Remove support for OpenSSL 0.9.8 and 1.0.0

They are no longer receiving security updates from the OpenSSL
development team since 2015-12.

We have kept basic compatibility until now because RHEL 5 still uses an
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.

.travis.yml

@@ -17,7 +17,6 @@ script:
 matrix:
   fast_finish: true
   include:
-    - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.0 OSSL_MDEBUG=1
     - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.1 OSSL_MDEBUG=1
     - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2 OSSL_MDEBUG=1
     - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.1.0 OSSL_MDEBUG=1

History.md

@@ -4,10 +4,12 @@ Version 2.1.0
 Compatibility notes
 -------------------
 
+* Support for OpenSSL version 0.9.8 and 1.0.0 is completely removed.
+
 Supported platforms
 -------------------
 
-* OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0
+* OpenSSL 1.0.1, 1.0.2, 1.1.0
 * LibreSSL 2.3, 2.4, 2.5
 * Ruby 2.3, 2.4
 

ext/openssl/extconf.rb

@@ -47,15 +47,9 @@
   end
 end
 
-result = checking_for("OpenSSL version is 0.9.8 or later") {
-  try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h")
-}
-unless result
-  raise "OpenSSL 0.9.8 or later required."
-end
-
-unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
-  raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')"
+unless checking_for("OpenSSL version is 1.0.1 or later") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
+  raise "OpenSSL >= 1.0.1 or LibreSSL is required"
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
@@ -78,30 +72,6 @@
   OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
 }
 
-# added in 0.9.8X
-have_func("EVP_CIPHER_CTX_new")
-have_func("EVP_CIPHER_CTX_free")
-OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h")
-
-# added in 1.0.0
-have_func("ASN1_TIME_adj")
-have_func("EVP_CIPHER_CTX_copy")
-have_func("EVP_PKEY_base_id")
-have_func("HMAC_CTX_copy")
-have_func("PKCS5_PBKDF2_HMAC")
-have_func("X509_NAME_hash_old")
-have_func("X509_STORE_CTX_get0_current_crl")
-have_func("X509_STORE_set_verify_cb")
-have_func("i2d_ASN1_SET_ANY")
-have_func("SSL_SESSION_cmp") # removed
-OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h")
-have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h")
-have_func("EVP_PKEY_get0")
-
-# added in 1.0.1
-have_func("SSL_CTX_set_next_proto_select_cb")
-have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION")
-
 # added in 1.0.2
 have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")

ext/openssl/openssl_missing.c

@@ -20,73 +20,6 @@
 
 #include "openssl_missing.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *
-ossl_EVP_CIPHER_CTX_new(void)
-{
-    EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX));
-    if (!ctx)
-	return NULL;
-    EVP_CIPHER_CTX_init(ctx);
-    return ctx;
-}
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void
-ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
-{
-    if (ctx) {
-	EVP_CIPHER_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
-    }
-}
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-/*
- * this function does not exist in OpenSSL yet... or ever?.
- * a future version may break this function.
- * tested on 0.9.7d.
- */
-int
-ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
-{
-    memcpy(out, in, sizeof(EVP_CIPHER_CTX));
-
-#if !defined(OPENSSL_NO_ENGINE)
-    if (in->engine) ENGINE_add(out->engine);
-    if (in->cipher_data) {
-	out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
-	memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
-    }
-#endif
-
-    return 1;
-}
-#endif
-
-#if !defined(OPENSSL_NO_HMAC)
-#if !defined(HAVE_HMAC_CTX_COPY)
-int
-ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
-{
-    if (!out || !in)
-	return 0;
-
-    memcpy(out, in, sizeof(HMAC_CTX));
-
-    EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx);
-    EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx);
-    EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx);
-
-    return 1;
-}
-#endif /* HAVE_HMAC_CTX_COPY */
-#endif /* NO_HMAC */
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)

ext/openssl/openssl_missing.h

@@ -12,53 +12,6 @@
 
 #include "ruby/config.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void);
-#  define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free
-#endif
-
-#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS)
-#  define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op))
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_PKEY_BASE_ID)
-#  define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy
-#endif
-
-#if !defined(HAVE_HMAC_CTX_COPY)
-int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
-#  define HMAC_CTX_copy ossl_HMAC_CTX_copy
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
-#  define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
-#endif
-
-#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
-#  define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
-#endif
-
-#if !defined(HAVE_I2D_ASN1_SET_ANY)
-#  define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
-		i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
-#endif
-
-#if !defined(HAVE_EVP_PKEY_GET0)
-#  define EVP_PKEY_get0(pk) (pk->pkey.ptr)
-#endif
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)
@@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #undef IMPL_KEY_ACCESSOR3
 #endif /* HAVE_OPAQUE_OPENSSL */
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
+#if !defined(EVP_CTRL_AEAD_GET_TAG)
 #  define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
 #  define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
 #  define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN

ext/openssl/ossl.c

@@ -473,19 +473,11 @@ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int
     OPENSSL_free(l);
 }
 
