diff --git a/.travis.yml b/.travis.yml index c770d989b..7d7253d6d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,7 +17,6 @@ script: matrix: fast_finish: true include: - - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.0 OSSL_MDEBUG=1 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.1 OSSL_MDEBUG=1 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2 OSSL_MDEBUG=1 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.1.0 OSSL_MDEBUG=1 diff --git a/History.md b/History.md index 670fb32de..a49d271a8 100644 --- a/History.md +++ b/History.md @@ -4,10 +4,12 @@ Version 2.1.0 Compatibility notes ------------------- +* Support for OpenSSL version 0.9.8 and 1.0.0 is completely removed. + Supported platforms ------------------- -* OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 +* OpenSSL 1.0.1, 1.0.2, 1.1.0 * LibreSSL 2.3, 2.4, 2.5 * Ruby 2.3, 2.4 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 7033b0e20..a30dd0810 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -47,15 +47,9 @@ end end -result = checking_for("OpenSSL version is 0.9.8 or later") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h") -} -unless result - raise "OpenSSL 0.9.8 or later required." -end - -unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") - raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')" +unless checking_for("OpenSSL version is 1.0.1 or later") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") } + raise "OpenSSL >= 1.0.1 or LibreSSL is required" end Logging::message "=== Checking for OpenSSL features... ===\n" @@ -78,30 +72,6 @@ OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") } -# added in 0.9.8X -have_func("EVP_CIPHER_CTX_new") -have_func("EVP_CIPHER_CTX_free") -OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h") - -# added in 1.0.0 -have_func("ASN1_TIME_adj") -have_func("EVP_CIPHER_CTX_copy") -have_func("EVP_PKEY_base_id") -have_func("HMAC_CTX_copy") -have_func("PKCS5_PBKDF2_HMAC") -have_func("X509_NAME_hash_old") -have_func("X509_STORE_CTX_get0_current_crl") -have_func("X509_STORE_set_verify_cb") -have_func("i2d_ASN1_SET_ANY") -have_func("SSL_SESSION_cmp") # removed -OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h") -have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h") -have_func("EVP_PKEY_get0") - -# added in 1.0.1 -have_func("SSL_CTX_set_next_proto_select_cb") -have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION") - # added in 1.0.2 have_func("EC_curve_nist2nid") have_func("X509_REVOKED_dup") diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c index 94ce85aff..b36ef0288 100644 --- a/ext/openssl/openssl_missing.c +++ b/ext/openssl/openssl_missing.c @@ -20,73 +20,6 @@ #include "openssl_missing.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX * -ossl_EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); - if (!ctx) - return NULL; - EVP_CIPHER_CTX_init(ctx); - return ctx; -} -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void -ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) -{ - if (ctx) { - EVP_CIPHER_CTX_cleanup(ctx); - OPENSSL_free(ctx); - } -} -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -/* - * this function does not exist in OpenSSL yet... or ever?. - * a future version may break this function. - * tested on 0.9.7d. - */ -int -ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) -{ - memcpy(out, in, sizeof(EVP_CIPHER_CTX)); - -#if !defined(OPENSSL_NO_ENGINE) - if (in->engine) ENGINE_add(out->engine); - if (in->cipher_data) { - out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); - memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); - } -#endif - - return 1; -} -#endif - -#if !defined(OPENSSL_NO_HMAC) -#if !defined(HAVE_HMAC_CTX_COPY) -int -ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) -{ - if (!out || !in) - return 0; - - memcpy(out, in, sizeof(HMAC_CTX)); - - EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx); - EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx); - EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx); - - return 1; -} -#endif /* HAVE_HMAC_CTX_COPY */ -#endif /* NO_HMAC */ - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID) diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h index 3d11aec2d..cc31f6ace 100644 --- a/ext/openssl/openssl_missing.h +++ b/ext/openssl/openssl_missing.h @@ -12,53 +12,6 @@ #include "ruby/config.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void); -# define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free -#endif - -#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS) -# define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op)) -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_PKEY_BASE_ID) -# define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type) -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy -#endif - -#if !defined(HAVE_HMAC_CTX_COPY) -int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); -# define HMAC_CTX_copy ossl_HMAC_CTX_copy -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL) -# define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl) -#endif - -#if !defined(HAVE_X509_STORE_SET_VERIFY_CB) -# define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func -#endif - -#if !defined(HAVE_I2D_ASN1_SET_ANY) -# define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \ - i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0) -#endif - -#if !defined(HAVE_EVP_PKEY_GET0) -# define