OpenSSL: patch

Attached is a patch for the Ruby/OpenSSL module, done against the code in the snapshot.tar.gz file as currently available from http://www.ruby-lang.org.

This patch adds functionality necessary to support SSH operations. I have also added a new method to Cipher::Cipher: called "crypt". I did this because I couldn't get the update/final stuff to work. This may have been because I do not have a complete understanding of how they are *supposed* to work. Still, I have a very hacked-together SSH client in Ruby now, using the routines provided by this patch.

Please let me know if you have any questions!

openssl.patch (10.3 KB)

···

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

ruby -h | ruby -e 'a=[];readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/) {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

Hi,

In message <40CB365B.3000409@email.byu.edu>,

Attached is a patch for the Ruby/OpenSSL module, done against the code
in the snapshot.tar.gz file as currently available from
http://www.ruby-lang.org.

Thanks a lot. Your patch seems a good solution. It will be
applied when the CVS service's back.

But a question. In ossl_pkey_dh.c, you made
dh_bignum_accessors without using OSSL_PKEY_BN and
DEF_OSSL_PKEY_BN. Does these macro have any problem?

This patch adds functionality necessary to support SSH operations. I
have also added a new method to Cipher::Cipher: called "crypt". I did
this because I couldn't get the update/final stuff to work. This may
have been because I do not have a complete understanding of how they are
*supposed* to work.

Cipher#update and Cipher#final return a String; it is a set
of streamable interface. I feel that Cipher#crypt may be
added if you need a block specific interface.

  require "openssl"
  bf = OpenSSL::Cipher::Cipher.new("bf")
  bf.encrypt
  bf.key = "0123456789abcdef"
  bf.iv = "01234567"
  ciphertext = ""
  ciphertext << bf.update("line 1\n")
  ciphertext << bf.update("line 2\n")
  ciphertext << bf.final
  p ciphertext

Still, I have a very hacked-together SSH client in
Ruby now, using the routines provided by this patch.

I look forward to reading it:)

regards,

···

`Jamis Buck <jgb3@email.byu.edu>' wrote:

--
gotoyuzo

Jamis Buck wrote:
> --
> Jamis Buck
> jgb3@email.byu.edu
> http://www.jamisbuck.org/jamis

> ruby -h | ruby -e
> 'a=[];readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/)
> {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

This signature is amazing! How long did it take you to come up with that? and what motivated you?

···

--
John Long

GOTOU Yuuzou wrote:

Thanks a lot. Your patch seems a good solution. It will be
applied when the CVS service's back.

But a question. In ossl_pkey_dh.c, you made
dh_bignum_accessors without using OSSL_PKEY_BN and
DEF_OSSL_PKEY_BN. Does these macro have any problem?

Hah! Forget I did that. I wrote those before I discovered the OSSL_PKEY_BN macros. I discovered them later and then used them (in the rsa and dsa modules). If you'd like, I'll fix the ossl_pkey_dh.c file and resubmit the patch. Let me know.

Cipher#update and Cipher#final return a String; it is a set
of streamable interface. I feel that Cipher#crypt may be
added if you need a block specific interface.

[snip]

Hmm. I tried all that, and it wouldn't give me the answer that the ssh server expected. Using Cipher#crypt, however, did (and it should, since it is modeled from the OpenSSH code).

Still, I have a very hacked-together SSH client in Ruby now, using the routines provided by this patch.

I look forward to reading it:)

I'm refactoring all of the (Net::SSH) code now, to make it more robust. I'm hoping to have something worthwhile to report in a few weeks.

Thanks!

···

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

ruby -h | ruby -e 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/) {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

I'd blame this this as motivation:
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?japh
it's pretty common for perlers to have such signatures.

But I dunno whether obfuscated code is a good advertisement for ruby. :wink:

···

* "John W. Long" <ng@johnwlong.com> wrote:

> --
> Jamis Buck
> jgb3@email.byu.edu
> http://www.jamisbuck.org/jamis
> ruby -h | ruby -e
> 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/)
> {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'
This signature is amazing! How long did it take you to come up with
that? and what motivated you?