-#ifdef HAVE_CRYPTO_THREADID_PTR
 static void ossl_threadid_func(CRYPTO_THREADID *id)
 {
     /* register native thread id */
     CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
 }
-#else
-static unsigned long ossl_thread_id(void)
-{
-    /* before OpenSSL 1.0, this is 'unsigned long' */
-    return (unsigned long)rb_nativethread_self();
-}
-#endif
 
 static void Init_ossl_locks(void)
 {
@@ -503,11 +495,7 @@ static void Init_ossl_locks(void)
 	rb_nativethread_lock_initialize(&ossl_locks[i]);
     }
 
-#ifdef HAVE_CRYPTO_THREADID_PTR
     CRYPTO_THREADID_set_callback(ossl_threadid_func);
-#else
-    CRYPTO_set_id_callback(ossl_thread_id);
-#endif
     CRYPTO_set_locking_callback(ossl_lock_callback);
     CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback);
     CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);

ext/openssl/ossl_asn1.c

@@ -72,7 +72,6 @@ asn1time_to_time(const ASN1_TIME *time)
     return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
 }
 
-#if defined(HAVE_ASN1_TIME_ADJ)
 void
 ossl_time_split(VALUE time, time_t *sec, int *days)
 {
@@ -88,13 +87,6 @@ ossl_time_split(VALUE time, time_t *sec, int *days)
 	*sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400)));
     }
 }
-#else
-time_t
-time_to_time_t(VALUE time)
-{
-    return (time_t)NUM2TIMET(rb_Integer(time));
-}
-#endif
 
 /*
  * STRING conversion
@@ -269,15 +261,10 @@ obj_to_asn1utime(VALUE time)
     time_t sec;
     ASN1_UTCTIME *t;
 
-#if defined(HAVE_ASN1_TIME_ADJ)
     int off_days;
 
     ossl_time_split(time, &sec, &off_days);
     if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0)))
-#else
-    sec = time_to_time_t(time);
-    if (!(t = ASN1_UTCTIME_set(NULL, sec)))
-#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;
@@ -289,15 +276,10 @@ obj_to_asn1gtime(VALUE time)
     time_t sec;
     ASN1_GENERALIZEDTIME *t;
 
-#if defined(HAVE_ASN1_TIME_ADJ)
     int off_days;
 
     ossl_time_split(time, &sec, &off_days);
     if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0)))
-#else
-    sec = time_to_time_t(time);
-    if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec)))
-#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;

ext/openssl/ossl_asn1.h

@@ -14,15 +14,11 @@
  * ASN1_DATE conversions
  */
 VALUE asn1time_to_time(const ASN1_TIME *);
-#if defined(HAVE_ASN1_TIME_ADJ)
 /* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
  * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
  * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because
  * they have the Year 2038 issue on sizeof(time_t) == 4 environment */
 void ossl_time_split(VALUE, time_t *, int *);
-#else
-time_t time_to_time_t(VALUE);
-#endif
 
 /*
  * ASN1_STRING conversions

ext/openssl/ossl_cipher.c

@@ -512,10 +512,8 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
     StringValue(iv);
     GetCipher(self, ctx);
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
-#endif
     if (!iv_len)
 	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
     if (RSTRING_LEN(iv) != iv_len)
@@ -541,14 +539,9 @@ ossl_cipher_is_authenticated(VALUE self)
 
     GetCipher(self, ctx);
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
-#else
-    return Qfalse;
-#endif
 }
 
-#ifdef HAVE_AUTHENTICATED_ENCRYPTION
 /*
  *  call-seq:
  *     cipher.auth_data = string -> string
@@ -722,13 +715,6 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
 
     return iv_length;
 }
-#else
-#define ossl_cipher_set_auth_data rb_f_notimplement
-#define ossl_cipher_get_auth_tag rb_f_notimplement
-#define ossl_cipher_set_auth_tag rb_f_notimplement
-#define ossl_cipher_set_auth_tag_len rb_f_notimplement
-#define ossl_cipher_set_iv_length rb_f_notimplement
-#endif
 
 /*
  *  call-seq:
@@ -806,10 +792,8 @@ ossl_cipher_iv_length(VALUE self)
     int len = 0;
 
     GetCipher(self, ctx);
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
-#endif
     if (!len)
 	len = EVP_CIPHER_CTX_iv_length(ctx);
 

ext/openssl/ossl_pkcs5.c

@@ -6,7 +6,6 @@
 VALUE mPKCS5;
 VALUE ePKCS5;
 
-#ifdef HAVE_PKCS5_PBKDF2_HMAC
 /*
  * call-seq:
  *    PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string
@@ -18,8 +17,6 @@ VALUE ePKCS5;
  * * +keylen+ - integer
  * * +digest+ - a string or OpenSSL::Digest object.
  *
- * Available in OpenSSL >= 1.0.0.
- *
  * Digests other than SHA1 may not be supported by other cryptography libraries.
  */
 static VALUE
@@ -43,10 +40,6 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
 
     return str;
 }
-#else
-#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement
-#endif
-
 
 /*
  * call-seq:
@@ -99,8 +92,7 @@ Init_ossl_pkcs5(void)
      * slowed down artificially in order to render possible attacks infeasible.
      *
      * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based
-     * HMAC, or an arbitrary Digest if the underlying version of OpenSSL
-     * already supports it (>= 1.0.0).
+     * HMAC, or an arbitrary Digest.
      *
      * === Parameters
      * ==== Password