EVP_PKEY_get0(pk) (pk->pkey.ptr) -#endif - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID) @@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec) #undef IMPL_KEY_ACCESSOR3 #endif /* HAVE_OPAQUE_OPENSSL */ -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG) +#if !defined(EVP_CTRL_AEAD_GET_TAG) # define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG # define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG # define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index eb71b643b..a4fa0e73c 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -473,19 +473,11 @@ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int OPENSSL_free(l); } -#ifdef HAVE_CRYPTO_THREADID_PTR static void ossl_threadid_func(CRYPTO_THREADID *id) { /* register native thread id */ CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self()); } -#else -static unsigned long ossl_thread_id(void) -{ - /* before OpenSSL 1.0, this is 'unsigned long' */ - return (unsigned long)rb_nativethread_self(); -} -#endif static void Init_ossl_locks(void) { @@ -503,11 +495,7 @@ static void Init_ossl_locks(void) rb_nativethread_lock_initialize(&ossl_locks[i]); } -#ifdef HAVE_CRYPTO_THREADID_PTR CRYPTO_THREADID_set_callback(ossl_threadid_func); -#else - CRYPTO_set_id_callback(ossl_thread_id); -#endif CRYPTO_set_locking_callback(ossl_lock_callback); CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback); CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback); diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 534796f52..1977fdd2a 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c @@ -72,7 +72,6 @@ asn1time_to_time(const ASN1_TIME *time) return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv); } -#if defined(HAVE_ASN1_TIME_ADJ) void ossl_time_split(VALUE time, time_t *sec, int *days) { @@ -88,13 +87,6 @@ ossl_time_split(VALUE time, time_t *sec, int *days) *sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400))); } } -#else -time_t -time_to_time_t(VALUE time) -{ - return (time_t)NUM2TIMET(rb_Integer(time)); -} -#endif /* * STRING conversion @@ -269,15 +261,10 @@ obj_to_asn1utime(VALUE time) time_t sec; ASN1_UTCTIME *t; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0))) -#else - sec = time_to_time_t(time); - if (!(t = ASN1_UTCTIME_set(NULL, sec))) -#endif ossl_raise(eASN1Error, NULL); return t; @@ -289,15 +276,10 @@ obj_to_asn1gtime(VALUE time) time_t sec; ASN1_GENERALIZEDTIME *t; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0))) -#else - sec = time_to_time_t(time); - if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec))) -#endif ossl_raise(eASN1Error, NULL); return t; diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h index d6a170c86..939a96ce7 100644 --- a/ext/openssl/ossl_asn1.h +++ b/ext/openssl/ossl_asn1.h @@ -14,15 +14,11 @@ * ASN1_DATE conversions */ VALUE asn1time_to_time(const ASN1_TIME *); -#if defined(HAVE_ASN1_TIME_ADJ) /* Splits VALUE to seconds and offset days. VALUE is typically a Time or an * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because * they have the Year 2038 issue on sizeof(time_t) == 4 environment */ void ossl_time_split(VALUE, time_t *, int *); -#else -time_t time_to_time_t(VALUE); -#endif /* * ASN1_STRING conversions diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 73b667b2c..aed7fbb44 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -512,10 +512,8 @@ ossl_cipher_set_iv(VALUE self, VALUE iv) StringValue(iv); GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx); -#endif if (!iv_len) iv_len = EVP_CIPHER_CTX_iv_length(ctx); if (RSTRING_LEN(iv) != iv_len) @@ -541,14 +539,9 @@ ossl_cipher_is_authenticated(VALUE self) GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse; -#else - return Qfalse; -#endif } -#ifdef HAVE_AUTHENTICATED_ENCRYPTION /* * call-seq: * cipher.auth_data = string -> string @@ -722,13 +715,6 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length) return iv_length; } -#else -#define ossl_cipher_set_auth_data rb_f_notimplement -#define ossl_cipher_get_auth_tag rb_f_notimplement -#define ossl_cipher_set_auth_tag rb_f_notimplement -#define ossl_cipher_set_auth_tag_len rb_f_notimplement -#define ossl_cipher_set_iv_length rb_f_notimplement -#endif /* * call-seq: @@ -806,10 +792,8 @@ ossl_cipher_iv_length(VALUE self) int len = 0; GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx); -#endif if (!len) len = EVP_CIPHER_CTX_iv_length(ctx); diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c index 47c5bfa3b..7811c5fe0 100644 --- a/ext/openssl/ossl_pkcs5.c +++ b/ext/openssl/ossl_pkcs5.c @@ -6,7 +6,6 @@ VALUE mPKCS5; VALUE ePKCS5; -#ifdef HAVE_PKCS5_PBKDF2_HMAC /* * call-seq: * PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string @@ -18,8 +17,6 @@ VALUE ePKCS5; * * +keylen+ - integer * * +digest+ - a string or OpenSSL::Digest object. * - * Available in OpenSSL >= 1.0.0. - * * Digests other than SHA1 may not be supported by other cryptography libraries. */ static VALUE @@ -43,10 +40,6 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key return str; } -#else -#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement -#endif - /* * call-seq: @@ -99,8 +92,7 @@ Init_ossl_pkcs5(void) * slowed down artificially in order to render possible attacks infeasible. * * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based - * HMAC, or an arbitrary Digest if the underlying version of OpenSSL - * already supports it (>= 1.0.0). + * HMAC, or an arbitrary