 24 deletions(-)
16
17Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852cab
18Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
19Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
20Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
21Last-Updated: 2022-05-09
22
23diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb
24index 0fe4e56..0384299 100644
25--- a/lib/net/ssh/buffer.rb
26+++ b/lib/net/ssh/buffer.rb
27@@ -309,15 +309,15 @@ module Net
28 key.pub_key = read_bignum
29 end
30 when /^ssh-rsa$/
31- key = OpenSSL::PKey::RSA.new
32- if key.respond_to?(:set_key)
33- e = read_bignum
34- n = read_bignum
35- key.set_key(n, e, nil)
36- else
37- key.e = read_bignum
38- key.n = read_bignum
39- end
40+ e = read_bignum
41+ n = read_bignum
42+
43+ asn1 = OpenSSL::ASN1::Sequence([
44+ OpenSSL::ASN1::Integer(n),
45+ OpenSSL::ASN1::Integer(e)
46+ ])
47+
48+ key = OpenSSL::PKey::RSA.new(asn1.to_der)
49 when /^ssh-ed25519$/
50 Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
51 key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
52diff --git a/test/test_buffer.rb b/test/test_buffer.rb
53index e1fcbd2..b74e2f1 100644
54--- a/test/test_buffer.rb
55+++ b/test/test_buffer.rb
56@@ -336,13 +336,15 @@ class TestBuffer < NetSSHTest
57 def test_write_rsa_key_should_write_argument_to_end_of_buffer
58 buffer = new("start")
59
60- key = OpenSSL::PKey::RSA.new
61- if key.respond_to?(:set_key)
62- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil)
63- else
64- key.e = 0xffeeddccbbaa9988
65- key.n = 0x7766554433221100
66- end
67+ n = 0x7766554433221100
68+ e = 0xffeeddccbbaa9988
69+
70+ asn1 = OpenSSL::ASN1::Sequence([
71+ OpenSSL::ASN1::Integer(n),
72+ OpenSSL::ASN1::Integer(e)
73+ ])
74+
75+ key = OpenSSL::PKey::RSA.new(asn1.to_der)
76
77 buffer.write_key(key)
78 assert_equal "start\0\0\0\7ssh-rsa\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00", buffer.to_s
79diff --git a/test/test_known_hosts.rb b/test/test_known_hosts.rb
80index 6b1fda6..187f6ac 100644
81--- a/test/test_known_hosts.rb
82+++ b/test/test_known_hosts.rb
83@@ -132,13 +132,12 @@ class TestKnownHosts < NetSSHTest
84 end
85
86 def rsa_key
87- key = OpenSSL::PKey::RSA.new
88- if key.respond_to?(:set_key)
89- key.set_key(0x7766554433221100, 0xffeeddccbbaa9988, nil)
90- else
91- key.e = 0xffeeddccbbaa9988
92- key.n = 0x7766554433221100
93- end
94- key
95+ n = 0x7766554433221100
96+ e = 0xffeeddccbbaa9988
97+ asn1 = OpenSSL::ASN1::Sequence([
98+ OpenSSL::ASN1::Integer(n),
99+ OpenSSL::ASN1::Integer(e)
100+ ])
101+ OpenSSL::PKey::RSA.new(asn1.to_der)
102 end
103 end
diff --git a/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch
0new file mode 100644104new file mode 100644
index 0000000..c29b87c
--- /dev/null
+++ b/debian/patches/openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch
@@ -0,0 +1,106 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Fri, 8 Apr 2022 09:32:24 +0200
3Subject: buffer: create DSA keys by loading PEM data directly
4
5The OpenSSL 3.0 changes don't allow for us to modify the private key
6details directly, and there are no dedicated constructors as of Ruby
73.0, so we need to actually create a PEM certificate in-memory and load
8that instead.
9
10To add insult to injury, contrary to other types of keys such as RSA, we
11need to actually build the full PEM data and not just pack the numbers
12in a simple sequence, making the code even a bit more complicated.
