From 938a1e6aab2db9f0aab1fbe6b1056e999b3c03f3 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Thu, 9 Jan 2025 16:01:22 +0900 Subject: [PATCH 1/4] engine: remove constants for ENGINE_METHOD_BN_MOD_EXP{,_CRT} These macros do not exist in OpenSSL 0.9.7 or later, which was released in 2002. --- ext/openssl/ossl_engine.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c index bf9b50c4c..947d500c2 100644 --- a/ext/openssl/ossl_engine.c +++ b/ext/openssl/ossl_engine.c @@ -549,12 +549,6 @@ Init_ossl_engine(void) DefEngineConst(METHOD_DSA); DefEngineConst(METHOD_DH); DefEngineConst(METHOD_RAND); -#ifdef ENGINE_METHOD_BN_MOD_EXP - DefEngineConst(METHOD_BN_MOD_EXP); -#endif -#ifdef ENGINE_METHOD_BN_MOD_EXP_CRT - DefEngineConst(METHOD_BN_MOD_EXP_CRT); -#endif DefEngineConst(METHOD_CIPHERS); DefEngineConst(METHOD_DIGESTS); DefEngineConst(METHOD_ALL); From 9db621a5c0e0100dfa2030a4413c04bed472e978 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Sun, 19 Jan 2025 23:08:12 +0900 Subject: [PATCH 2/4] pkcs7: remove unnecessary const cast PKCS7_encrypt() and PKCS7_SIGNER_INFO_set() take const EVP_CIPHER and EVP_MD at least since OpenSSL 0.9.7. --- ext/openssl/ossl_pkcs7.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c index 2032e3259..e502c9542 100644 --- a/ext/openssl/ossl_pkcs7.c +++ b/ext/openssl/ossl_pkcs7.c @@ -325,7 +325,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass) BIO_free(in); rb_jump_tag(status); } - if(!(p7 = PKCS7_encrypt(x509s, in, (EVP_CIPHER*)ciph, flg))){ + if (!(p7 = PKCS7_encrypt(x509s, in, ciph, flg))) { BIO_free(in); sk_X509_pop_free(x509s, X509_free); ossl_raise(ePKCS7Error, NULL); @@ -947,7 +947,7 @@ ossl_pkcs7si_initialize(VALUE self, VALUE cert, VALUE key, VALUE digest) x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */ md = ossl_evp_get_digestbyname(digest); GetPKCS7si(self, p7si); - if (!(PKCS7_SIGNER_INFO_set(p7si, x509, pkey, (EVP_MD*)md))) { + if (!(PKCS7_SIGNER_INFO_set(p7si, x509, pkey, md))) { ossl_raise(ePKCS7Error, NULL); } From 38ec6fd50e638cd4ea0803765394065d555336c3 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Tue, 14 Jan 2025 21:49:12 +0900 Subject: [PATCH 3/4] Require OpenSSL 1.1.0 or later Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12. Most distributions that shipped with OpenSSL 1.0.2 have also reached EOL, or provide a newer version in the package repository: - RHEL 7 (EOL 2024-06) - Ubuntu 16.04 LTS (EOL 2021-04) - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via the openssl11{,-devel} package) --- .github/workflows/test.yml | 1 - ext/openssl/extconf.rb | 61 +--------- ext/openssl/openssl_missing.c | 40 ------- ext/openssl/openssl_missing.h | 202 --------------------------------- ext/openssl/ossl.c | 113 ------------------ ext/openssl/ossl_engine.c | 53 --------- ext/openssl/ossl_kdf.c | 8 +- ext/openssl/ossl_pkcs12.c | 4 - ext/openssl/ossl_pkey.c | 14 +-- ext/openssl/ossl_pkey_ec.c | 2 - ext/openssl/ossl_ssl.c | 67 ----------- ext/openssl/ossl_ts.c | 7 -- ext/openssl/ossl_x509.c | 28 +---- ext/openssl/ossl_x509ext.c | 4 - ext/openssl/ossl_x509store.c | 8 -- lib/openssl/ssl.rb | 3 +- test/openssl/test_kdf.rb | 3 - test/openssl/test_pkey.rb | 2 - test/openssl/test_x509store.rb | 7 +- 19 files changed, 16 insertions(+), 611 deletions(-) delete mode 100644 ext/openssl/openssl_missing.c diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8174bbdc5..9c94c6b39 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,6 @@ jobs: name-extra: [ '' ] openssl: # https://openssl-library.org/source/ - - openssl-1.0.2u # EOL - openssl-1.1.0l # EOL - openssl-1.1.1w # EOL 2023-09-11, still used by RHEL 8 and Ubuntu 20.04 - openssl-3.0.15 # Supported until 2026-09-07 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index bcce42284..55444e94a 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -60,7 +60,6 @@ def find_openssl_library if $mswin || $mingw # required for static OpenSSL libraries - have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen()) have_library("crypt32") end @@ -77,12 +76,6 @@ def find_openssl_library return true end - # OpenSSL <= 1.0.2: libeay32.lib and ssleay32.lib. - if have_library("libeay32", "CRYPTO_malloc") && - have_library("ssleay32", "SSL_new") - return true - end - # LibreSSL: libcrypto-##.lib and libssl-##.lib, where ## is the ABI version # number. We have to find the version number out by scanning libpath. libpath = $LIBPATH.dup @@ -124,11 +117,11 @@ def find_openssl_library try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") } else is_openssl = true - checking_for("OpenSSL version >= 1.0.2") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") } + checking_for("OpenSSL version >= 1.1.0") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10100000L", "openssl/opensslv.h") } end unless version_ok - raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.9.0 