Digest. * * === Parameters * ==== Password diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 6ab1b6184..e161277d2 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -92,7 +92,7 @@ pkey_new0(EVP_PKEY *pkey) case EVP_PKEY_DH: return ossl_dh_new(pkey); #endif -#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL) +#if !defined(OPENSSL_NO_EC) case EVP_PKEY_EC: return ossl_ec_new(pkey); #endif diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c index 85085419c..b21abc428 100644 --- a/ext/openssl/ossl_pkey_dsa.c +++ b/ext/openssl/ossl_pkey_dsa.c @@ -627,12 +627,6 @@ Init_ossl_dsa(void) * DSA, the Digital Signature Algorithm, is specified in NIST's * FIPS 186-3. It is an asymmetric public key algorithm that may be used * similar to e.g. RSA. - * Please note that for OpenSSL versions prior to 1.0.0 the digest - * algorithms OpenSSL::Digest::DSS (equivalent to SHA) or - * OpenSSL::Digest::DSS1 (equivalent to SHA-1) must be used for issuing - * signatures with a DSA key using OpenSSL::PKey#sign. - * Starting with OpenSSL 1.0.0, digest algorithms are no longer restricted, - * any Digest may be used for signing. */ cDSA = rb_define_class_under(mPKey, "DSA", cPKey); diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index fc3f034a3..ce3475166 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -4,7 +4,7 @@ #include "ossl.h" -#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL) +#if !defined(OPENSSL_NO_EC) #define EXPORT_PEM 0 #define EXPORT_DER 1 diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index eef7dbece..a2520fe91 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -51,19 +51,19 @@ static ID id_i_io, id_i_context, id_i_hostname; */ static const struct { const char *name; - SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */ + const SSL_METHOD *(*func)(void); int version; } ossl_ssl_method_tab[] = { #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION) #define OSSL_SSL_METHOD_ENTRY(name, version) \ - { #name, (SSL_METHOD *(*)(void))TLS_method, version }, \ - { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \ - { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version } + { #name, TLS_method, version }, \ + { #name"_server", TLS_server_method, version }, \ + { #name"_client", TLS_client_method, version } #else #define OSSL_SSL_METHOD_ENTRY(name, version) \ - { #name, (SSL_METHOD *(*)(void))name##_method, version }, \ - { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \ - { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version } + { #name, name##_method, version }, \ + { #name"_server", name##_server_method, version }, \ + { #name"_client", name##_client_method, version } #endif #if defined(HAVE_SSLV2_METHOD) OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION), @@ -109,14 +109,12 @@ static VALUE ossl_sslctx_s_alloc(VALUE klass) { SSL_CTX *ctx; - long mode = SSL_MODE_ENABLE_PARTIAL_WRITE | - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; + long mode = 0 | + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_RELEASE_BUFFERS; VALUE obj; -#ifdef SSL_MODE_RELEASE_BUFFERS - mode |= SSL_MODE_RELEASE_BUFFERS; -#endif - obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0); ctx = SSL_CTX_new(SSLv23_method()); if (!ctx) { @@ -168,7 +166,7 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method) #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION) int version = ossl_ssl_method_tab[i].version; #endif - SSL_METHOD *method = ossl_ssl_method_tab[i].func(); + const SSL_METHOD *method = ossl_ssl_method_tab[i].func(); if (SSL_CTX_set_ssl_version(ctx, method) != 1) ossl_raise(eSSLError, "SSL_CTX_set_ssl_version"); @@ -514,7 +512,6 @@ ossl_sslctx_add_extra_chain_cert_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, arg)) static VALUE ossl_sslctx_setup(VALUE self); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME static VALUE ossl_call_servername_cb(VALUE ary) { @@ -571,7 +568,6 @@ ssl_servername_cb(SSL *ssl, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } -#endif static void ssl_renegotiation_cb(const SSL *ssl) @@ -944,13 +940,11 @@ ossl_sslctx_setup(VALUE self) OSSL_Debug("SSL SESSION remove callback added"); } -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME val = rb_attr_get(self, id_i_servername_cb); if (!NIL_P(val)) { SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); OSSL_Debug("SSL TLSEXT servername callback added"); } -#endif return Qtrue; } @@ -2092,7 +2086,6 @@ ossl_ssl_set_session(VALUE self, VALUE arg1) return arg1; } -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME /* * call-seq: * ssl.hostname = hostname -> hostname @@ -2119,7 +2112,6 @@ ossl_ssl_set_hostname(VALUE self, VALUE arg) return arg; } -#endif /* * call-seq: @@ -2437,11 +2429,7 @@ Init_ossl_ssl(void) */ rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue); -#else - rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qfalse); -#endif #ifdef TLS_DH_anon_WITH_AES_256_GCM_SHA384 rb_define_const(mSSLExtConfig, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", Qtrue); @@ -2646,10 +2634,8 @@ Init_ossl_ssl(void) rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0); rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME /* #hostname is defined in lib/openssl/ssl.rb */ rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1); -#endif # ifdef HAVE_SSL_GET_SERVER_TMP_KEY rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); # endif @@ -2691,18 +2677,10 @@ Init_ossl_ssl(void) ossl_ssl_def_const(OP_NO_SSLv2); ossl_ssl_def_const(OP_NO_SSLv3); ossl_ssl_def_const(OP_NO_TLSv1); -#if defined(SSL_OP_NO_TLSv1_1) ossl_ssl_def_const(OP_NO_TLSv1_1); -#endif -#if defined(SSL_OP_NO_TLSv1_2) ossl_ssl_def_const(OP_NO_TLSv1_2); -#endif -#if defined(SSL_OP_NO_TICKET) ossl_ssl_def_const(OP_NO_TICKET); -#endif -#if defined(SSL_OP_NO_COMPRESSION) ossl_ssl_def_const(OP_NO_COMPRESSION); -#endif ossl_ssl_def_const(OP_PKCS1_CHECK_1); ossl_ssl_def_const(OP_PKCS1_CHECK_2); ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG); diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c index 1b602a6cd..fefbf28b3 100644 --- a/ext/openssl/ossl_ssl_session.c +++ b/ext/openssl/ossl_ssl_session.c @@ -93,8 +93,8 @@ ossl_ssl_session_initialize_copy(VALUE self, VALUE other) return self; } -#if !defined(HAVE_SSL_SESSION_CMP) -int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) +static int +ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { unsigned int a_len; const unsigned char *a_sid = SSL_SESSION_get_id(a, &a_len); @@ -108,8 +108,6 @@ int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) return CRYPTO_memcmp(a_sid, b_sid, a_len); } -#define SSL_SESSION_cmp(a, b) ossl_SSL_SESSION_cmp(a, b) -#endif /* * call-seq: @@ -124,7 +122,7 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2) GetSSLSession(val1, ctx1); SafeGetSSLSession(val2, ctx2); - switch (SSL_SESSION_cmp(ctx1, ctx2)) { + switch (ossl_SSL_SESSION_cmp(ctx1, ctx2)) { case 0: return Qtrue; default: return Qfalse; } diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index 19ec274ae..8a061b068 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -20,15 +20,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time) { time_t sec; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); return X509_time_adj_ex(s, off_days, 0, &sec); -#else - sec = time_to_time_t(time); - return X509_time_adj(s, 0, &sec); -#endif } void @@ -112,21 +107,15 @@ Init_ossl_x509(void) DefX509Const(V_FLAG_INHIBIT_MAP); /* Set by Store#flags= and StoreContext#flags=. */ DefX509Const(V_FLAG_NOTIFY_POLICY); -#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT) /* Set by Store#flags= and StoreContext#flags=. Enables some additional * features including support for indirect signed CRLs. */ DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT); -#endif -#if defined(X509_V_FLAG_USE_DELTAS) /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not * specified, deltas are ignored. */ DefX509Const(V_FLAG_USE_DELTAS); -#endif -#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE) /* Set by Store#flags= and StoreContext#flags=. Enables checking of the * signature of the root self-signed CA. */ DefX509Const(V_FLAG_CHECK_SS_SIGNATURE); -#endif #if defined(X509_V_FLAG_TRUSTED_FIRST) /* Set by Store#flags= and StoreContext#flags=. When constructing a * certificate chain, search the Store first for the issuer certificate. @@ -161,10 +150,8 @@ Init_ossl_x509(void) DefX509Const(PURPOSE_ANY); /* Set by Store#purpose=. OCSP helper. */ DefX509Const(PURPOSE_OCSP_HELPER); -#if defined(X509_PURPOSE_TIMESTAMP_SIGN) /* Set by Store#purpose=. Time stamps signer. */ DefX509Const(PURPOSE_TIMESTAMP_SIGN); -#endif DefX509Const(TRUST_COMPAT); DefX509Const(TRUST_SSL_CLIENT); @@ -173,9 +160,7 @@ Init_ossl_x509(void) DefX509Const(TRUST_OBJECT_SIGN); DefX509Const(TRUST_OCSP_SIGN); DefX509Const(TRUST_OCSP_REQUEST); -#if defined(X509_TRUST_TSA) DefX509Const(TRUST_TSA); -#endif DefX509Default(CERT_AREA, cert_area); DefX509Default(CERT_DIR, cert_dir); diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c index 4523e0d71..56816bdc7 100644 --- a/ext/openssl/ossl_x509name.c +++ b/ext/openssl/ossl_x509name.c @@ -398,7 +398,6 @@ ossl_x509name_hash(VALUE self) return ULONG2NUM(hash); } -#ifdef HAVE_X509_NAME_HASH_OLD /* * call-seq: * name.hash_old => integer @@ -417,7 +416,6 @@ ossl_x509name_hash_old(VALUE self) return ULONG2NUM(hash); } -#endif /* * call-seq: @@ -486,9 +484,7 @@ Init_ossl_x509name(void) rb_define_alias(cX509Name, "<=>", "cmp"); rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1); rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0); -#ifdef HAVE_X509_NAME_HASH_OLD rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0); -#endif rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0); utf8str = INT2NUM(V_ASN1_UTF8STRING); diff --git a/lib/openssl/digest.rb b/lib/openssl/digest.rb index 97ccbc956..b57292400 100644 --- a/lib/openssl/digest.rb +++ b/lib/openssl/digest.rb @@ -15,13 +15,10 @@ module OpenSSL class Digest - alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1) + alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OPENSSL_VERSION_NUMBER < 0x10100000 alg += %w(DSS DSS1 SHA) end - if OPENSSL_VERSION_NUMBER > 0x00908000 - alg += %w(SHA224 SHA256 SHA384 SHA512) - end # Return the +data+ hash computed with +name+ Digest. +name+ is either the # long name or short name of a supported digest algorithm. diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index f40a45143..73f4cdde5 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -23,7 +23,7 @@ class SSLContext :options => -> { opts = OpenSSL::SSL::OP_ALL opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) + opts |= OpenSSL::SSL::OP_NO_COMPRESSION opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 opts }.call @@ -87,7 +87,7 @@ class SSLContext # # The callback is invoked with an SSLSocket and a server name. The # callback must return an SSLContext for the server name or nil. - attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME + attr_accessor :servername_cb # call-seq: # SSLContext.new => ctx @@ -242,9 +242,7 @@ class SSLSocket include Buffering include SocketForwarder - if ExtConfig::HAVE_TLSEXT_HOST_NAME - attr_reader :hostname - end + attr_reader :hostname # The underlying IO object. attr_reader :io diff --git a/test/test_asn1.rb b/test/test_asn1.rb index a0ac1ddbf..b14ebd554 100644 --- a/test/test_asn1.rb +++ b/test/test_asn1.rb @@ -576,4 +576,4 @@ def assert_universal(tag, asn1) assert_equal(:UNIVERSAL, asn1.tag_class) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_bn.rb b/test/test_bn.rb index 37ba5e559..57755d04f 100644 --- a/test/test_bn.rb +++ b/test/test_bn.