13
14Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
15---
16 lib/net/ssh/buffer.rb | 31 ++++++++++++++++++-------------
17 test/test_buffer.rb | 28 ++++++++++++++++++----------
18 2 files changed, 36 insertions(+), 23 deletions(-)
19
20Origin: upstream, https://github.com/net-ssh/net-ssh/commit/406063de2852
21Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
22Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
23Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
24Last-Updated: 2022-05-09
25
26diff --git a/lib/net/ssh/buffer.rb b/lib/net/ssh/buffer.rb
27index 0384299..5a7dff0 100644
28--- a/lib/net/ssh/buffer.rb
29+++ b/lib/net/ssh/buffer.rb
30@@ -295,19 +295,24 @@ module Net
31 when /^(.*)-cert-v01@openssh\.com$/
32 key = Net::SSH::Authentication::Certificate.read_certblob(self, $1)
33 when /^ssh-dss$/
34- key = OpenSSL::PKey::DSA.new
35- if key.respond_to?(:set_pqg)
36- key.set_pqg(read_bignum, read_bignum, read_bignum)
37- else
38- key.p = read_bignum
39- key.q = read_bignum
40- key.g = read_bignum
41- end
42- if key.respond_to?(:set_key)
43- key.set_key(read_bignum, nil)
44- else
45- key.pub_key = read_bignum
46- end
47+ p = read_bignum
48+ q = read_bignum
49+ g = read_bignum
50+ pub_key = read_bignum
51+
52+ asn1 = OpenSSL::ASN1::Sequence.new([
53+ OpenSSL::ASN1::Sequence.new([
54+ OpenSSL::ASN1::ObjectId.new('DSA'),
55+ OpenSSL::ASN1::Sequence.new([
56+ OpenSSL::ASN1::Integer.new(p),
57+ OpenSSL::ASN1::Integer.new(q),
58+ OpenSSL::ASN1::Integer.new(g)
59+ ]),
60+ ]),
61+ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der)
62+ ])
63+
64+ key = OpenSSL::PKey::DSA.new(asn1.to_der)
65 when /^ssh-rsa$/
66 e = read_bignum
67 n = read_bignum
68diff --git a/test/test_buffer.rb b/test/test_buffer.rb
69index b74e2f1..f75a729 100644
70--- a/test/test_buffer.rb
71+++ b/test/test_buffer.rb
72@@ -318,16 +318,24 @@ class TestBuffer < NetSSHTest
73 def test_write_dss_key_should_write_argument_to_end_of_buffer
74 buffer = new("start")
75
76- key = OpenSSL::PKey::DSA.new
77- if key.respond_to?(:set_pqg)
78- key.set_pqg(0xffeeddccbbaa9988, 0x7766554433221100, 0xffddbb9977553311)
79- key.set_key(0xeeccaa8866442200, nil)
80- else
81- key.p = 0xffeeddccbbaa9988
82- key.q = 0x7766554433221100
83- key.g = 0xffddbb9977553311
84- key.pub_key = 0xeeccaa8866442200
85- end
86+ p = 0xffeeddccbbaa9988
87+ q = 0x7766554433221100
88+ g = 0xffddbb9977553311
89+ pub_key = 0xeeccaa8866442200
90+
91+ asn1 = OpenSSL::ASN1::Sequence.new([
92+ OpenSSL::ASN1::Sequence.new([
93+ OpenSSL::ASN1::ObjectId.new('DSA'),
94+ OpenSSL::ASN1::Sequence.new([
95+ OpenSSL::ASN1::Integer.new(p),
96+ OpenSSL::ASN1::Integer.new(q),
97+ OpenSSL::ASN1::Integer.new(g)
98+ ]),
99+ ]),
100+ OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der)
101+ ])
102+
103+ key = OpenSSL::PKey::DSA.new(asn1.to_der)
104
105 buffer.write_key(key)
106 assert_equal "start\0\0\0\7ssh-dss\0\0\0\011\0\xff\xee\xdd\xcc\xbb\xaa\x99\x88\0\0\0\010\x77\x66\x55\x44\x33\x22\x11\x00\0\0\0\011\0\xff\xdd\xbb\x99\x77\x55\x33\x11\0\0\0\011\0\xee\xcc\xaa\x88\x66\x44\x22\x00", buffer.to_s
diff --git a/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch
0new file mode 100644107new file mode 100644
index 0000000..438cdba
--- /dev/null
+++ b/debian/patches/openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch
@@ -0,0 +1,46 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Fri, 8 Apr 2022 09:32:24 +0200
3Subject: transport: create EC keys by loading PEM data directly
4
5The OpenSSL 3.0 changes don't allow for us to modify the private key
6details directly, and there are no dedicated constructors as of Ruby
73.0, so we need to actually create a PEM certificate in-memory and load
8that instead.