is required" + raise "OpenSSL >= 1.1.0 or LibreSSL >= 3.9.0 is required" end # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h @@ -138,64 +131,20 @@ def find_openssl_library Logging::message "=== Checking for OpenSSL features... ===\n" evp_h = "openssl/evp.h".freeze -x509_h = "openssl/x509.h".freeze ts_h = "openssl/ts.h".freeze ssl_h = "openssl/ssl.h".freeze # compile options have_func("RAND_egd()", "openssl/rand.h") -if is_openssl - engines = %w{dynamic 4758cca aep atalla chil - cswift nuron sureware ubsec padlock capi gmp gost cryptodev} - engines.each { |name| - have_func("ENGINE_load_#{name}()", "openssl/engine.h") - } -end -# added in 1.1.0 -if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl - $defs.push("-DHAVE_OPAQUE_OPENSSL") -end -have_func("EVP_MD_CTX_new()", evp_h) -have_func("EVP_MD_CTX_free(NULL)", evp_h) -have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h) -have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h) -have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h) -have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h) -have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h) -have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h) -have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h) -have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h) -have_func("X509_get0_tbs_sigalg(NULL)", x509_h) -have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h) -have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h) -have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h) -have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h") -have_func("SSL_CTX_get_ciphers(NULL)", ssl_h) -have_func("X509_up_ref(NULL)", x509_h) -have_func("X509_CRL_up_ref(NULL)", x509_h) -have_func("X509_STORE_up_ref(NULL)", x509_h) -have_func("SSL_SESSION_up_ref(NULL)", ssl_h) -have_func("EVP_PKEY_up_ref(NULL)", evp_h) -have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h) -have_func("SSL_CTX_get_security_level(NULL)", ssl_h) -have_func("X509_get0_notBefore(NULL)", x509_h) -have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h) -have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h) -have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h) -have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h) -have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h) -have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h) -have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h) -have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h) +# added in 1.1.0, currently not in LibreSSL have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h) -have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h) -have_func("X509_STORE_get0_param(NULL)", x509_h) # added in 1.1.1 have_func("EVP_PKEY_check(NULL)", evp_h) have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h) have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h) +have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h) # added in 3.0.0 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h) diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c deleted file mode 100644 index 5a6d23e10..000000000 --- a/ext/openssl/openssl_missing.c +++ /dev/null @@ -1,40 +0,0 @@ -/* - * 'OpenSSL for Ruby' project - * Copyright (C) 2001-2002 Michal Rokos - * All rights reserved. - */ -/* - * This program is licensed under the same licence as Ruby. - * (See the file 'COPYING'.) - */ -#include RUBY_EXTCONF_H - -#include /* memcpy() */ -#include - -#include "openssl_missing.h" - -/*** added in 1.1.0 ***/ -#if !defined(HAVE_X509_CRL_GET0_SIGNATURE) -void -ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg) -{ - if (psig != NULL) - *psig = crl->signature; - if (palg != NULL) - *palg = crl->sig_alg; -} -#endif - -#if !defined(HAVE_X509_REQ_GET0_SIGNATURE) -void -ossl_X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg) -{ - if (psig != NULL) - *psig = req->signature; - if (palg != NULL) - *palg = req->sig_alg; -} -#endif diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h index 0711f924e..eb5eaa6cf 100644 --- a/ext/openssl/openssl_missing.h +++ b/ext/openssl/openssl_missing.h @@ -12,204 +12,6 @@ #include "ruby/config.h" -/* added in 1.1.0 */ -#if !defined(HAVE_EVP_MD_CTX_NEW) -# define EVP_MD_CTX_new EVP_MD_CTX_create -#endif - -#if !defined(HAVE_EVP_MD_CTX_FREE) -# define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif - -#if !defined(HAVE_X509_STORE_GET_EX_DATA) -# define X509_STORE_get_ex_data(x, idx) \ - CRYPTO_get_ex_data(&(x)->ex_data, (idx)) -#endif - -#if !defined(HAVE_X509_STORE_SET_EX_DATA) -# define X509_STORE_set_ex_data(x, idx, data) \ - CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data)) -#endif - -#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index) -# define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \ - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \ - (newf), (dupf), (freef)) -#endif - -#if !defined(HAVE_X509_CRL_GET0_SIGNATURE) -void ossl_X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **); -# define X509_CRL_get0_signature ossl_X509_CRL_get0_signature -#endif - -#if !defined(HAVE_X509_REQ_GET0_SIGNATURE) -void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **); -# define X509_REQ_get0_signature ossl_X509_REQ_get0_signature -#endif - -#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER) -# define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber) -#endif - -#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE) -# define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate) -#endif - -#if !defined(HAVE_X509_GET0_TBS_SIGALG) -# define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature) -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED) -# define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted) -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_CERT) -# define X509_STORE_CTX_get0_cert(x) ((x)->cert) -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN) -# define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx) -#endif - -#if !defined(HAVE_OCSP_SINGLERESP_GET0_ID) -# define OCSP_SINGLERESP_get0_id(s) ((s)->certId) -#endif - -#if !defined(HAVE_SSL_CTX_GET_CIPHERS) -# define SSL_CTX_get_ciphers(ctx) ((ctx)->cipher_list) -#endif - -#if !defined(HAVE_X509_UP_REF) -# define X509_up_ref(x) \ - CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509) -#endif - -#if !defined(HAVE_X509_CRL_UP_REF) -# define X509_CRL_up_ref(x) \ - CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_CRL); -#endif - -#if !defined(HAVE_X509_STORE_UP_REF) -# define X509_STORE_up_ref(x) \ - CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_STORE); -#endif - -#if !defined(HAVE_SSL_SESSION_UP_REF) -# define SSL_SESSION_up_ref(x) \ - CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_SSL_SESSION); -#endif - -#if !defined(HAVE_EVP_PKEY_UP_REF) -# define EVP_PKEY_up_ref(x) \ - CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY); -#endif - -#if !defined(HAVE_OPAQUE_OPENSSL) -#define IMPL_PKEY_GETTER(_type, _name) \ -static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \ - return pkey->pkey._name; } -#define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \ -static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2) { \ - if (a1) *a1 = obj->a1; \ - if (a2) *a2 = obj->a2; } \ -static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \ - if (_fail_cond) return 0; \ - BN_clear_free(obj->a1); obj->a1 = a1; \ - BN_clear_free(obj->a2); obj->a2 = a2; \ - return 1; } -#define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \ -static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \ - if (a1) *a1 = obj->a1; \ - if (a2) *a2 = obj->a2; \ - if (a3) *a3 = obj->a3; } \ -static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2, BIGNUM *a3) { \ - if (_fail_cond) return 0; \ - BN_clear_free(obj->a1); obj->a1 = a1; \ - BN_clear_free(obj->a2); obj->a2 = a2; \ - BN_clear_free(obj->a3); obj->a3 = a3; \ - return 1; } - -#if !defined(OPENSSL_NO_RSA) -IMPL_PKEY_GETTER(RSA, rsa) -IMPL_KEY_ACCESSOR3(RSA, key, n, e, d, (n == obj->n || e == obj->e || (obj->d && d == obj->d))) -IMPL_KEY_ACCESSOR2(RSA, factors, p, q, (p == obj->p || q == obj->q)) -IMPL_KEY_ACCESSOR3(RSA, crt_params, dmp1, dmq1, iqmp, (dmp1 == obj->dmp1 || dmq1 == obj->dmq1 || iqmp == obj->iqmp)) -#endif - -#if !defined(OPENSSL_NO_DSA) -IMPL_PKEY_GETTER(DSA, dsa) -IMPL_KEY_ACCESSOR2(DSA, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key))) -IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g)) -#endif - -#if !defined(OPENSSL_NO_DH) -IMPL_PKEY_GETTER(DH, dh) -IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key))) -IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || (obj->q && q == obj->q) || g == obj->g)) -static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; } -#endif - -#if !defined(OPENSSL_NO_EC) -IMPL_PKEY_GETTER(EC_KEY, ec) -#endif - -#undef IMPL_PKEY_GETTER -#undef IMPL_KEY_ACCESSOR2 -#undef IMPL_KEY_ACCESSOR3 -#endif /* HAVE_OPAQUE_OPENSSL */ - -#if !defined(EVP_CTRL_AEAD_GET_TAG) -# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG -# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG -# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN -#endif - -#if !defined(HAVE_X509_GET0_NOTBEFORE) -# define X509_get0_notBefore(x) X509_get_notBefore(x) -# define X509_get0_notAfter(x) X509_get_notAfter(x) -# define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x) -# define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x) -# define X509_set1_notBefore(x, t) X509_set_notBefore(x, t) -# define