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestBN < OpenSSL::TestCase def test_new_str e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable @@ -57,5 +55,3 @@ def test_cmp assert_not_equal(bn3.hash, bn1.hash) end end - -end diff --git a/test/test_buffering.rb b/test/test_buffering.rb index f85353fc6..73cfa9d81 100644 --- a/test/test_buffering.rb +++ b/test/test_buffering.rb @@ -86,4 +86,4 @@ def test_each_byte assert_equal([97, 98, 99], res) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_cipher.rb b/test/test_cipher.rb index ad0e87b44..ce64fbb9f 100644 --- a/test/test_cipher.rb +++ b/test/test_cipher.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestCipher < OpenSSL::TestCase module Helper def has_cipher?(name) @@ -129,7 +127,7 @@ def test_ctr_if_exists assert_equal ct, cipher.update(pt) << cipher.final cipher = new_decryptor("aes-128-ctr", key: key, iv: iv, padding: 0) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?('aes-128-ctr') + end def test_ciphers OpenSSL::Cipher.ciphers.each{|name| @@ -165,10 +163,8 @@ def test_update_raise_if_key_not_set end def test_authenticated - if has_cipher?('aes-128-gcm') - cipher = OpenSSL::Cipher.new('aes-128-gcm') - assert_predicate(cipher, :authenticated?) - end + cipher = OpenSSL::Cipher.new('aes-128-gcm') + assert_predicate(cipher, :authenticated?) cipher = OpenSSL::Cipher.new('aes-128-cbc') assert_not_predicate(cipher, :authenticated?) end @@ -220,7 +216,7 @@ def test_aes_gcm cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_tag: tag, auth_data: aad) cipher.update(ct2) assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } - end if has_cipher?("aes-128-gcm") + end def test_aes_gcm_variable_iv_len # GCM spec Appendix B Test Case 5 @@ -243,7 +239,7 @@ def test_aes_gcm_variable_iv_len assert_equal tag, cipher.auth_tag cipher = new_decryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_tag: tag, auth_data: aad) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?("aes-128-gcm") + end def test_aes_ocb_tag_len # RFC 7253 Appendix A; the second sample @@ -295,7 +291,7 @@ def test_aes_gcm_key_iv_order_issue assert_equal ct1, ct2 assert_equal tag1, tag2 - end if has_cipher?("aes-128-gcm") + end private @@ -314,5 +310,3 @@ def new_decryptor(algo, **kwargs) end end - -end diff --git a/test/test_config.rb b/test/test_config.rb index 786bce9d2..42f9d3c51 100644 --- a/test/test_config.rb +++ b/test/test_config.rb @@ -297,4 +297,4 @@ def test_clone @it['newsection'] = {'a' => 'b'} assert_not_equal(@it.sections.sort, c.sections.sort) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_digest.rb b/test/test_digest.rb index 9891d99ae..e81d618d4 100644 --- a/test/test_digest.rb +++ b/test/test_digest.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestDigest < OpenSSL::TestCase def setup super @@ -54,13 +52,10 @@ def test_reset end def test_digest_constants - algs = %w(MD4 MD5 RIPEMD160 SHA1) + algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 algs += %w(DSS1 SHA) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - algs += %w(SHA224 SHA256 SHA384 SHA512) - end algs.each do |alg| assert_not_nil(OpenSSL::Digest.new(alg)) klass = OpenSSL::Digest.const_get(alg) @@ -73,34 +68,32 @@ def test_digest_by_oid_and_name check_digest(OpenSSL::ASN1::ObjectId.new("SHA1")) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - def encode16(str) - str.unpack("H*").first - end + def encode16(str) + str.unpack("H*").first + end - def test_098_features - sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" - sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" - sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" - sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" - - assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a")) - assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) - assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) - assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) - - assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) - assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) - assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) - assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) - end + def test_sha2 + sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" + sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" + sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" + sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" + + assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a")) + assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) + assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) + assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) + + assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) + assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) + assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) + assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) + end - def test_digest_by_oid_and_name_sha2 - check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) - end + def test_digest_by_oid_and_name_sha2 + check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) end def test_openssl_digest @@ -121,14 +114,4 @@ def check_digest(oid) d = OpenSSL::Digest.new(oid.oid) assert_not_nil(d) end - - def libressl? - OpenSSL::OPENSSL_VERSION.include?