9
10Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
11---
12 lib/net/ssh/transport/openssl.rb | 14 +++++++++++---
13 1 file changed, 11 insertions(+), 3 deletions(-)
14
15Origin: upstream, https://github.com/net-ssh/net-ssh/commit/4de6831dea
16Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
17Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
18Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
19Last-Updated: 2022-05-09
20
21diff --git a/lib/net/ssh/transport/openssl.rb b/lib/net/ssh/transport/openssl.rb
22index 0581dd5..c5ff2fb 100644
23--- a/lib/net/ssh/transport/openssl.rb
24+++ b/lib/net/ssh/transport/openssl.rb
25@@ -147,10 +147,18 @@ module OpenSSL
26
27 public_key_oct = buffer.read_string
28 begin
29- key = OpenSSL::PKey::EC.new(OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key])
30- group = key.group
31+ curvename = OpenSSL::PKey::EC::CurveNameAlias[curve_name_in_key]
32+ group = OpenSSL::PKey::EC::Group.new(curvename)
33 point = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_oct, 2))
34- key.public_key = point
35+ asn1 = OpenSSL::ASN1::Sequence([
36+ OpenSSL::ASN1::Sequence([
37+ OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
38+ OpenSSL::ASN1::ObjectId(curvename)
39+ ]),
40+ OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
41+ ])
42+
43+ key = OpenSSL::PKey::EC.new(asn1.to_der)
44
45 return key
46 rescue OpenSSL::PKey::ECError
diff --git a/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch
0new file mode 10064447new file mode 100644
index 0000000..93a87c0
--- /dev/null
+++ b/debian/patches/openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch
@@ -0,0 +1,147 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Mon, 11 Apr 2022 16:25:39 +0200
3Subject: Use OpenSSL::PKey::EC.generate static method
4
5Migrate all instances of the pattern EC.new(foo).generate_key to
6EC.generate(foo), as the old pattern isn't supported when using OpenSSL
73.0, since one is not allowed to mess with the internal data of already
8created objects now.
9
10The new API has been introduced in Ruby 2.4.
11
12Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
13---
14 lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb | 2 +-
15 test/authentication/test_agent.rb | 4 ++--
16 test/authentication/test_key_manager.rb | 6 +++---
17 test/test_buffer.rb | 6 +++---
18 test/transport/kex/test_curve25519_sha256.rb | 2 +-
19 test/transport/kex/test_ecdh_sha2_nistp256.rb | 4 ++--
20 6 files changed, 12 insertions(+), 12 deletions(-)
21
22Origin: backport, https://github.com/net-ssh/net-ssh/commit/8729d47045b
23Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
24Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
25Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
26Last-Updated: 2022-05-09
27
28diff --git a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb
29index 84d0e4a..a0b2d73 100644
30--- a/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb
31+++ b/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb
32@@ -18,7 +18,7 @@ module Net
33 private
34
35 def generate_key #:nodoc:
36- OpenSSL::PKey::EC.new(curve_name).generate_key
37+ OpenSSL::PKey::EC.generate(curve_name)
38 end
39
40 # compute shared secret from server's public key and client's private key
41diff --git a/test/authentication/test_agent.rb b/test/authentication/test_agent.rb
42index 42cc215..253317f 100644
43--- a/test/authentication/test_agent.rb
44+++ b/test/authentication/test_agent.rb
45@@ -286,7 +286,7 @@ module Authentication
46 end
47
48 def test_add_ecdsa_identity
49- ecdsa = OpenSSL::PKey::EC.new("prime256v1").generate_key
50+ ecdsa = OpenSSL::PKey::EC.generate("prime256v1")
51 socket.expect do |s,type,buffer|
52 assert_equal SSH2_AGENT_ADD_IDENTITY, type
53 assert_equal buffer.read_string, "ecdsa-sha2-nistp256"
54@@ -303,7 +303,7 @@ module Authentication
55 end
56
57 def test_add_ecdsa_cert_identity
58- cert = make_cert(OpenSSL::PKey::EC.new("prime256v1").generate_key)
59+ cert = make_cert(OpenSSL::PKey::EC.generate("prime256v1"))
60 socket.expect do |s,type,buffer|
61 assert_equal SSH2_AGENT_ADD_IDENTITY, type
62 assert_equal buffer.read_string, "ecdsa-sha2-nistp256-cert-v01@openssh.com"
63diff --git a/test/authentication/test_key_manager.rb b/test/authentication/test_key_manager.rb
64index 5f38d73..06a4594 100644
65--- a/test/authentication/test_key_manager.rb
66+++ b/test/authentication/test_key_manager.rb
67@@ -331,15 +331,15 @@ module Authentication
68 end
69
70 def ecdsa_sha2_nistp256
71- @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.new('prime256v1').generate_key
72+ @ecdsa_sha2_nistp256 ||= OpenSSL::PKey::EC.generate('prime256v1')
73 end
74
75 def ecdsa_sha2_nistp384
76- @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.new('secp384r1').generate_key
77+ @ecdsa_sha2_nistp384 ||= OpenSSL::PKey::EC.generate('secp384r1')
78 end
79
80 def ecdsa_sha2_nistp521
81- @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.new('secp521r1').generate_key
82+ @ecdsa_sha2_nistp521 ||= OpenSSL::PKey::EC.generate('secp521r1')
83 end
84
85 def rsa_pk
86diff --git a/test/test_buffer.rb b/test/test_buffer.rb
87index f75a729..57b98e5 100644
88--- a/test/test_buffer.rb
89+++ b/test/test_buffer.rb
90@@ -456,7 +456,7 @@ class TestBuffer < NetSSHTest
91 end
92
93 def random_ecdsa_sha2_nistp256
94- k = OpenSSL::PKey::EC.new('prime256v1').generate_key
95+ k = OpenSSL::PKey::EC.generate('prime256v1')
96 buffer = Net::SSH::Buffer.from(:string, 'nistp256',
97 :string, k.public_key.to_bn.to_s(2))
98 key = yield(buffer)
99@@ -465,7 +465,7 @@ class TestBuffer < NetSSHTest
100 end
101
102 def random_ecdsa_sha2_nistp384
103- k = OpenSSL::PKey::EC.new('secp384r1').generate_key
104+ k = OpenSSL::PKey::EC.generate('secp384r1')
105 buffer = Net::SSH::Buffer.from(:string, 'nistp384',
106 :string, k.public_key.to_bn.to_s(2))
107 key = yield(buffer)
108@@ -474,7 +474,7 @@ class TestBuffer < NetSSHTest
109 end
110
111 def random_ecdsa_sha2_nistp521
112- k = OpenSSL::PKey::EC.new('secp521r1').generate_key
113+ k = OpenSSL::PKey::EC.generate('secp521r1')
114 buffer = Net::SSH::Buffer.from(:string, 'nistp521',
115 :string, k.public_key.to_bn.to_s(2))
116 key = yield(buffer)
117diff --git a/test/transport/kex/test_curve25519_sha256.rb b/test/transport/kex/test_curve25519_sha256.rb
118index 8177a38..d990019 100644
119--- a/test/transport/kex/test_curve25519_sha256.rb
120+++ b/test/transport/kex/test_curve25519_sha256.rb
121@@ -111,7 +111,7 @@ unless ENV['NET_SSH_NO_ED25519']
122 end
123
124 def server_host_key
125- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key
126+ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1')
127 end
128
129 def packet_data
130diff --git a/test/transport/kex/test_ecdh_sha2_nistp256.rb b/test/transport/kex/test_ecdh_sha2_nistp256.rb
131index 932d8d7..a2ed6b4 100644
132--- a/test/transport/kex/test_ecdh_sha2_nistp256.rb
133+++ b/test/transport/kex/test_ecdh_sha2_nistp256.rb
134@@ -109,11 +109,11 @@ module Transport
135 end
136
137 def server_key
138- @server_key ||= OpenSSL::PKey::EC.new(ecparam).generate_key
139+ @server_key ||= OpenSSL::PKey::EC.generate(ecparam)
140 end
141
142 def server_host_key
143- @server_host_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key
144+ @server_host_key ||= OpenSSL::PKey::EC.generate('prime256v1')
145 end
146
147 def packet_data
diff --git a/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch
0new file mode 100644148new file mode 100644
index 0000000..623e2e6
--- /dev/null
+++ b/debian/patches/openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch
@@ -0,0 +1,70 @@
1From: Simon Chopin <simon.chopin@canonical.com>
2Date: Mon, 11 Apr 2022 16:04:08 +0200
3Subject: diffie-hellman: create the key by generating the PEM file
4
5This makes the code compatible with OpenSSL 3.0. However, an issue with
6this is that it is not possible anymore to ensure a specific size for
7the private key, as indicated in the inline comment.