John W. Long wrote:

Jamis Buck wrote:
> --
> Jamis Buck
> jgb3@email.byu.edu
> http://www.jamisbuck.org/jamis

> ruby -h | ruby -e
> 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/)
> {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

This signature is amazing! How long did it take you to come up with that? and what motivated you?

Hynek has it right -- it was inspired by the myriad "japh" sigs ("Just Another Perl Hacker"). And it took me far too long to come up with than I needed to spend on it. :wink:

Hynek is also right on another point: whereas Perl is more prone to obfuscation, one of the goals of Ruby is clarity. Thus, obfuscated sigs in Ruby are harder to generate than in Perl (IMO), and don't exactly encourage newbies to leap into Ruby. However, that doesn't keep some of us from writing them anyway... :wink:

···

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

ruby -h | ruby -e 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/) {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

Unfortunately, I've previously only posted to c.l.r from work, where I use
Google for usenet. So my nifty Ruby signature, which appears when I post from
my home newsreader, has not been seen on this newsgroup until now, even though
I've been using it since November.

···

--
Karl von Laudermann - karlvonl(a)rcn.com - http://www.geocities.com/~karlvonl
#!/usr/bin/env ruby
c=" .,:;i|+=ahHME8";def l(a,b,c)x=b-a;y=c-a;Math.sqrt(x*x+y*y)end;25.times{|y|
50.times{|x|print(l(12,x/2,y)<=12?((c[l(8,x/2,y).to_i]||36).chr):" ")};puts""}

can't wait to see that :slight_smile: I can think of several uses right off the top of my head.

cheers,
Mark

···

On Jun 13, 2004, at 4:50 PM, Jamis Buck wrote:

Still, I have a very hacked-together SSH client in Ruby now, using the routines provided by this patch.

I look forward to reading it:)

I'm refactoring all of the (Net::SSH) code now, to make it more robust. I'm hoping to have something worthwhile to report in a few weeks.

In message <40CCE7F9.2050500@email.byu.edu>,

GOTOU Yuuzou wrote:
> But a question. In ossl_pkey_dh.c, you made
> dh_bignum_accessors without using OSSL_PKEY_BN and
> DEF_OSSL_PKEY_BN. Does these macro have any problem?

Hah! Forget I did that. I wrote those before I discovered the
OSSL_PKEY_BN macros. I discovered them later and then used them (in the
rsa and dsa modules). If you'd like, I'll fix the ossl_pkey_dh.c file
and resubmit the patch. Let me know.

I did it. No need to re-post.

Hmm. I tried all that, and it wouldn't give me the answer that the ssh
server expected. Using Cipher#crypt, however, did (and it should, since
it is modeled from the OpenSSH code).

Hmm, Can I leave the decision to you?

regards,

···

`Jamis Buck <jgb3@email.byu.edu>' wrote:

--
gotoyuzo

Hehe, mine can even do cool graphics :wink:
(you need ImageMagick's display to see it)

···

On Tue, Jun 15, 2004 at 10:13:07PM +0900, Jamis Buck wrote:

John W. Long wrote:
>Jamis Buck wrote:
> > --
> > Jamis Buck
> > jgb3@email.byu.edu
> > http://www.jamisbuck.org/jamis
>
> > ruby -h | ruby -e
> > 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/)
> > {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'
>
>This signature is amazing! How long did it take you to come up with
>that? and what motivated you?

Hynek has it right -- it was inspired by the myriad "japh" sigs ("Just
Another Perl Hacker"). And it took me far too long to come up with than
I needed to spend on it. :wink:

Hynek is also right on another point: whereas Perl is more prone to
obfuscation, one of the goals of Ruby is clarity. Thus, obfuscated sigs
in Ruby are harder to generate than in Perl (IMO), and don't exactly
encourage newbies to leap into Ruby. However, that doesn't keep some of
us from writing them anyway... :wink:

--
ruby -rcomplex -e'c,m,w,h=Complex(-0.75,0.13),50,150,100;puts "P6\n#{w} #{h}\n255";(0...h).each{|j|(0...w).each{|i|n,
z=0,Complex(0.9*i/w,0.9*j/h);while n<=m&&(z-c).abs<3;z=z*z+c;n+=1 end;print [10+n*15,0,rand*99].pack("C*")}}'|display

Hi,

At Tue, 15 Jun 2004 22:13:07 +0900,
Jamis Buck wrote in [ruby-talk:103666]:

Hynek is also right on another point: whereas Perl is more prone to
obfuscation, one of the goals of Ruby is clarity. Thus, obfuscated sigs
in Ruby are harder to generate than in Perl (IMO), and don't exactly
encourage newbies to leap into Ruby. However, that doesn't keep some of
us from writing them anyway... :wink:

http://jarp.jin.gr.jp/ruby/jarh.rb

···

--
Nobu Nakada

Karl von Laudermann wrote:

Unfortunately, I've previously only posted to c.l.r from work, where I use Google for usenet. So my nifty Ruby signature, which appears when I post from my home newsreader, has not been seen on this newsgroup until now, even though I've been using it since November.

Amazing. That is nifty.

···

--
John

that's cool. Yet, it's missing the word ruby somewhere in the image :wink:

···

il Wed, 16 Jun 2004 22:07:06 -0400, Karl von Laudermann <karlvonl@rcn.com.invalid> ha scritto::

Unfortunately, I've previously only posted to c.l.r from work, where I use
Google for usenet. So my nifty Ruby signature, which appears when I post from
my home newsreader, has not been seen on this newsgroup until now, even though
I've been using it since November.

Mark Hubbart wrote:

can't wait to see that :slight_smile: I can think of several uses right off the top of my head.

I'm glad I'm not the only one that wants this. It's been a pretty challenging project! I've wanted this for some time, and I finally decided that it wasn't going to happen if I just kept waiting for someone else to do it. :slight_smile: I'm a little nervous about releasing it to the general public, since (as I've stressed before) cryptography is not by strong point, by any stretch of the imagination, and reading through the SSH specs has really emphasized that for me. I've sure learned a ton about it in the last 3 weeks, though! :slight_smile:

I finished refactoring my existing code just a few minutes ago. Now I've got the transport layer about 80% done and a proof-of-concept user-authentication service written (meaning it's really only about 10% done). To be written: the connection service, which (when finished) will be the real "meat and potatoes" of Net::SSH, since that will be the service that allows you to execute programs (for instance) on the remote host. Once that's done I'll probably bundle it up and release it, with the caveat that it's still experimental. At that point, I would REALLY appreciate feedback (and patches, preferably).

Also, I'm kind of lost as to how to write test cases for something like this. It's hard to (for instance) force the server to send something unexpected without writing your own server... :frowning: Any tips?

···

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

ruby -h | ruby -e 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/) {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

GOTOU Yuuzou wrote:

In message <40CCE7F9.2050500@email.byu.edu>,

GOTOU Yuuzou wrote:

But a question. In ossl_pkey_dh.c, you made
dh_bignum_accessors without using OSSL_PKEY_BN and
DEF_OSSL_PKEY_BN. Does these macro have any problem?

Hah! Forget I did that. I wrote those before I discovered the OSSL_PKEY_BN macros. I discovered them later and then used them (in the rsa and dsa modules). If you'd like, I'll fix the ossl_pkey_dh.c file and resubmit the patch. Let me know.

I did it. No need to re-post.

One other thing: I was advised off-list that the "crypt" method I added is unecessary, and I have verified that this is true. My problem was that I was not setting the padding. By setting the padding on the cipher to 0, I can use update/final without any problems. I.e.:

   c = OpenSSL::Cipher::Cipher.new(...)
   c.encrypt
   c.key = ...
   c.iv = ...
   c.padding = 0 # <-- this is what I was missing

   v = c.update( .... ) << c.final
   p v

So... if you haven't already applied the patch, I can send you another one. Or you can just remove the definition of that "crypt" method I added.

···

`Jamis Buck <jgb3@email.byu.edu>' wrote:

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

ruby -h | ruby -e 'a=;readlines.join.scan(/-(.)\[e|Kk(\S*)|le.l(..)e|#!(\S*)/) {|r| a << r.compact.first };puts "\n>#{a.join(%q/ /)}<\n\n"'

Very entertaining! Are all these yours? If you are collecting
them from other people, you may add mine if you wish:

   str = "aa tut Rnrehoec Jykusbrh"; srand 0; 0.upto(999) {|i|
   x = rand(23); str[x,2] = str[x,2].reverse! }; puts str

Hal

···

nobu.nokada@softhome.net wrote:

http://jarp.jin.gr.jp/ruby/jarh.rb

weite your own server too? :))

···

il Mon, 14 Jun 2004 12:37:43 +0900, Jamis Buck <jgb3@email.byu.edu> ha scritto::

Also, I'm kind of lost as to how to write test cases for something like
this. It's hard to (for instance) force the server to send something
unexpected without writing your own server... :frowning: Any tips?

In message <40CD9A0B.5020608@email.byu.edu>,

···

`Jamis Buck <jgb3@email.byu.edu>' wrote:

One other thing: I was advised off-list that the "crypt" method I added
is unecessary, and I have verified that this is true. My problem was
that I was not setting the padding. By setting the padding on the cipher
to 0, I can use update/final without any problems. I.e.:

   c = OpenSSL::Cipher::Cipher.new(...)
   c.encrypt
   c.key = ...
   c.iv = ...
   c.padding = 0 # <-- this is what I was missing

   v = c.update( .... ) << c.final
   p v

So... if you haven't already applied the patch, I can send you another
one. Or you can just remove the definition of that "crypt" method I added.

No problem. ossl_cipher.c was rolled back.

BTW, I'd like to change the type of the argument of Cipher#padding=.
It should take a boolean but an integer. (patch is attaced.)

# I'll add a workaround to treat backward compatibility if
# it is applied to Ruby 1.8.

regards,

--
gotoyuzo

--- ext/openssl/ossl_cipher.c 17 Sep 2003 09:05:02 -0000 1.4
+++ ext/openssl/ossl_cipher.c 14 Jun 2004 13:34:32 -0000
@@ -315,13 +282,16 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
static VALUE
ossl_cipher_set_padding(VALUE self, VALUE padding)
{
-#if defined(HAVE_ST_FLAGS)
+#if defined(HAVE_ST_FLAGS) || OPENSSL_VERSION_NUMBER >= 0x0090702fL
+ /*
+ * EVP_CIPHER_CTX_set_padding existed in an earlier versions of openssl.
+ * I don't know the exact version number, but it does exist in 0x0090702fL.
+ */
     EVP_CIPHER_CTX *ctx;

     GetCipher(self, ctx);
-
- if (EVP_CIPHER_CTX_set_padding(ctx, NUM2INT(padding)) != 1)
- ossl_raise(eCipherError, NULL);
+ if (EVP_CIPHER_CTX_set_padding(ctx, RTEST(padding)) != 1)
+ ossl_raise(eCipherError, NULL);
#else
     rb_notimplement();
#endif

Hal Fulton wrote:

···

nobu.nokada@softhome.net wrote:

http://jarp.jin.gr.jp/ruby/jarh.rb

Very entertaining! Are all these yours? If you are collecting
them from other people, you may add mine if you wish:

  str = "aa tut Rnrehoec Jykusbrh"; srand 0; 0.upto(999) {|i|
  x = rand(23); str[x,2] = str[x,2].reverse! }; puts str

Hal

Hmm, I wonder why it does not work in Ruby 1.6.8, it prints

R etJrbrhnotc uhaaku esy

Is it because rand() differs so much in 1.8?

Gennady.

I have just made my first signature

"J t ycuahR ksneuhetorbar".scan(/#{'(.)'*6}/).transpose.join
#=> "Just another Ruby hacker"

You are also welcome to add that sig too.. :wink:

···

On Tuesday 15 June 2004 20:44, Hal Fulton wrote:

nobu.nokada@softhome.net wrote:
> http://jarp.jin.gr.jp/ruby/jarh.rb

Very entertaining! Are all these yours? If you are collecting
them from other people, you may add mine if you wish:

   str = "aa tut Rnrehoec Jykusbrh"; srand 0; 0.upto(999) {|i|
   x = rand(23); str[x,2] = str[x,2].reverse! }; puts str

--
Simon Strandgaard