('LibreSSL') - end - - def version_since(verary) - (OpenSSL::OPENSSL_LIBRARY_VERSION.scan(/\d+/).map(&:to_i) <=> verary) != -1 - end -end - end diff --git a/test/test_engine.rb b/test/test_engine.rb index 75e45eb7f..a987f2676 100644 --- a/test/test_engine.rb +++ b/test/test_engine.rb @@ -96,4 +96,4 @@ def crypt_data(data, key, mode) end end -end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine) +end if defined?(OpenSSL::Engine) diff --git a/test/test_fips.rb b/test/test_fips.rb index 534dade02..9ba352cbb 100644 --- a/test/test_fips.rb +++ b/test/test_fips.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestFIPS < OpenSSL::TestCase def test_fips_mode_is_reentrant @@ -11,5 +9,3 @@ def test_fips_mode_is_reentrant end end - -end diff --git a/test/test_hmac.rb b/test/test_hmac.rb index dbde97d9c..86857ba08 100644 --- a/test/test_hmac.rb +++ b/test/test_hmac.rb @@ -37,4 +37,4 @@ def test_reset_keep_key second = h1.update("test").hexdigest assert_equal first, second end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_ns_spki.rb b/test/test_ns_spki.rb index ac34613fc..b75906b21 100644 --- a/test/test_ns_spki.rb +++ b/test/test_ns_spki.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestNSSPI < OpenSSL::TestCase def setup super @@ -49,5 +47,3 @@ def test_decode_data assert_equal(OpenSSL::PKey::RSA, spki.public_key.class) end end - -end diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index 8881f25dd..7da929c05 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestOCSP < OpenSSL::TestCase def setup super @@ -294,5 +292,3 @@ def test_response_dup assert_equal res.to_der, res.dup.to_der end end - -end diff --git a/test/test_pair.rb b/test/test_pair.rb index 9a5205f81..ad3897876 100644 --- a/test/test_pair.rb +++ b/test/test_pair.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - require 'socket' require_relative 'ut_eof' @@ -489,5 +487,3 @@ class OpenSSL::TestPairLowlevelSocket < OpenSSL::TestCase include OpenSSL::SSLPairLowlevelSocket include OpenSSL::TestPairM end - -end diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb index 403718b94..d4556cd7d 100644 --- a/test/test_pkcs12.rb +++ b/test/test_pkcs12.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - module OpenSSL class TestPKCS12 < OpenSSL::TestCase include OpenSSL::TestUtils @@ -311,5 +309,3 @@ def assert_include_cert cert, ary end end - -end diff --git a/test/test_pkcs5.rb b/test/test_pkcs5.rb index ad8132c26..59a7e7c92 100644 --- a/test/test_pkcs5.rb +++ b/test/test_pkcs5.rb @@ -93,6 +93,6 @@ def test_pbkdf2_hmac_sha256_c_20000_len_32 value1 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) value2 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) assert_equal(value1, value2) - end if OpenSSL::PKCS5.respond_to?(:pbkdf2_hmac) + end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_pkcs7.rb b/test/test_pkcs7.rb index 48d599975..127111448 100644 --- a/test/test_pkcs7.rb +++ b/test/test_pkcs7.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKCS7 < OpenSSL::TestCase def setup super @@ -285,5 +283,3 @@ def test_split_content assert_equal(pki_message_content_pem, p7enc.to_pem) end end - -end diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 470c952e2..533aaa7ef 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024 @@ -116,5 +114,3 @@ def assert_same_dh(expected, key) check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) end end - -end diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb index a4ccd1d8f..4e36400b2 100644 --- a/test/test_pkey_dsa.rb +++ b/test/test_pkey_dsa.rb @@ -2,8 +2,6 @@ require_relative 'utils' require 'base64' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512 @@ -43,7 +41,6 @@ def test_sign_verify assert_equal true, DSA512.verify(OpenSSL::Digest::DSS1.new, signature, data) end - return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000 signature = DSA512.sign("SHA1", data) assert_equal true, DSA512.verify("SHA1", signature, data) @@ -196,5 +193,3 @@ def assert_same_dsa(expected, key) check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) end end - -end diff --git a/test/test_pkey_ec.rb b/test/test_pkey_ec.rb index e281f80ca..badaff713 100644 --- a/test/test_pkey_ec.rb +++ b/test/test_pkey_ec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC) +if defined?