1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/openssl] Require LibreSSL 3.9 or later

Browse Source 
Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in
2024-10.

https://github.com/ruby/openssl/commit/f33d611f9f
This commit is contained in:
Kazuki Yamaguchi 2025-01-08 01:55:56 +09:00 committed by git
parent 4f79485889
commit 0fb64bda9b
13 changed files with 29 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ext/openssl/extconf.rb
View File

@ -120,14 +120,14 @@ end
version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
is_libressl = true
checking_for("LibreSSL version >= 3.1.0") {
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
checking_for("LibreSSL version >= 3.9.0") {
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") }
else
checking_for("OpenSSL version >= 1.0.2") {
try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
end
unless version_ok
raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.9.0 is required"
end
# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
@ -149,9 +149,6 @@ engines.each { |name|
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
}
# missing in libressl < 3.5
have_func("i2d_re_X509_tbs(NULL, NULL)", x509_h)
# added in 1.1.0
if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
$defs.push("-DHAVE_OPAQUE_OPENSSL")

6
ext/openssl/ossl_kdf.c
View File

@ -3,7 +3,7 @@
* Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
*/
#include "ossl.h"
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
# include <openssl/kdf.h>
#endif
@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
}
#endif
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
/*
* call-seq:
* KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@ -305,7 +305,7 @@ Init_ossl_kdf(void)
#if defined(HAVE_EVP_PBE_SCRYPT)
rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
#endif
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
#endif
}

6
ext/openssl/ossl_pkey.c
View File

@ -799,7 +799,7 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
}
}
else {
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 5, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
ossl_pem_passwd_cb,
(void *)pass)) {
@ -1116,7 +1116,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
rb_jump_tag(state);
}
}
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data)) < 1) {
EVP_MD_CTX_free(ctx);
@ -1221,7 +1221,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
rb_jump_tag(state);
}
}
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0)
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data));

5
ext/openssl/ossl_ssl.c
View File

@ -18,11 +18,6 @@
# define OSSL_USE_NEXTPROTONEG
#endif
#if !defined(TLS1_3_VERSION) && \
OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
# define TLS1_3_VERSION 0x0304
#endif
#ifdef _WIN32
# define TO_SOCKET(s) _get_osfhandle(s)
#else

4
ext/openssl/ossl_x509cert.c
View File

@ -711,7 +711,6 @@ ossl_x509_eq(VALUE self, VALUE other)
return !X509_cmp(a, b) ? Qtrue : Qfalse;
}
#ifdef HAVE_I2D_RE_X509_TBS
/*
* call-seq:
* cert.tbs_bytes => string
@ -741,7 +740,6 @@ ossl_x509_tbs_bytes(VALUE self)
return str;
}
#endif
struct load_chained_certificates_arguments {
VALUE certificates;
@ -1035,7 +1033,5 @@ Init_ossl_x509cert(void)
rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1);
rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0);
rb_define_method(cX509Cert, "==", ossl_x509_eq, 1);
#ifdef HAVE_I2D_RE_X509_TBS
rb_define_method(cX509Cert, "tbs_bytes", ossl_x509_tbs_bytes, 0);
#endif
}

4
ext/openssl/ossl_x509store.c
View File

@ -365,12 +365,12 @@ ossl_x509store_add_file(VALUE self, VALUE file)
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
#if !OSSL_OPENSSL_PREREQ(1, 1, 1) && !OSSL_IS_LIBRESSL
/*
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
* did not check the return value of X509_STORE_add_{cert,crl}(), leaking
* "cert already in hash table" errors on the error queue, if duplicate
* certificates are found. This will be fixed by OpenSSL 1.1.1.
* certificates are found. Fixed by OpenSSL 1.1.1 and LibreSSL 3.5.0.
*/
ossl_clear_error();
#endif