X509_set1_notAfter(x, t) X509_set_notAfter(x, t) -# define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t) -# define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t) -#endif - -#if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION) -# define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version) -#endif - -#if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS) -# define TS_STATUS_INFO_get0_status(a) ((a)->status) -#endif - -#if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT) -# define TS_STATUS_INFO_get0_text(a) ((a)->text) -#endif - -#if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO) -# define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info) -#endif - -#if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS) -# define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts)) -#endif - -#if !defined(HAVE_TS_VERIFY_CTX_SET_STORE) -# define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str)) -#endif - -#if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS) -# define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f)) -#endif - -#if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB) -# define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \ - (ctx)->time_cb = (callback); \ - (ctx)->time_cb_data = (dta); \ - } while (0) -#endif - /* added in 3.0.0 */ #if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS) # define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts) @@ -224,11 +26,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec) * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0. */ #ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX -# ifdef HAVE_EVP_MD_CTX_PKEY_CTX # define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x) -# else -# define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx -# endif #endif #ifndef HAVE_EVP_PKEY_EQ diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index a9bfc6bdc..3bdb18e10 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -10,13 +10,6 @@ #include "ossl.h" #include /* for ossl_raise */ -/* OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0 */ -#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000 -# define HAVE_OPENSSL_110_THREADING_API -#else -# include -#endif - /* * Data Conversion */ @@ -463,97 +456,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled) #endif } -#if !defined(HAVE_OPENSSL_110_THREADING_API) -/** - * Stores locks needed for OpenSSL thread safety - */ -struct CRYPTO_dynlock_value { - rb_nativethread_lock_t lock; - rb_nativethread_id_t owner; - size_t count; -}; - -static void -ossl_lock_init(struct CRYPTO_dynlock_value *l) -{ - rb_nativethread_lock_initialize(&l->lock); - l->count = 0; -} - -static void -ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l) -{ - if (mode & CRYPTO_LOCK) { - /* TODO: rb_nativethread_id_t is not necessarily compared with ==. */ - rb_nativethread_id_t tid = rb_nativethread_self(); - if (l->count && l->owner == tid) { - l->count++; - return; - } - rb_nativethread_lock_lock(&l->lock); - l->owner = tid; - l->count = 1; - } else { - if (!--l->count) - rb_nativethread_lock_unlock(&l->lock); - } -} - -static struct CRYPTO_dynlock_value * -ossl_dyn_create_callback(const char *file, int line) -{ - /* Do not use xmalloc() here, since it may raise NoMemoryError */ - struct CRYPTO_dynlock_value *dynlock = - OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value)); - if (dynlock) - ossl_lock_init(dynlock); - return dynlock; -} - -static void -ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line) -{ - ossl_lock_unlock(mode, l); -} - -static void -ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int line) -{ - rb_nativethread_lock_destroy(&l->lock); - OPENSSL_free(l); -} - -static void ossl_threadid_func(CRYPTO_THREADID *id) -{ - /* register native thread id */ - CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self()); -} - -static struct CRYPTO_dynlock_value *ossl_locks; - -static void -ossl_lock_callback(int mode, int type, const char *file, int line) -{ - ossl_lock_unlock(mode, &ossl_locks[type]); -} - -static void Init_ossl_locks(void) -{ - int i; - int num_locks = CRYPTO_num_locks(); - - ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks); - for (i = 0; i < num_locks; i++) - ossl_lock_init(&ossl_locks[i]); - - CRYPTO_THREADID_set_callback(ossl_threadid_func); - CRYPTO_set_locking_callback(ossl_lock_callback); - CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback); - CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback); - CRYPTO_set_dynlock_destroy_callback(ossl_dyn_destroy_callback); -} -#endif /* !HAVE_OPENSSL_110_THREADING_API */ - /* * call-seq: * OpenSSL.fixed_length_secure_compare(string, string) -> boolean @@ -1050,15 +952,8 @@ Init_openssl(void) /* * Init all digests, ciphers */ -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL if (!OPENSSL_init_ssl(0, NULL)) rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl"); -#else - OpenSSL_add_ssl_algorithms(); - OpenSSL_add_all_algorithms(); - ERR_load_crypto_strings(); - SSL_load_error_strings(); -#endif /* * Init main module @@ -1075,11 +970,7 @@ Init_openssl(void) /* * Version of OpenSSL the ruby OpenSSL extension is running with */ -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION))); -#else - rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION))); -#endif /* * Version number of OpenSSL the ruby OpenSSL extension was built with @@ -1143,10 +1034,6 @@ Init_openssl(void) */ ossl_s_to_der = rb_intern("to_der"); -#if !defined(HAVE_OPENSSL_110_THREADING_API) - Init_ossl_locks(); -#endif - /* * Init components */ diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c index 947d500c2..cb08049a8 100644 --- a/ext/openssl/ossl_engine.c +++ b/ext/openssl/ossl_engine.c @@ -47,7 +47,6 @@ static VALUE eEngineError; /* * Private */ -#if OSSL_OPENSSL_PREREQ(1, 1, 0) #define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x) \ do{\ if(!strcmp(#engine_name, RSTRING_PTR(name))){\ @@ -57,15 +56,6 @@ do{\ ossl_raise(eEngineError, "OPENSSL_init_crypto"); \ }\ }while(0) -#else -#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x) \ -do{\ - if(!strcmp(#engine_name, RSTRING_PTR(name))){\ - ENGINE_load_##engine_name();\ - return Qtrue;\ - }\ -}while(0) -#endif static void ossl_engine_free(void *engine) @@ -102,50 +92,10 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass) return Qtrue; } StringValueCStr(name); -#ifdef HAVE_ENGINE_LOAD_DYNAMIC OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC); -#endif -#ifndef OPENSSL_NO_STATIC_ENGINE -#ifdef HAVE_ENGINE_LOAD_4758CCA - OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA); -#endif -#ifdef HAVE_ENGINE_LOAD_AEP - OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP); -#endif -#ifdef HAVE_ENGINE_LOAD_ATALLA - OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA); -#endif -#ifdef HAVE_ENGINE_LOAD_CHIL - OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL); -#endif -#ifdef HAVE_ENGINE_LOAD_CSWIFT - OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT); -#endif -#ifdef HAVE_ENGINE_LOAD_NURON - OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON); -#endif -#ifdef HAVE_ENGINE_LOAD_SUREWARE - OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE); -#endif -#ifdef HAVE_ENGINE_LOAD_UBSEC - OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC); -#endif -#ifdef HAVE_ENGINE_LOAD_PADLOCK OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK); -#endif -#ifdef HAVE_ENGINE_LOAD_CAPI OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI); -#endif -#ifdef HAVE_ENGINE_LOAD_GMP - OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP); -#endif -#ifdef HAVE_ENGINE_LOAD_GOST - OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST); -#endif -#endif -#ifdef HAVE_ENGINE_LOAD_CRYPTODEV OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV); -#endif OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL); rb_warning("no such builtin loader for `%"PRIsVALUE"'", name); return Qnil; @@ -163,9 +113,6 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass) static VALUE ossl_engine_s_cleanup(VALUE self) { -#if !OSSL_OPENSSL_PREREQ(1, 1, 0) - ENGINE_cleanup(); -#endif return Qnil; } diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c index 666626dc5..f349939a8 100644 --- a/ext/openssl/ossl_kdf.c +++ b/ext/openssl/ossl_kdf.c @@ -3,9 +3,7 @@ * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors */ #include "ossl.h" -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL -# include -#endif +#include static VALUE mKDF, eKDF; @@ -141,7 +139,6 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self) } #endif -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL /* * call-seq: * KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String @@ -238,7 +235,6 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self) return str; } -#endif void Init_ossl_kdf(void) @@ -305,7 +301,5 @@ Init_ossl_kdf(void) #if defined(HAVE_EVP_PBE_SCRYPT) rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1); #endif -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1); -#endif } diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c index bda90aec3..2466b5565 100644 --- a/ext/openssl/ossl_pkcs12.c +++ b/ext/openssl/ossl_pkcs12.c @@ -201,12 +201,8 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self) BIO_free(in); pkey = cert = ca = Qnil; - /* OpenSSL's bug; PKCS12_parse() puts errors even if it succeeds. - * Fixed in OpenSSL 1.0.0t, 1.0.1p, 1.0.2d */ - ERR_set_mark(); if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s)) ossl_raise(ePKCS12Error, "PKCS12_parse"); - ERR_pop_to_mark(); if (key) { pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st); if (st) goto err; diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 