(OpenSSL::PKey::EC) class OpenSSL::TestEC < OpenSSL::PKeyTestCase P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 @@ -100,16 +100,9 @@ def test_dsa_sign_asn1_FIPS186_3 key = OpenSSL::PKey::EC.new("prime256v1").generate_key! size = key.group.order.num_bits / 8 + 1 dgst = (1..size).to_a.pack('C*') - begin - sig = key.dsa_sign_asn1(dgst) - # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m - assert(key.dsa_verify_asn1(dgst + "garbage", sig)) - rescue OpenSSL::PKey::ECError => e - # just an exception for longer dgst before openssl-0.9.8m - assert_equal('ECDSA_sign: data too large for key size', e.message) - # no need to do following tests - return - end + sig = key.dsa_sign_asn1(dgst) + # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m + assert(key.dsa_verify_asn1(dgst + "garbage", sig)) end def test_dh_compute_key diff --git a/test/test_pkey_rsa.rb b/test/test_pkey_rsa.rb index b24f1d550..ebde6328c 100644 --- a/test/test_pkey_rsa.rb +++ b/test/test_pkey_rsa.rb @@ -2,8 +2,6 @@ require_relative 'utils' require 'base64' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 @@ -255,5 +253,3 @@ def assert_same_rsa(expected, key) check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp]) end end - -end diff --git a/test/test_random.rb b/test/test_random.rb index 607946192..dd72d84dc 100644 --- a/test/test_random.rb +++ b/test/test_random.rb @@ -12,4 +12,4 @@ def test_pseudo_bytes assert_equal("", OpenSSL::Random.pseudo_bytes(0)) assert_equal(12, OpenSSL::Random.pseudo_bytes(12).bytesize) end if OpenSSL::Random.methods.include?(:pseudo_bytes) -end if defined?(OpenSSL::TestCase) +end diff --git a/test/test_ssl.rb b/test/test_ssl.rb index 8d74f25f5..382627a42 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_ctx_options @@ -352,10 +350,8 @@ def test_sslctx_set_params assert ciphers_names.all?{|v| /A(EC)?DH/ !~ v }, "anon ciphers are disabled" assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES)/ !~ v }, "weak ciphers are disabled" assert_equal 0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) # >= 1.0.0 - assert_equal OpenSSL::SSL::OP_NO_COMPRESSION, - ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION - end + assert_equal OpenSSL::SSL::OP_NO_COMPRESSION, + ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION end def test_post_connect_check_with_anon_ciphers @@ -845,7 +841,7 @@ def test_tls_v1_2 ctx.ssl_version = :TLSv1_2_client server_connect(port, ctx) { |ssl| assert_equal("TLSv1.2", ssl.ssl_version) } } - end if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 + end def test_forbid_tls_v1_1_for_client ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 } @@ -854,7 +850,7 @@ def test_forbid_tls_v1_1_for_client ctx.ssl_version = :TLSv1_1 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) + end def test_forbid_tls_v1_1_from_server start_server_version(:TLSv1_1) { |server, port| @@ -862,7 +858,7 @@ def test_forbid_tls_v1_1_from_server ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) + end def test_forbid_tls_v1_2_for_client ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 } @@ -871,7 +867,7 @@ def test_forbid_tls_v1_2_for_client ctx.ssl_version = :TLSv1_2 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) + end def test_forbid_tls_v1_2_from_server start_server_version(:TLSv1_2) { |server, port| @@ -879,7 +875,7 @@ def test_forbid_tls_v1_2_from_server ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) + end end @@ -942,8 +938,7 @@ def test_alpn_protocol_selection_cancel end end -if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 && - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) +if OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) # NPN may be disabled by OpenSSL configure option def test_npn_protocol_selection_ary @@ -1296,5 +1291,3 @@ def assert_handshake_error } end end - -end diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb index b2643edd8..2f633b035 100644 --- a/test/test_ssl_session.rb +++ b/test/test_ssl_session.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase def test_session_equals session = OpenSSL::SSL::Session.new <<-SESSION @@ -150,7 +148,7 @@ def test_session_timeout def test_session_exts_read assert(OpenSSL::SSL::Session.new(DUMMY_SESSION)) - end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf + end def test_client_session last_session = nil @@ -376,5 +374,3 @@ def test_dup assert_equal(sess_orig.to_der, sess_dup.to_der) end end - -end diff --git a/test/test_x509attr.rb b/test/test_x509attr.rb index d7473f1a2..249c15936 100644 --- a/test/test_x509attr.rb +++ b/test/test_x509attr.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Attribute < OpenSSL::TestCase def test_new ef = OpenSSL::X509::ExtensionFactory.new @@ -63,5 +61,3 @@ def test_dup assert_equal(attr.to_der, attr.dup.to_der) end end - -end diff --git a/test/test_x509cert.rb b/test/test_x509cert.rb index 0cfe4402e..0f317c380 100644 --- a/test/test_x509cert.rb +++ b/test/test_x509cert.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Certificate < OpenSSL::TestCase def setup super @@ -34,13 +32,10 @@ def test_public_key ["authorityKeyIdentifier","keyid:always",false], ] - sha1 = OpenSSL::Digest::SHA1.new - dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new - [ - [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] - ].each{|pk, digest| - cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest) + @rsa1024, @rsa2048, @dsa256, @dsa512, + ].each{|pk| + cert = issue_cert(@ca, pk, 1, exts, nil, nil) assert_equal(cert.extensions.sort_by(&:to_s)[2].value, OpenSSL::TestUtils.get_subject_key_id(cert)) cert = OpenSSL::X509::Certificate.new(cert.to_der) @@ -152,26 +147,15 @@ def test_sign_and_verify_dsa_md5 } end - def test_dsig_algorithm_mismatch - assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) - end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949] - end - def test_dsa_with_sha2 - begin - cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") - assert_equal("dsa_with_SHA256", cert.signature_algorithm) - rescue OpenSSL::X509::CertificateError - # dsa_with_sha2 not supported. skip following test. - return - end + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") + assert_equal("dsa_with_SHA256", cert.signature_algorithm) # TODO: need more tests for dsa + sha2 # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") assert_equal("dsaWithSHA1", cert.signature_algorithm) - end if defined?