8
9v2: avoid PKey.generate_key on older releases (< 2.7)
10
11Co-authored-by: Lucas Kanashiro <lucas.kanashiro@canonical.com>
12---
13 .../transport/kex/diffie_hellman_group1_sha1.rb | 36 +++++++++++-----------
14 1 file changed, 18 insertions(+), 18 deletions(-)
15
16Origin: backport, https://github.com/net-ssh/net-ssh/commit/8929562bec
17Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
18Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
19Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
20Last-Updated: 2022-05-09
21
22diff --git a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb
23index 34af18b..a78b5d5 100644
24--- a/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb
25+++ b/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb
26@@ -59,26 +59,26 @@ module Net
27
28 # Generate a DH key with a private key consisting of the given
29 # number of bytes.
30- def generate_key #:nodoc:
31- dh = OpenSSL::PKey::DH.new
32-
33- if dh.respond_to?(:set_pqg)
34- p, g = get_parameters
35- dh.set_pqg(p, nil, g)
36+ def generate_key # :nodoc:
37+ p, g = get_parameters
38+
39+ asn1 = OpenSSL::ASN1::Sequence(
40+ [
41+ OpenSSL::ASN1::Integer(p),
42+ OpenSSL::ASN1::Integer(g)
43+ ]
44+ )
45+
46+ dh_params = OpenSSL::PKey::DH.new(asn1.to_der)
47+ # XXX No private key size check! In theory the latter call should work but fails on OpenSSL 3.0 as
48+ # dh_paramgen_subprime_len is now reserved for DHX algorithm
49+ # key = OpenSSL::PKey.generate_key(dh_params, "dh_paramgen_subprime_len" => data[:need_bytes]/8)
50+ if OpenSSL::PKey.respond_to?(:generate_key)
51+ OpenSSL::PKey.generate_key(dh_params)
52 else
53- dh.p, dh.g = get_parameters
54- end
55-
56- dh.generate_key!
57- until dh.valid? && dh.priv_key.num_bytes == data[:need_bytes]
58- if dh.respond_to?(:set_key)
59- dh.set_key(nil, OpenSSL::BN.rand(data[:need_bytes] * 8))
60- else
61- dh.priv_key = OpenSSL::BN.rand(data[:need_bytes] * 8)
62- end
63- dh.generate_key!
64+ dh_params.generate_key!