09036d4b6..f7862002b 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -517,8 +517,7 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey) if (EVP_PKEY_missing_parameters(pkey)) ossl_raise(ePKeyError, "parameters missing"); - /* OpenSSL < 1.1.0 takes non-const pointer */ - ptr = EVP_PKEY_get0((EVP_PKEY *)pkey); + ptr = EVP_PKEY_get0(pkey); switch (EVP_PKEY_base_id(pkey)) { case EVP_PKEY_RSA: RSA_get0_key(ptr, &n, &e, NULL); @@ -799,20 +798,9 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der) } } else { -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0, ossl_pem_passwd_cb, (void *)pass)) { -#else - char pem_str[80]; - const char *aname; - - EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, pkey->ameth); - snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname); - if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio, - pkey, enc, NULL, 0, ossl_pem_passwd_cb, - (void *)pass)) { -#endif BIO_free(bio); ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional"); } diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index 9852be6d3..810440f3d 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -1609,9 +1609,7 @@ void Init_ossl_ec(void) ID_hybrid = rb_intern("hybrid"); rb_define_const(cEC, "NAMED_CURVE", INT2NUM(OPENSSL_EC_NAMED_CURVE)); -#if defined(OPENSSL_EC_EXPLICIT_CURVE) rb_define_const(cEC, "EXPLICIT_CURVE", INT2NUM(OPENSSL_EC_EXPLICIT_CURVE)); -#endif rb_define_singleton_method(cEC, "builtin_curves", ossl_s_builtin_curves, 0); diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index a6545f2c7..712689411 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -85,11 +85,7 @@ ossl_sslctx_s_alloc(VALUE klass) VALUE obj; obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0); -#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) ctx = SSL_CTX_new(TLS_method()); -#else - ctx = SSL_CTX_new(SSLv23_method()); -#endif if (!ctx) { ossl_raise(eSSLError, "SSL_CTX_new"); } @@ -97,19 +93,6 @@ ossl_sslctx_s_alloc(VALUE klass) RTYPEDDATA_DATA(obj) = ctx; SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj); -#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \ - !defined(LIBRESSL_VERSION_NUMBER) - /* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It - * allows to specify multiple curve names and OpenSSL will select - * automatically from them. In OpenSSL 1.0.2, the automatic selection has to - * be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob - * and it is always enabled. To uniform the behavior, we enable the - * automatic selection also in 1.0.2. Users can still disable ECDH by - * removing ECDH cipher suites by SSLContext#ciphers=. */ - if (!SSL_CTX_set_ecdh_auto(ctx, 1)) - ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto"); -#endif - return obj; } @@ -162,40 +145,10 @@ ossl_sslctx_set_minmax_proto_version(VALUE self, VALUE min_v, VALUE max_v) min = parse_proto_version(min_v); max = parse_proto_version(max_v); -#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION if (!SSL_CTX_set_min_proto_version(ctx, min)) ossl_raise(eSSLError, "SSL_CTX_set_min_proto_version"); if (!SSL_CTX_set_max_proto_version(ctx, max)) ossl_raise(eSSLError, "SSL_CTX_set_max_proto_version"); -#else - { - unsigned long sum = 0, opts = 0; - int i; - static const struct { - int ver; - unsigned long opts; - } options_map[] = { - { SSL2_VERSION, SSL_OP_NO_SSLv2 }, - { SSL3_VERSION, SSL_OP_NO_SSLv3 }, - { TLS1_VERSION, SSL_OP_NO_TLSv1 }, - { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 }, - { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 }, -# if defined(TLS1_3_VERSION) - { TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 }, -# endif - }; - - for (i = 0; i < numberof(options_map); i++) { - sum |= options_map[i].opts; - if ((min && min > options_map[i].ver) || - (max && max < options_map[i].ver)) { - opts |= options_map[i].opts; - } - } - SSL_CTX_clear_options(ctx, sum); - SSL_CTX_set_options(ctx, opts); - } -#endif return Qnil; } @@ -335,11 +288,7 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } if (ret != Qtrue) { preverify_ok = 0; -#if defined(X509_V_ERR_HOSTNAME_MISMATCH) X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH); -#else - X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED); -#endif } } @@ -361,11 +310,7 @@ ossl_call_session_get_cb(VALUE ary) } static SSL_SESSION * -#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000 ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy) -#else -ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy) -#endif { VALUE ary, ssl_obj, ret_obj; SSL_SESSION *sess; @@ -1203,12 +1148,7 @@ ossl_sslctx_get_security_level(VALUE self) GetSSLCTX(self, ctx); -#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) return INT2NUM(SSL_CTX_get_security_level(ctx)); -#else - (void)ctx; - return INT2FIX(0); -#endif } /* @@ -1238,14 +1178,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) rb_check_frozen(self); GetSSLCTX(self, ctx); -#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL) SSL_CTX_set_security_level(ctx, NUM2INT(value)); -#else - (void)ctx; - if (NUM2INT(value) != 0) - ossl_raise(rb_eNotImpError, "setting security level to other than 0 is " - "not supported in this version of OpenSSL"); -#endif return value; } diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c index 87bfa968c..7318fe007 100644 --- a/ext/openssl/ossl_ts.c +++ b/ext/openssl/ossl_ts.c @@ -620,14 +620,7 @@ ossl_ts_resp_get_failure_info(VALUE self) { TS_RESP *resp; TS_STATUS_INFO *si; - - /* The ASN1_BIT_STRING_get_bit changed from 1.0.0. to 1.1.0, making this - * const. */ - #if defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO) const ASN1_BIT_STRING *fi; - #else - ASN1_BIT_STRING *fi; - #endif GetTSResponse(self, resp); si = TS_RESP_get_status_info(resp); diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index 9686fc1a9..8f7e38c45 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -48,9 +48,7 @@ Init_ossl_x509(void) /* Certificate verification error code */ DefX509Const(V_OK); -#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */ DefX509Const(V_ERR_UNSPECIFIED); -#endif DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT); DefX509Const(V_ERR_UNABLE_TO_GET_CRL); DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE); @@ -104,10 +102,10 @@ Init_ossl_x509(void) DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX); DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX); DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR); -#if defined(X509_V_ERR_PATH_LOOP) +#if defined(X509_V_ERR_PATH_LOOP) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_PATH_LOOP); #endif -#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) +#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_SUITE_B_INVALID_VERSION); DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM); DefX509Const(V_ERR_SUITE_B_INVALID_CURVE); @@ -118,24 +116,18 @@ Init_ossl_x509(void) DefX509Const(V_ERR_HOSTNAME_MISMATCH); DefX509Const(V_ERR_EMAIL_MISMATCH); DefX509Const(V_ERR_IP_ADDRESS_MISMATCH); -#if defined(X509_V_ERR_DANE_NO_MATCH) +#if defined(X509_V_ERR_DANE_NO_MATCH) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_DANE_NO_MATCH); #endif -#if defined(X509_V_ERR_EE_KEY_TOO_SMALL) DefX509Const(V_ERR_EE_KEY_TOO_SMALL); DefX509Const(V_ERR_CA_KEY_TOO_SMALL); DefX509Const(V_ERR_CA_MD_TOO_WEAK); -#endif -#if defined(X509_V_ERR_INVALID_CALL) DefX509Const(V_ERR_INVALID_CALL); -#endif -#if defined(X509_V_ERR_STORE_LOOKUP) DefX509Const(V_ERR_STORE_LOOKUP); -#endif -#if defined(X509_V_ERR_NO_VALID_SCTS) +#if defined(X509_V_ERR_NO_VALID_SCTS) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_NO_VALID_SCTS); #endif -#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) +#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION); #endif #if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) @@ -189,17 +181,13 @@ Init_ossl_x509(void) * certificate chain, search the Store first for the issuer certificate. * Enabled by default in OpenSSL >= 1.1.0. */ DefX509Const(V_FLAG_TRUSTED_FIRST); -#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY) +#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY) /* OpenSSL 1.1.0, missing in LibreSSL */ /* Set by Store#flags= and StoreContext#flags=. * Enables Suite B 128 bit only mode. */ DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY); -#endif -#if defined(X509_V_FLAG_SUITEB_192_LOS) /* Set by Store#flags= and StoreContext#flags=. * Enables Suite B 192 bit only mode. */ DefX509Const(V_FLAG_SUITEB_192_LOS); -#endif -#if defined(X509_V_FLAG_SUITEB_128_LOS) /* Set by Store#flags= and StoreContext#flags=. * Enables Suite B 128 bit mode allowing 192 bit algorithms. */ DefX509Const(V_FLAG_SUITEB_128_LOS); @@ -207,17 +195,13 @@ Init_ossl_x509(void) /* Set by Store#flags= and StoreContext#flags=. * Allows partial chains if at least one certificate is in trusted store. */ DefX509Const(V_FLAG_PARTIAL_CHAIN); -#if defined(X509_V_FLAG_NO_ALT_CHAINS) /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for * a alternative chain. No effect in OpenSSL >= 1.1.0. */ DefX509Const(V_FLAG_NO_ALT_CHAINS); -#endif -#if defined(X509_V_FLAG_NO_CHECK_TIME) /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the * validity period of certificates and CRLs. No effect when the current * time is explicitly set by Store#time= or StoreContext#time=. */ DefX509Const(V_FLAG_NO_CHECK_TIME); -#endif /* Set by Store#purpose=. SSL/TLS client. */ DefX509Const(PURPOSE_SSL_CLIENT); diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c index bb1808fc1..c1e01f2b4 100644 --- a/ext/openssl/ossl_x509ext.c +++ b/ext/openssl/ossl_x509ext.c @@ -230,11 +230,7 