(OpenSSL::Digest::SHA256) + end def test_check_private_key cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) @@ -186,5 +170,3 @@ def certificate_error_returns_false false end end - -end diff --git a/test/test_x509crl.rb b/test/test_x509crl.rb index 44dfffc95..9c1cdbbf3 100644 --- a/test/test_x509crl.rb +++ b/test/test_x509crl.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509CRL < OpenSSL::TestCase def setup super @@ -196,7 +194,7 @@ def test_sign_and_verify cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) assert_equal(false, crl.verify(@dsa256)) @@ -213,5 +211,3 @@ def crl_error_returns_false false end end - -end diff --git a/test/test_x509ext.rb b/test/test_x509ext.rb index 58f03168b..d9cde1bd4 100644 --- a/test/test_x509ext.rb +++ b/test/test_x509ext.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Extension < OpenSSL::TestCase def setup super @@ -76,5 +74,3 @@ def test_dup assert_equal(ext.to_der, ext.dup.to_der) end end - -end diff --git a/test/test_x509name.rb b/test/test_x509name.rb index b30a02e64..486d0bbb1 100644 --- a/test/test_x509name.rb +++ b/test/test_x509name.rb @@ -2,8 +2,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Name < OpenSSL::TestCase def setup super @@ -306,7 +304,6 @@ def test_add_entry end def test_add_entry_street - return if OpenSSL::OPENSSL_VERSION_NUMBER < 0x009080df # 0.9.8m # openssl/crypto/objects/obj_mac.h 1.83 dn = [ ["DC", "org"], @@ -362,5 +359,3 @@ def test_dup assert_equal(name.to_der, name.dup.to_der) end end - -end diff --git a/test/test_x509req.rb b/test/test_x509req.rb index 585dda1bc..a42a4f9a2 100644 --- a/test/test_x509req.rb +++ b/test/test_x509req.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Request < OpenSSL::TestCase def setup super @@ -28,7 +26,7 @@ def test_public_key req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der) - req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) @@ -122,7 +120,7 @@ def test_sign_and_verify_rsa_md5 end def test_sign_and_verify_dsa - req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) assert_equal(false, req.verify(@dsa256)) @@ -131,18 +129,6 @@ def test_sign_and_verify_dsa assert_equal(false, req.verify(@dsa512)) end - def test_sign_and_verify_rsa_dss1 - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) - assert_equal(true, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) - assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.version = 1 - assert_equal(false, req.verify(@rsa1024)) - rescue OpenSSL::X509::RequestError - pend - end if defined?(OpenSSL::Digest::DSS1) - def test_sign_and_verify_dsa_md5 assert_raise(OpenSSL::X509::RequestError){ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } @@ -161,5 +147,3 @@ def request_error_returns_false false end end - -end diff --git a/test/test_x509store.rb b/test/test_x509store.rb index af0d8b283..db5e41a00 100644 --- a/test/test_x509store.rb +++ b/test/test_x509store.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Store < OpenSSL::TestCase def setup super @@ -209,17 +207,9 @@ def test_set_errors crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) store.add_crl(crl1) - if /0\.9\.8.*-rhel/ =~ OpenSSL::OPENSSL_VERSION - # RedHat is distributing a patched version of OpenSSL that allows - # multiple CRL for a key (multi-crl.patch) - assert_nothing_raised do - store.add_crl(crl2) # add CRL issued by same CA twice. - end - else - assert_raise(OpenSSL::X509::StoreError){ - store.add_crl(crl2) # add CRL issued by same CA twice. - } - end + assert_raise(OpenSSL::X509::StoreError){ + store.add_crl(crl2) # add CRL issued by same CA twice. + } end def test_dup @@ -229,5 +219,3 @@ def test_dup assert_raise(NoMethodError) { ctx.dup } end end - -end diff --git a/test/utils.rb b/test/utils.rb index bbc9c7efc..1b58f3b3e 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -124,14 +124,10 @@ module OpenSSL::TestUtils TEST_KEY_DH1024.set_key(OpenSSL::BN.new("556AF1598AE69899867CEBA9F29CE4862B884C2B43C9019EA0231908F6EFA785E3C462A6ECB16DF676866E997FFB72B487DC7967C58C3CA38CE974473BF19B2AA5DCBF102735572EBA6F353F6F0BBE7FF1DE1B07FE1381A355C275C33405004317F9491B5955F191F6615A63B30E55A027FB88A1A4B25608E09EEE68A7DF32D", 16), OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16)) - DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 ? - OpenSSL::Digest::SHA1 : - OpenSSL::Digest::DSS1 - module_function def issue_cert(dn, key, serial, extensions, issuer, issuer_key, - not_before: nil, not_after: nil, digest: nil) + not_before: nil, not_after: nil, digest: "sha256") cert = OpenSSL::X509::Certificate.new issuer = cert unless issuer issuer_key = key unless issuer_key @@ -149,7 +145,6 @@ def issue_cert(dn, key, serial, extensions, issuer, issuer_key, extensions.each{|oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) } - digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256" cert.sign(issuer_key, digest) cert end @@ -375,6 +370,4 @@ def dup_public(key) end end end - -end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and - /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION +end