From cd91cef59078b92805a9a8aaafbfe89691261085 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Tue, 21 Jan 2025 02:47:06 +0900 Subject: [PATCH 1/2] pkey/dh: do not skip test_params_ok? on LibreSSL --- test/openssl/test_pkey_dh.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb index d32ffaf6b..45911968e 100644 --- a/test/openssl/test_pkey_dh.rb +++ b/test/openssl/test_pkey_dh.rb @@ -111,7 +111,7 @@ def test_params_ok? # applying the following commits in OpenSSL 1.1.1d to make `DH_check` # function pass the RFC 7919 FFDHE group texts. # https://github.com/openssl/openssl/pull/9435 - unless openssl?(1, 1, 1, 4) + if openssl? && !openssl?(1, 1, 1, 4) pend 'DH check for RFC 7919 FFDHE group texts is not implemented' end From ba83abe92068decab8337c75bb6a50a56903a150 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Tue, 21 Jan 2025 02:08:54 +0900 Subject: [PATCH 2/2] Require OpenSSL 1.1.1 or later Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2. Distributions that shipped with OpenSSL 1.1.0 include: - Debian 9 (EOL 2022-06) - Ubuntu 18.04 LTS (EOL 2023-04) --- .github/workflows/test.yml | 1 - ext/openssl/extconf.rb | 11 ++---- ext/openssl/ossl_hmac.c | 8 ---- ext/openssl/ossl_pkey.c | 49 ----------------------- ext/openssl/ossl_rand.c | 2 - ext/openssl/ossl_ssl.c | 28 ++++--------- ext/openssl/ossl_x509.c | 2 +- ext/openssl/ossl_x509store.c | 9 ----- test/openssl/test_pkey.rb | 6 --- test/openssl/test_ssl.rb | 68 +++++++++++--------------------- test/openssl/test_ssl_session.rb | 7 ---- test/openssl/test_x509cert.rb | 1 - test/openssl/test_x509crl.rb | 1 - test/openssl/test_x509req.rb | 1 - test/openssl/utils.rb | 8 ---- 15 files changed, 37 insertions(+), 165 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9c94c6b39..6cad988ba 100644 
--- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,6 @@ jobs: name-extra: [ '' ] openssl: # https://openssl-library.org/source/ - - openssl-1.1.0l # EOL - openssl-1.1.1w # EOL 2023-09-11, still used by RHEL 8 and Ubuntu 20.04 - openssl-3.0.15 # Supported until 2026-09-07 - openssl-3.1.7 # Supported until 2025-03-14 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 9eaf4d482..249444135 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -115,11 +115,11 @@ def find_openssl_library try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") } else is_openssl = true - checking_for("OpenSSL version >= 1.1.0") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10100000L", "openssl/opensslv.h") } + checking_for("OpenSSL version >= 1.1.1") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10101000L", "openssl/opensslv.h") } end unless version_ok - raise "OpenSSL >= 1.1.0 or LibreSSL >= 3.9.0 is required" + raise "OpenSSL >= 1.1.1 or LibreSSL >= 3.9.0 is required" end # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h @@ -138,11 +138,8 @@ def find_openssl_library # added in 1.1.0, currently not in LibreSSL have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h) -# added in 1.1.1 +# added in OpenSSL 1.1.1 and LibreSSL 3.5.0, then removed in LibreSSL 4.0.0 have_func("EVP_PKEY_check(NULL)", evp_h) -have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h) -have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h) -have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h) # added in 3.0.0 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h) diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index c1875005c..3aa7aead4 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c 
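Review bot: The new static assert in find_openssl_library compares against `0x10101000L`, whose low status nibble is 0, so OpenSSL 1.1.1 development and beta builds pass it as well as the 1.1.1 release (`0x1010100fL`). Those pre-releases shipped draft TLS 1.3 versions, while the rest of this commit starts treating the TLS 1.3 symbols and behaviour as unconditionally present. If only released 1.1.1 is meant to be supported, tighten the check to `try_static_assert("OPENSSL_VERSION_NUMBER >= 0x1010100fL", "openssl/opensslv.h")`; otherwise add a one-line comment saying pre-releases are knowingly accepted. The method starts and ends outside the hunk.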
@@ -97,19 +97,11 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) GetHMAC(self, ctx); StringValue(key); -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, (unsigned char *)RSTRING_PTR(key), RSTRING_LENINT(key)); if (!pkey) ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key"); -#else - pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, - (unsigned char *)RSTRING_PTR(key), - RSTRING_LENINT(key)); - if (!pkey) - ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); -#endif if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), NULL, pkey) != 1) { EVP_PKEY_free(pkey); diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index f7862002b..207d1fa36 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -634,7 +634,6 @@ ossl_pkey_initialize_copy(VALUE self, VALUE other) } #endif -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY /* * call-seq: * OpenSSL::PKey.new_raw_private_key(algo, string) -> PKey @@ -665,9 +664,7 @@ ossl_pkey_new_raw_private_key(VALUE self, VALUE type, VALUE key) return ossl_pkey_new(pkey); } -#endif -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY /* * call-seq: * OpenSSL::PKey.new_raw_public_key(algo, string) -> PKey @@ -698,7 +695,6 @@ ossl_pkey_new_raw_public_key(VALUE self, VALUE type, VALUE key) return ossl_pkey_new(pkey); } -#endif /* * call-seq: @@ -889,7 +885,6 @@ ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self) return do_pkcs8_export(argc, argv, self, 0); } -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY /* * call-seq: * pkey.raw_private_key => string @@ -916,7 +911,6 @@ ossl_pkey_raw_private_key(VALUE self) return str; } -#endif VALUE ossl_pkey_export_spki(VALUE self, int to_der) @@ -973,7 +967,6 @@ ossl_pkey_public_to_pem(VALUE self) return ossl_pkey_export_spki(self, 0); } -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY /* * call-seq: * pkey.raw_public_key => string @@ -1000,7 +993,6 @@ ossl_pkey_raw_public_key(VALUE self) return str; } -#endif /* * call-seq: 
@@ -1104,7 +1096,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { EVP_MD_CTX_free(ctx); @@ -1125,30 +1116,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self) EVP_MD_CTX_free(ctx); ossl_raise(ePKeyError, "EVP_DigestSign"); } -#else - if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { - EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_DigestSignUpdate"); - } - if (EVP_DigestSignFinal(ctx, NULL, &siglen) < 1) { - EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_DigestSignFinal"); - } - if (siglen > LONG_MAX) { - EVP_MD_CTX_free(ctx); - rb_raise(ePKeyError, "signature would be too large"); - } - sig = ossl_str_new(NULL, (long)siglen, &state); - if (state) { - EVP_MD_CTX_free(ctx); - rb_jump_tag(state); - } - if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(sig), - &siglen) < 1) { - EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_DigestSignFinal"); - } -#endif EVP_MD_CTX_free(ctx); rb_str_set_len(sig, siglen); return sig; @@ -1209,24 +1176,12 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)); EVP_MD_CTX_free(ctx); if (ret < 0) ossl_raise(ePKeyError, "EVP_DigestVerify"); -#else - if (EVP_DigestVerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { - EVP_MD_CTX_free(ctx); - ossl_raise(ePKeyError, "EVP_DigestVerifyUpdate"); - } - ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig), - RSTRING_LEN(sig)); - EVP_MD_CTX_free(ctx); - if (ret < 0) - ossl_raise(ePKeyError, "EVP_DigestVerifyFinal"); -#endif if (ret) return Qtrue; else { 
@@ -1739,10 +1694,8 @@ Init_ossl_pkey(void) rb_define_module_function(mPKey, "read", ossl_pkey_new_from_data, -1); rb_define_module_function(mPKey, "generate_parameters", ossl_pkey_s_generate_parameters, -1); rb_define_module_function(mPKey, "generate_key", ossl_pkey_s_generate_key, -1); -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY rb_define_module_function(mPKey, "new_raw_private_key", ossl_pkey_new_raw_private_key, 2); rb_define_module_function(mPKey, "new_raw_public_key", ossl_pkey_new_raw_public_key, 2); -#endif rb_define_alloc_func(cPKey, ossl_pkey_alloc); rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0); @@ -1758,10 +1711,8 @@ Init_ossl_pkey(void) rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1); rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0); rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0); -#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY rb_define_method(cPKey, "raw_private_key", ossl_pkey_raw_private_key, 0); rb_define_method(cPKey, "raw_public_key", ossl_pkey_raw_public_key, 0); -#endif rb_define_method(cPKey, "compare?", ossl_pkey_compare, 1); rb_define_method(cPKey, "sign", ossl_pkey_sign, -1); diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c index 843c9f801..764900dfc 100644 --- a/ext/openssl/ossl_rand.c +++ b/ext/openssl/ossl_rand.c @@ -189,9 +189,7 @@ Init_ossl_rand(void) rb_define_module_function(mRandom, "load_random_file", ossl_rand_load_file, 1); rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1); rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1); -#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER) rb_define_alias(rb_singleton_class(mRandom), "pseudo_bytes", "random_bytes"); -#endif #ifdef HAVE_RAND_EGD rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1); rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); 
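Review bot: Removing the `#if`/`#endif` pair around `rb_define_alias(rb_singleton_class(mRandom), "pseudo_bytes", "random_bytes");` in Init_ossl_rand makes the alias unconditional, although with OpenSSL 1.1.1 as the new floor the old condition `OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)` reduces to the LibreSSL case only. As written, `OpenSSL::Random.pseudo_bytes` becomes defined on OpenSSL 1.1.1 and later, where it was previously compiled out. If that is not intended, keep the guard as `#if OSSL_IS_LIBRESSL` and `#endif` around the alias; if it is intended, the commit message should say so, because it changes the public API surface. Init_ossl_rand continues outside the hunk.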
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 712689411..7ed760ea7 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -109,9 +109,7 @@ parse_proto_version(VALUE str) { "TLS1", TLS1_VERSION }, { "TLS1_1", TLS1_1_VERSION }, { "TLS1_2", TLS1_2_VERSION }, -#ifdef TLS1_3_VERSION { "TLS1_3", TLS1_3_VERSION }, -#endif }; if (NIL_P(str)) @@ -383,7 +381,7 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess) return 0; } -#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if !OSSL_IS_LIBRESSL /* * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see @@ -762,9 +760,7 @@ ossl_sslctx_setup(VALUE self) SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback); #endif -#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH SSL_CTX_set_post_handshake_auth(ctx, 1); -#endif val = rb_attr_get(self, id_i_cert_store); if (!NIL_P(val)) { @@ -904,7 +900,7 @@ ossl_sslctx_setup(VALUE self) OSSL_Debug("SSL TLSEXT servername callback added"); } -#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if !OSSL_IS_LIBRESSL /* * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see @@ -1016,7 +1012,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v) return v; } -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES /* * call-seq: * ctx.ciphersuites = "cipher1:cipher2:..." @@ -1043,7 +1038,6 @@ ossl_sslctx_set_ciphersuites(VALUE self, VALUE v) return v; } -#endif #ifndef OPENSSL_NO_DH /* 
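Review bot: `SSL_CTX_set_post_handshake_auth(ctx, 1);` in ossl_sslctx_setup now runs for every context, and nothing next to the call says why it is always on. Per the OpenSSL documentation it makes a client advertise the TLS 1.3 post-handshake authentication extension, so a server may request a client certificate after the handshake has completed; that default deserves a comment, e.g. `/* Always advertise TLS 1.3 post-handshake auth; only affects client connections */`. ossl_sslctx_setup starts and ends outside the hunk.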
@@ -2829,9 +2823,7 @@ Init_ossl_ssl(void) ossl_sslctx_set_minmax_proto_version, 2); rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0); rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1); -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1); -#endif #ifndef OPENSSL_NO_DH rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1); #endif @@ -2967,7 +2959,7 @@ Init_ossl_ssl(void) #ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */ rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES)); #endif -#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX)); #endif rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); 
@@ -2975,28 +2967,26 @@ Init_ossl_ssl(void) rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)); rb_define_const(mSSL, "OP_NO_COMPRESSION", ULONG2NUM(SSL_OP_NO_COMPRESSION)); rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)); -#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC)); #endif -#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)); #endif -#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA)); #endif -#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY)); #endif rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3)); rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1)); rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1)); rb_define_const(mSSL, "OP_NO_TLSv1_2", ULONG2NUM(SSL_OP_NO_TLSv1_2)); -#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */ rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3)); -#endif rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE)); rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG)); -#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */ +#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1, missing in LibreSSL */ rb_define_const(mSSL, 
"OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION)); #endif rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG)); @@ -3058,10 +3048,8 @@ Init_ossl_ssl(void) rb_define_const(mSSL, "TLS1_1_VERSION", INT2NUM(TLS1_1_VERSION)); /* TLS 1.2 */ rb_define_const(mSSL, "TLS1_2_VERSION", INT2NUM(TLS1_2_VERSION)); -#ifdef TLS1_3_VERSION /* OpenSSL 1.1.1 */ /* TLS 1.3 */ rb_define_const(mSSL, "TLS1_3_VERSION", INT2NUM(TLS1_3_VERSION)); -#endif sym_exception = ID2SYM(rb_intern_const("exception")); diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index 8f7e38c45..2d552d784 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -130,7 +130,7 @@ Init_ossl_x509(void) #if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */ DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION); #endif -#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) +#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) /* OpenSSL 1.1.1, missing in LibreSSL */ DefX509Const(V_ERR_OCSP_VERIFY_NEEDED); DefX509Const(V_ERR_OCSP_VERIFY_FAILED); DefX509Const(V_ERR_OCSP_CERT_UNKNOWN); diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index c707160ea..18acdc8ad 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -357,15 +357,6 @@ ossl_x509store_add_file(VALUE self, VALUE file) ossl_raise(eX509StoreError, "X509_STORE_add_lookup"); if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1) ossl_raise(eX509StoreError, "X509_LOOKUP_load_file"); -#if !OSSL_OPENSSL_PREREQ(1, 1, 1) && !OSSL_IS_LIBRESSL - /* - * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file() - * did not check the return value of X509_STORE_add_{cert,crl}(), leaking - * "cert already in hash table" errors on the error queue, if duplicate - * certificates are found. Fixed by OpenSSL 1.1.1 and LibreSSL 3.5.0. - */ - ossl_clear_error(); -#endif return self; } 
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb index 3c0fc5698..8444cfdcd 100644 --- a/test/openssl/test_pkey.rb +++ b/test/openssl/test_pkey.rb @@ -84,7 +84,6 @@ def test_hmac_sign_verify def test_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) # Test vector from RFC 8032 Section 7.1 TEST 2 priv_pem = <<~EOF @@ -157,9 +156,6 @@ def test_x25519 assert_equal bob_pem, bob.public_to_pem assert_equal [shared_secret].pack("H*"), alice.derive(bob) - if openssl? && !openssl?(1, 1, 1) - omit "running OpenSSL version does not have raw public key support" - end alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key) bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key) assert_equal alice_private.private_to_pem, @@ -173,8 +169,6 @@ def test_x25519 end def test_raw_initialize_errors - omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) - assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") } assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") } assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_public_key("foo123", "xxx") } diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index c9cc7a02e..c705f7879 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -40,7 +40,6 @@ def test_ctx_options def test_ctx_options_config omit "LibreSSL does not support OPENSSL_CONF" if libressl? - omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1) Tempfile.create("openssl.cnf") { |f| f.puts(<<~EOF) @@ -922,7 +921,7 @@ def socketpair end def test_keylog_cb - pend "Keylog callback is not supported" if !openssl?(1, 1, 1) || libressl? + omit "Keylog callback is not supported" if libressl? prefix = 'CLIENT_RANDOM' context = OpenSSL::SSL::SSLContext.new 
@@ -942,30 +941,28 @@ def test_keylog_cb end end - if tls13_supported? - prefixes = [ - 'SERVER_HANDSHAKE_TRAFFIC_SECRET', - 'EXPORTER_SECRET', - 'SERVER_TRAFFIC_SECRET_0', - 'CLIENT_HANDSHAKE_TRAFFIC_SECRET', - 'CLIENT_TRAFFIC_SECRET_0', - ] - context = OpenSSL::SSL::SSLContext.new - context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION - cb_called = false - context.keylog_cb = proc do |_sock, line| - cb_called = true - assert_not_nil(prefixes.delete(line.split.first)) - end + prefixes = [ + 'SERVER_HANDSHAKE_TRAFFIC_SECRET', + 'EXPORTER_SECRET', + 'SERVER_TRAFFIC_SECRET_0', + 'CLIENT_HANDSHAKE_TRAFFIC_SECRET', + 'CLIENT_TRAFFIC_SECRET_0', + ] + context = OpenSSL::SSL::SSLContext.new + context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION + cb_called = false + context.keylog_cb = proc do |_sock, line| + cb_called = true + assert_not_nil(prefixes.delete(line.split.first)) + end - start_server do |port| - server_connect(port, context) do |ssl| - ssl.puts "abc" - assert_equal("abc\n", ssl.gets) - assert_equal(true, cb_called) - end - assert_equal(0, prefixes.size) + start_server do |port| + server_connect(port, context) do |ssl| + ssl.puts "abc" + assert_equal("abc\n", ssl.gets) + assert_equal(true, cb_called) end + assert_equal(0, prefixes.size) end end @@ -1204,8 +1201,7 @@ def check_supported_protocol_versions OpenSSL::SSL::TLS1_VERSION, OpenSSL::SSL::TLS1_1_VERSION, OpenSSL::SSL::TLS1_2_VERSION, - # OpenSSL 1.1.1 - defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION, + OpenSSL::SSL::TLS1_3_VERSION, ].compact # Prepare for testing & do sanity check 
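Review bot: The TLS 1.3 half of test_keylog_cb now runs without any runtime probe, and the removed `tls13_supported?` helper (deleted in the test/openssl/utils.rb hunk) did more than check that the constant exists: it set `ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION` on a fresh context and rescued a failure. That presumably also covered libraries built or configured with TLS 1.3 disabled, which will now produce errors instead of skips. The same applies to test_ciphersuites_method_tls_connection, test_ecdh_curves_tls13, test_ctx_client_session_cb_tls13 and test_ctx_client_session_cb_tls13_exception. If such builds are still expected to pass the suite, keep a small probe and `omit` on it; if not, say in the commit message that TLS 1.3 must be enabled in the linked library. test_keylog_cb begins outside the hunk.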
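Review bot: The trailing `.compact` on the version list in check_supported_protocol_versions looks like dead code after this change. It was there to drop the `nil` that `defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION` produced on older libraries, and the entries visible in the hunk are now all plain constants. Unless an entry above the hunk can still be `nil`, close the list with a bare `]` so readers do not go looking for an optional element. The method starts and ends outside the hunk.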
@@ -1265,9 +1261,7 @@ def test_minmax_version OpenSSL::SSL::TLS1_VERSION => { name: "TLSv1", method: "TLSv1" }, OpenSSL::SSL::TLS1_1_VERSION => { name: "TLSv1.1", method: "TLSv1_1" }, OpenSSL::SSL::TLS1_2_VERSION => { name: "TLSv1.2", method: "TLSv1_2" }, - # OpenSSL 1.1.1 - defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION => - { name: "TLSv1.3", method: nil }, + OpenSSL::SSL::TLS1_3_VERSION => { name: "TLSv1.3", method: nil }, } # Server enables a single version @@ -1381,8 +1375,7 @@ def test_options_disable_versions # applications. The purpose of this test case is to check that SSL options # are properly propagated to OpenSSL library. supported = check_supported_protocol_versions - if !defined?(OpenSSL::SSL::TLS1_3_VERSION) || - !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) || + if !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) || !supported.include?(OpenSSL::SSL::TLS1_3_VERSION) pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \ "and enabled by default" @@ -1721,11 +1714,6 @@ def test_tmp_dh_callback end def test_ciphersuites_method_tls_connection - ssl_ctx = OpenSSL::SSL::SSLContext.new - if !tls13_supported? || !ssl_ctx.respond_to?(:ciphersuites=) - pend 'TLS 1.3 not supported' - end - csuite = ['TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128, 128] inputs = [csuite[0], [csuite[0]], [csuite]] 
@@ -1746,23 +1734,17 @@ def test_ciphersuites_method_tls_connection def test_ciphersuites_method_nil_argument ssl_ctx = OpenSSL::SSL::SSLContext.new - pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) - assert_nothing_raised { ssl_ctx.ciphersuites = nil } end def test_ciphersuites_method_frozen_object ssl_ctx = OpenSSL::SSL::SSLContext.new - pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) - ssl_ctx.freeze assert_raise(FrozenError) { ssl_ctx.ciphersuites = 'TLS_AES_256_GCM_SHA384' } end def test_ciphersuites_method_bogus_csuite ssl_ctx = OpenSSL::SSL::SSLContext.new - pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=) - assert_raise_with_message( OpenSSL::SSL::SSLError, /SSL_CTX_set_ciphersuites: no cipher match/i @@ -1878,8 +1860,6 @@ def test_ecdh_curves_tls12 end def test_ecdh_curves_tls13 - pend "TLS 1.3 not supported" unless tls13_supported? - ctx_proc = -> ctx { # Assume TLS 1.3 is enabled and chosen by default ctx.ecdh_curves = "P-384:P-521" diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb index 4fa382117..0a9289136 100644 --- a/test/openssl/test_ssl_session.rb +++ b/test/openssl/test_ssl_session.rb @@ -250,7 +250,6 @@ def test_ctx_client_session_cb_tls12 end def test_ctx_client_session_cb_tls13 - omit "TLS 1.3 not supported" unless tls13_supported? omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl? start_server do |port| @@ -274,7 +273,6 @@ def test_ctx_client_session_cb_tls13 end def test_ctx_client_session_cb_tls13_exception - omit "TLS 1.3 not supported" unless tls13_supported? omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl? server_proc = lambda do |ctx, ssl| 
@@ -375,11 +373,6 @@ def test_ctx_server_session_cb connections = 2 sess2 = server_connect_with_session(port, cctx, sess0.dup) { |ssl| ssl.puts("abc"); assert_equal "abc\n", ssl.gets - if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7) - # OpenSSL >= 1.1.0, < 1.1.0g - pend "External session cache is not working; " \ - "see https://github.com/openssl/openssl/pull/4014" - end assert_equal true, ssl.session_reused? ssl.session } diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index 4f7aa0cb1..5fc87d9c6 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb @@ -294,7 +294,6 @@ def test_sign_and_verify_dsa_md5 def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil) assert_equal(true, cert.verify(ed25519)) diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index caab795d5..89165388d 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb @@ -207,7 +207,6 @@ def test_sign_and_verify def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index 88a7bee93..18d3e7f8f 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb 
@@ -135,7 +135,6 @@ def test_sign_and_verify_dsa_md5 def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") req = issue_csr(0, @dn, ed25519, nil) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 4110d9b0f..e38b19092 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -186,14 +186,6 @@ def setup @server = nil end - def tls13_supported? - return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION) - ctx = OpenSSL::SSL::SSLContext.new - ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION - true - rescue - end - def readwrite_loop(ctx, ssl) while line = ssl.gets ssl.write(line)