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self) conf = NIL_P(rconf) ? NULL : GetConfig(rconf); X509V3_set_nconf(ctx, conf); -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL ext = X509V3_EXT_nconf(conf, ctx, oid_cstr, RSTRING_PTR(valstr)); -#else - ext = X509V3_EXT_nconf(conf, ctx, (char *)oid_cstr, RSTRING_PTR(valstr)); -#endif X509V3_set_ctx_nodb(ctx); if (!ext){ ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr); diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index c99ed8f4a..c707160ea 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -212,10 +212,6 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self) GetX509Store(self, store); if (argc != 0) rb_warn("OpenSSL::X509::Store.new does not take any arguments"); -#if !defined(HAVE_OPAQUE_OPENSSL) - /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */ - store->ex_data.sk = NULL; -#endif X509_STORE_set_verify_cb(store, x509store_verify_cb); ossl_x509store_set_vfy_cb(self, Qnil); @@ -332,11 +328,7 @@ ossl_x509store_set_time(VALUE self, VALUE time) X509_VERIFY_PARAM *param; GetX509Store(self, store); -#ifdef HAVE_X509_STORE_GET0_PARAM param = X509_STORE_get0_param(store); -#else - param = store->param; -#endif X509_VERIFY_PARAM_set_time(param, NUM2LONG(rb_Integer(time))); return time; } diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index d6cb260f9..1cc16d9b1 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -51,8 +51,7 @@ class SSLContext } end - if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") && - OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000) + if !OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") DEFAULT_PARAMS.merge!( min_version: OpenSSL::SSL::TLS1_VERSION, ciphers: %w{ diff --git a/test/openssl/test_kdf.rb b/test/openssl/test_kdf.rb index f4790c96a..6a12a25aa 100644 --- a/test/openssl/test_kdf.rb +++ b/test/openssl/test_kdf.rb @@ -132,7 +132,6 @@ def test_scrypt_rfc7914_second end def test_hkdf_rfc5869_test_case_1 - pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 hash = "sha256" ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b") salt = B("000102030405060708090a0b0c") @@ -146,7 +145,6 @@ def test_hkdf_rfc5869_test_case_1 end def test_hkdf_rfc5869_test_case_3 - pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 hash = "sha256" ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b") salt = B("") @@ -160,7 +158,6 @@ def test_hkdf_rfc5869_test_case_3 end def test_hkdf_rfc5869_test_case_4 - pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0 hash = "sha1" ikm = B("0b0b0b0b0b0b0b0b0b0b0b") salt = B("000102030405060708090a0b0c") diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb index f132b6588..3c0fc5698 100644 --- a/test/openssl/test_pkey.rb +++ b/test/openssl/test_pkey.rb @@ -11,7 +11,6 @@ def test_generic_oid_inspect_rsa end def test_generic_oid_inspect_x25519 - omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0) omit_on_fips # X25519 private key @@ -136,7 +135,6 @@ def test_ed25519 end def test_x25519 - omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0) omit_on_fips # Test vector from RFC 7748 Section 6.1 diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 93e24e02b..745ae7dd1 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -329,15 +329,12 @@ def test_verify_with_crl end def test_add_cert_duplicate - # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error - # if the given certificate is already in the X509_STORE - return unless openssl? && !openssl?(1, 1, 0) ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) - assert_raise(OpenSSL::X509::StoreError){ + assert_nothing_raised { store.add_cert(ca1_cert) # add same certificate twice } @@ -349,7 +346,7 @@ def test_add_cert_duplicate crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], ca1_cert, ca1_key, "sha256") store.add_crl(crl1) - assert_raise(OpenSSL::X509::StoreError){ + assert_nothing_raised { store.add_crl(crl2) # add CRL issued by same CA twice. } end From 78d028c3321515ec313c70b7a6701a3ae28d6ae3 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Thu, 16 Jan 2025 00:26:06 +0900 Subject: [PATCH 4/4] extconf.rb: remove dir_config("kerberos") The dir_config was introduced by Ruby trunk r4181. Since support for Kerberos cipher suites has been removed in OpenSSL 1.1.0, it is no longer necessary. Although ruby/openssl did not directly depend on the MIT Kerberos library, it was an optional transitive dependency. Unless it was disabled by a compile-time option, the OpenSSL headers would try to include . --- ext/openssl/extconf.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 55444e94a..9eaf4d482 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -34,8 +34,6 @@ "library directories." end -dir_config("kerberos") - Logging::message "=== OpenSSL for Ruby configurator ===\n" $defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")