65+ dh_params
66 end
67- dh
68 end
69
70 # Send the KEXDH_INIT message, and expect the KEXDH_REPLY. Return the
diff --git a/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch
0new file mode 10064471new file mode 100644
index 0000000..4e393ca
--- /dev/null
+++ b/debian/patches/openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch
@@ -0,0 +1,65 @@
1From: Florian Wininger <fw.centrale@gmail.com>
2Date: Fri, 29 Apr 2022 14:19:55 +0200
3Subject: Fix unit tests for OpenSSL 3
4
5---
6 test/common.rb | 12 ++++++++++++
7 test/transport/kex/test_diffie_hellman_group1_sha1.rb | 2 +-
8 test/transport/test_algorithms.rb | 2 +-
9 3 files changed, 14 insertions(+), 2 deletions(-)
10
11Origin: upstream, https://github.com/net-ssh/net-ssh/commit/395f0cd4029c
12Bug-Upstream: https://github.com/net-ssh/net-ssh/issues/843
13Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025
14Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
15Last-Updated: 2022-05-09
16
17diff --git a/test/common.rb b/test/common.rb
18index 8ae521c..db97d60 100644
19--- a/test/common.rb
20+++ b/test/common.rb
21@@ -46,6 +46,18 @@ def P(*args)
22 Net::SSH::Packet.new(Net::SSH::Buffer.from(*args))
23 end
24
25+# DH key generate with OpenSSL::PKey::DH.new(512).to_pem
26+def dh_512bits_bn
27+ OpenSSL::PKey::DH.new(
28+ <<~DH_KEY
29+ -----BEGIN DH PARAMETERS-----
30+ MEYCQQDkZMgCTieW40x/bmCpf6m1XHERNnyOodot21UsJkCidr+T6aAcy/Oz4mWo
31+ aYudmZZLQz7jhz0Ut2VQUw0Nz033AgEC
32+ -----END DH PARAMETERS-----
33+ DH_KEY
34+ ).p
35+end
36+
37 class NetSSHTest < Minitest::Test
38 def assert_nothing_raised(&block)
39 yield
40diff --git a/test/transport/kex/test_diffie_hellman_group1_sha1.rb b/test/transport/kex/test_diffie_hellman_group1_sha1.rb
41index be51720..d621de6 100644
42--- a/test/transport/kex/test_diffie_hellman_group1_sha1.rb
43+++ b/test/transport/kex/test_diffie_hellman_group1_sha1.rb
44@@ -134,7 +134,7 @@ module Transport
45 end
46
47 def server_dh_pubkey
48- @server_dh_pubkey ||= bn(1234567890)
49+ @server_dh_pubkey ||= OpenSSL::BN.new(dh_512bits_bn, 10)
50 end
51
52 def shared_secret
53diff --git a/test/transport/test_algorithms.rb b/test/transport/test_algorithms.rb
54index 105f3af..7eb50aa 100644
55--- a/test/transport/test_algorithms.rb
56+++ b/test/transport/test_algorithms.rb
57@@ -368,7 +368,7 @@ module Transport
58 end
59
60 def shared_secret
61- @shared_secret ||= OpenSSL::BN.new("1234567890", 10)
62+ @shared_secret ||= dh_512bits_bn
63 end
64
65 def session_id
diff --git a/debian/patches/series b/debian/patches/series
index cb8efb3..f7fd3ea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,9 @@
10001-openssl-DSA-don-t-hardcode-expected-signature-size.patch10001-openssl-DSA-don-t-hardcode-expected-signature-size.patch
2openssl-3/0002-Generate-all-DSA-keys-with-1024-bits.patch
3openssl-3/0003-tests-Enable-legacy-providers-if-using-OpenSSL-3.0.patch
4openssl-3/0004-buffer-create-RSA-keys-by-loading-PEM-data-directly.patch
5openssl-3/0005-buffer-create-DSA-keys-by-loading-PEM-data-directly.patch
6openssl-3/0006-transport-create-EC-keys-by-loading-PEM-data-directl.patch
7openssl-3/0007-Use-OpenSSL-PKey-EC.generate-static-method.patch
8openssl-3/0008-diffie-hellman-create-the-key-by-generating-the-PEM-.patch
9openssl-3/0009-Fix-unit-tests-for-OpenSSL-3.patch
diff --git a/debian/ruby-tests.rake b/debian/ruby-tests.rake
index 751fecc..38479eb 100644
--- a/debian/ruby-tests.rake
+++ b/debian/ruby-tests.rake
@@ -3,5 +3,12 @@ require 'gem2deb/rake/testtask'
3# Unfortunately this also disables 'ed25519' tests.3# Unfortunately this also disables 'ed25519' tests.
4ENV['NET_SSH_NO_ED25519'] = '1'4ENV['NET_SSH_NO_ED25519'] = '1'
55
6# Some tests rely no ciphers which are considered legacy in OpenSSL 3. For now,
7# let's use the custom config file to enable them and make the tests pass.
8require 'openssl'
9if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3"
10 ENV['OPENSSL_CONF'] = Dir.pwd + '/test/openssl3.conf'
11end
12
6Gem2Deb::Rake::TestTask.new do |t|13Gem2Deb::Rake::TestTask.new do |t|
7end14end

Subscribers

People subscribed via source and target branches