
Comparing changes

base repository: jruby/jruby-openssl
base: d434bc622793
...
head repository: jruby/jruby-openssl
compare: ecfaf4a6e447
  • 20 commits
  • 16 files changed
  • 1 contributor

Commits on Nov 30, 2016

  1. 3e1b97b
  2. a3ac55f
  3. fix javadoc link

    kares committed Nov 30, 2016
    279066e
  4. 3190db7
  5. 08fecc7
  6. 0797b0d

Commits on Dec 1, 2016

  1. preliminary OpenSSL 1.1 (Ruby 2.4) compatibility bits

    ... mostly port of OpenSSL 1.1.0's new opaque methods for PKey types
    
    https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/55285
    kares committed Dec 1, 2016
    17d0549
  2. d1386b1
  3. avoid deprecated methods

    kares committed Dec 1, 2016
    74e742e
  4. 7613880
  5. 28e08a8
  6. 6253685
  7. 3aceaab
  8. af60ff9
  9. e197afe
  10. 06e6800
  11. no need to cast null

    kares committed Dec 1, 2016
    f5d14be
  12. b92e045

Commits on Dec 2, 2016

  1. 989ca42
  2. ecfaf4a
1 change: 1 addition & 0 deletions lib/jopenssl/load.rb
@@ -27,6 +27,7 @@

if RUBY_VERSION > '2.3'
load 'jopenssl23/openssl.rb'
load 'jopenssl24.rb' if RUBY_VERSION >= '2.4'
elsif RUBY_VERSION > '2.2'
load 'jopenssl22/openssl.rb'
elsif RUBY_VERSION > '2.1'
2 changes: 0 additions & 2 deletions lib/jopenssl23/openssl/buffering.rb
@@ -132,7 +132,6 @@ def readpartial(maxlen, buf=nil)
buf.replace(ret)
ret = buf
end
raise EOFError if ret.empty?
ret
end

@@ -182,7 +181,6 @@ def read_nonblock(maxlen, buf=nil, exception: true)
buf.replace(ret)
ret = buf
end
raise EOFError if ret.empty?
ret
end

11 changes: 7 additions & 4 deletions lib/jopenssl23/openssl/cipher.rb
@@ -14,9 +14,12 @@

module OpenSSL
class Cipher
# This class is only provided for backwards compatibility. Use OpenSSL::Cipher in the future.
class Cipher < Cipher
# add warning
end

# Deprecated.
#
# This class is only provided for backwards compatibility.
# Use OpenSSL::Cipher.
class Cipher < Cipher; end
deprecate_constant :Cipher
end # Cipher
end # OpenSSL
13 changes: 4 additions & 9 deletions lib/jopenssl23/openssl/digest.rb
@@ -14,18 +14,13 @@

module OpenSSL
class Digest

# Deprecated.
#
# This class is only provided for backwards compatibility.
class Digest < Digest # :nodoc:
# Deprecated.
#
# See OpenSSL::Digest.new
def initialize(*args)
warn('Digest::Digest is deprecated; use Digest')
super(*args)
end
end
# Use OpenSSL::Digest instead.
class Digest < Digest; end # :nodoc:
deprecate_constant :Digest

end # Digest

6 changes: 2 additions & 4 deletions lib/jopenssl23/openssl/ssl.rb
@@ -108,10 +108,8 @@ class SSLContext
#
# You can get a list of valid methods with OpenSSL::SSL::SSLContext::METHODS
def initialize(version = nil)
INIT_VARS.each { |v| instance_variable_set v, nil }
self.options = self.options | OpenSSL::SSL::OP_ALL
return unless version
self.ssl_version = version
self.options |= OpenSSL::SSL::OP_ALL
self.ssl_version = version if version
end unless defined? JRUBY_VERSION # JRuby: handled in "native" Java

##
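--- a/lib/jopenssl24.rb
+++ b/lib/jopenssl24.rb
@@ -0,0 +1,112 @@
+# frozen_string_literal: false
+
+# Ruby 2.4 preliminary compatibility script, loaded after all (2.3) jruby-openssl files
+
+module OpenSSL
+
+module SSL
+class SSLContext
+# OpenSSL 1.1.0 introduced "security level"
+def security_level; 0 end
+def security_level=(level); raise NotImplementedError end
+end
+end
+
+module PKey
+
+class DH
+
+def set_key(pub_key, priv_key)
+self.public_key = pub_key
+self.priv_key = priv_key
+self
+end
+
+def set_pqg(p, q, g)
+self.p = p
+# TODO self.q = q
+if respond_to?(:q)
+self.q = q
+else
+OpenSSL.warn "JRuby-OpenSSL does not support setting q param on #{inspect}" if q
+end
+self.g = g
+self
+end
+
+end
+
+class DSA
+
+def set_key(pub_key, priv_key)
+self.public_key = pub_key
+self.priv_key = priv_key
+self
+end
+
+def set_pqg(p, q, g)
+self.p = p
+self.q = q
+self.g = g
+self
+end
+
+end
+
+class RSA
+
+def set_key(n, e, d)
+self.n = n
+self.e = e
+self.d = d
+self
+end
+
+def set_factors(p, q)
+self.p = p
+self.q = q
+self
+end
+
+def set_crt_params(dmp1, dmq1, iqmp)
+self.dmp1 = dmp1
+self.dmq1 = dmq1
+self.iqmp = iqmp
+self
+end
+
+end
+
+# openssl/lib/openssl/pkey.rb :
+
+class DH
+
+remove_const :DEFAULT_512 if const_defined?(:DEFAULT_512)
+
+DEFAULT_2048 = new <<-_end_of_pem_
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
+-----END DH PARAMETERS-----
+_end_of_pem_
+
+end
+
+remove_const :DEFAULT_TMP_DH_CALLBACK if const_defined?(:DEFAULT_TMP_DH_CALLBACK)
+
+DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+warn "using default DH parameters." if $VERBOSE
+case keylen
+when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+when 2048 then OpenSSL::PKey::DH::DEFAULT_2048
+else nil
+end
+}
+
+end
+
+end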
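Review bot: `DH#set_key` and `DSA#set_key` assign with `self.public_key = pub_key`, but the DH writer that PKeyDH.java exposes in this same comparison is `pub_key=` (alongside `priv_key=`), so unless a `public_key=` writer exists outside this view the call raises NoMethodError; it should probably read `self.pub_key = pub_key`, and the DSA variant needs the same check. In `DH#set_pqg` the guard `respond_to?(:q)` tests for the reader while the next line calls the writer, so `if respond_to?(:q=)` is the condition that matches. `DEFAULT_TMP_DH_CALLBACK` still returns `DEFAULT_1024` for 1024-bit requests, a constant this file does not define and a group size generally regarded as too small for new deployments, so it is worth confirming that fallback is intended.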
51 changes: 45 additions & 6 deletions src/main/java/org/jruby/ext/openssl/OpenSSL.java
@@ -24,6 +24,7 @@
package org.jruby.ext.openssl;

import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.util.Map;

import org.jruby.CompatVersion;
@@ -216,18 +217,22 @@ static void debugStackTrace(final Ruby runtime, final Throwable e) {
if ( isDebug(runtime) ) e.printStackTrace(runtime.getOut());
}

public static void debug(final Ruby runtime, final String msg) {
if ( isDebug(runtime) ) runtime.getOut().println(msg);
public static void debug(final Ruby runtime, final CharSequence msg) {
if ( isDebug(runtime) ) runtime.getOut().println(msg.toString());
}

public static void debug(final Ruby runtime, final String msg, final Throwable e) {
if ( isDebug(runtime) ) runtime.getOut().println(msg + ' ' + e);
public static void debug(final Ruby runtime, final CharSequence msg, final Throwable e) {
if ( isDebug(runtime) ) runtime.getOut().println(msg.toString() + ' ' + e);
}

static void warn(final ThreadContext context, final String msg) {
static void warn(final ThreadContext context, final CharSequence msg) {
warn(context, RubyString.newString(context.runtime, msg));
}

static void warn(final ThreadContext context, final RubyString msg) {
warn(context, (IRubyObject) msg);
}

static void warn(final ThreadContext context, final IRubyObject msg) {
if ( warn ) context.runtime.getModule("OpenSSL").callMethod(context, "warn", msg);
}
@@ -265,7 +270,41 @@ static boolean javaOpenJDK() {
return javaName("").contains("OpenJDK");
}

//
// shared secure-random :

private static boolean tryContextSecureRandom = true;

static SecureRandom getSecureRandom(final Ruby runtime) {
return getSecureRandom(runtime, false);
}


static SecureRandom getSecureRandom(final Ruby runtime, final boolean nullByDefault) {
if ( tryContextSecureRandom ) {
SecureRandom random = getSecureRandomFrom(runtime.getCurrentContext());
if ( random != null ) return random;
}
return nullByDefault ? null : new SecureRandom();
}

static SecureRandom getSecureRandomFrom(final ThreadContext context) {
if ( tryContextSecureRandom ) {
try {
SecureRandom random = context.secureRandom;
if (random == null) { // public SecureRandom getSecureRandom() on 9K
random = (SecureRandom) context.getClass().getMethod("getSecureRandom").invoke(context);
}
return random;
}
catch (Throwable ex) {
tryContextSecureRandom = false;
debug(context.runtime, "JRuby-OpenSSL failed to retrieve secure random from thread-context", ex);
}
}
return null;
}

// internals

static IRubyObject to_der_if_possible(final ThreadContext context, IRubyObject obj) {
if ( ! obj.respondsTo("to_der")) return obj;
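Review bot: `tryContextSecureRandom` is a plain static boolean that `getSecureRandomFrom` clears from whichever thread first reaches the `catch (Throwable ex)`, so other threads have no visibility guarantee for that write and one transient failure switches off the thread-context source for the whole process; `private static volatile boolean tryContextSecureRandom = true;` covers the visibility part. The catch is wide enough to swallow errors such as OutOfMemoryError; if the intent is only to tolerate a missing `secureRandom` field or `getSecureRandom` method across JRuby versions, narrowing it to linkage and reflection failures would state that. `getSecureRandomFrom` returns null after a failure and the fallback is reported only through `debug`, so a Javadoc line saying that callers must handle null would help anyone using it directly.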
14 changes: 5 additions & 9 deletions src/main/java/org/jruby/ext/openssl/PKey.java
@@ -32,15 +32,7 @@
import java.io.InputStreamReader;
import java.io.StringReader;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.*;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
@@ -263,6 +255,10 @@ static boolean verify(final String signAlg, final PublicKey publicKey, final Byt
return signature.verify(sign.getUnsafeBytes(), sign.getBegin(), sign.getRealSize());
}

static SecureRandom getSecureRandom(final Ruby runtime) {
return OpenSSL.getSecureRandom(runtime);
}

// shared Helpers for PKeyRSA / PKEyDSA :

protected PrivateKey tryPKCS8EncodedKey(final Ruby runtime, final KeyFactory keyFactory, final byte[] encodedKey) {
25 changes: 7 additions & 18 deletions src/main/java/org/jruby/ext/openssl/PKeyDH.java
@@ -93,17 +93,6 @@ public static RaiseException newDHError(Ruby runtime, String message) {
return Utils.newError(runtime, _PKey(runtime).getClass("DHError"), message);
}

private static SecureRandom _secureRandom;

private static SecureRandom getSecureRandom() {
SecureRandom rand;
if ((rand = _secureRandom) != null) {
return rand;
}
// FIXME: do we want a particular algorithm / provider? BC?
return _secureRandom = new SecureRandom();
}

// transient because: we do not want these value serialized (insecure)
// volatile because: permits unsynchronized reads in some cases
private transient volatile BigInteger dh_p;
@@ -201,7 +190,7 @@ public static BigInteger generateX(BigInteger p, int limit) {
if (limit < 0) throw new IllegalArgumentException("invalid limit");

BigInteger x;
SecureRandom secureRandom = getSecureRandom();
SecureRandom secureRandom = new SecureRandom();
// adapting algorithm from org.bouncycastle.crypto.generators.DHKeyGeneratorHelper,
// which seems a little stronger (?) than OpenSSL's (OSSL just generates a random,
// while BC generates a random potential prime [for limit > 0], though it's not
@@ -252,11 +241,11 @@ public synchronized IRubyObject generate_key() {
@JRubyMethod(name = "compute_key")
public synchronized IRubyObject compute_key(IRubyObject other_pub_key) {
BigInteger x, y, p;
if ((y = BN.getBigInteger(other_pub_key)) == null) {
if ((y = BN.asBigInteger(other_pub_key)) == null) {
throw getRuntime().newArgumentError("invalid public key");
}
if ((x = this.dh_x) == null || (p = this.dh_p) == null) {
throw newDHError(getRuntime(), "can't compute key");
throw newDHError(getRuntime(), "incomplete DH");
}
int plen;
if ((plen = p.bitLength()) == 0 || plen > OPENSSL_DH_MAX_MODULUS_BITS) {
@@ -362,7 +351,7 @@ public IRubyObject get_p() {

@JRubyMethod(name = "p=")
public synchronized IRubyObject set_p(IRubyObject arg) {
this.dh_p = BN.getBigInteger(arg);
this.dh_p = BN.asBigInteger(arg);
return arg;
}

@@ -374,7 +363,7 @@ public IRubyObject get_g() {

@JRubyMethod(name = "g=")
public synchronized IRubyObject set_g(IRubyObject arg) {
this.dh_g = BN.getBigInteger(arg);
this.dh_g = BN.asBigInteger(arg);
return arg;
}

@@ -394,7 +383,7 @@ public PublicKey getPublicKey() {

@JRubyMethod(name = "pub_key=")
public synchronized IRubyObject set_pub_key(IRubyObject arg) {
this.dh_y = BN.getBigInteger(arg);
this.dh_y = BN.asBigInteger(arg);
return arg;
}

@@ -414,7 +403,7 @@ public PrivateKey getPrivateKey() {

@JRubyMethod(name = "priv_key=")
public synchronized IRubyObject set_priv_key(IRubyObject arg) {
this.dh_x = BN.getBigInteger(arg);
this.dh_x = BN.asBigInteger(arg);
return arg;
}
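Review bot: `generateX` now builds a `new SecureRandom()` on every call rather than going through the shared `OpenSSL.getSecureRandom(runtime)` that PKeyDSA switches to in this comparison, presumably because this public static method has no `Ruby` runtime in scope. A default-constructed SecureRandom is still a CSPRNG, but the deleted FIXME about picking an algorithm/provider disappears unanswered together with the old cache. A comment on that line such as `// static helper without a runtime: uses a fresh default SecureRandom, not OpenSSL.getSecureRandom(runtime)` would keep the decision visible. The body of `generateX` continues outside the hunk.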

2 changes: 1 addition & 1 deletion src/main/java/org/jruby/ext/openssl/PKeyDSA.java
@@ -136,7 +136,7 @@ private static PKeyDSA dsaGenerate(final Ruby runtime,
PKeyDSA dsa, int keySize) throws RaiseException {
try {
KeyPairGenerator gen = SecurityHelper.getKeyPairGenerator("DSA");
gen.initialize(keySize, new SecureRandom());
gen.initialize(keySize, getSecureRandom(runtime));
KeyPair pair = gen.generateKeyPair();
dsa.privateKey = (DSAPrivateKey) pair.getPrivate();
dsa.publicKey = (DSAPublicKey) pair.getPublic();