11
test/openssl/test_pkey.rb
View File

@ -11,7 +11,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
end
def test_generic_oid_inspect_x25519
omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0)
omit_on_fips
# X25519 private key
@ -85,8 +85,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
def test_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
# See EVP_PKEY_sign in Changelog for 3.7.0: https://github.com/libressl/portable/blob/master/ChangeLog
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
# Test vector from RFC 8032 Section 7.1 TEST 2
priv_pem = <<~EOF
@ -137,7 +136,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
end
def test_x25519
omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0)
omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0)
omit_on_fips
# Test vector from RFC 7748 Section 6.1
@ -160,7 +159,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
assert_equal bob_pem, bob.public_to_pem
assert_equal [shared_secret].pack("H*"), alice.derive(bob)
unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
if openssl? && !openssl?(1, 1, 1)
omit "running OpenSSL version does not have raw public key support"
end
alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
@ -176,7 +175,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
end
def test_raw_initialize_errors
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0)
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") }

23
test/openssl/test_ssl.rb
View File

@ -394,7 +394,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
start_server(verify_mode: vflag,
ctx_proc: proc { |ctx|
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0)
# LibreSSL doesn't support client_cert_cb in TLS 1.3
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
}) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key
@ -437,7 +438,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_client_ca
pend "LibreSSL 3.2 has broken client CA support" if libressl?(3, 2, 0)
pend "LibreSSL doesn't support certificate_authorities" if libressl?
ctx_proc = Proc.new do |ctx|
ctx.client_ca = [@ca_cert]
@ -609,12 +610,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(accept_proc: proc { |server|
server_finished = server.finished_message
server_peer_finished = server.peer_finished_message
}, ctx_proc: proc { |ctx|
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0)
}) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
ctx.max_version = :TLS1_2 if libressl?(3, 2, 0) && !libressl?(3, 3, 0)
server_connect(port, ctx) { |ssl|
ssl.puts "abc"; ssl.gets
@ -798,7 +796,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# LibreSSL 3.5.0+ doesn't support other wildcard certificates
# (it isn't required to, as RFC states MAY, not MUST)
return if libressl?(3, 5, 0)
return if libressl?
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
@ -1078,7 +1076,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_verify_hostname_on_connect
ctx_proc = proc { |ctx|
san = "DNS:a.example.com,DNS:*.b.example.com"
san += ",DNS:c*.example.com,DNS:d.*.example.com" unless libressl?(3, 2, 2)
san += ",DNS:c*.example.com,DNS:d.*.example.com" unless libressl?
exts = [
["keyUsage", "keyEncipherment,digitalSignature", true],
["subjectAltName", san],
@ -1105,7 +1103,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
["cx.example.com", true],
["d.x.example.com", false],
].each do |name, expected_ok|
next if name.start_with?('cx') if libressl?(3, 2, 2)
next if name.start_with?('cx') if libressl?
begin
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
@ -1388,8 +1386,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
supported = check_supported_protocol_versions
if !defined?(OpenSSL::SSL::TLS1_3_VERSION) ||
!supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
!supported.include?(OpenSSL::SSL::TLS1_3_VERSION) ||
!defined?(OpenSSL::SSL::OP_NO_TLSv1_3) # LibreSSL < 3.4
!supported.include?(OpenSSL::SSL::TLS1_3_VERSION)
pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
"and enabled by default"
end
@ -1743,11 +1740,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
server_connect(port, cli_ctx) do |ssl|
assert_equal('TLSv1.3', ssl.ssl_version)
if libressl?(3, 4, 0) && !libressl?(3, 5, 0)
assert_equal("AEAD-AES128-GCM-SHA256", ssl.cipher[0])
else
assert_equal(csuite[0], ssl.cipher[0])
end
assert_equal(csuite[0], ssl.cipher[0])
ssl.puts('abc'); assert_equal("abc\n", ssl.gets)
end
end

2
test/openssl/test_ssl_session.rb
View File

@ -120,7 +120,7 @@ __EOS__
ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET
# Disable server-side session cache which is enabled by default
ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0)
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
}
start_server(ctx_proc: ctx_proc) do |port|
sess1 = server_connect_with_session(port, nil, nil) { |ssl|

5
test/openssl/test_x509cert.rb
View File

@ -294,8 +294,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
assert_equal(true, cert.verify(ed25519))
@ -421,8 +420,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
end
def test_tbs_precert_bytes
pend "LibreSSL < 3.5 does not have i2d_re_X509_tbs" if libressl? && !libressl?(3, 5, 0)
cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
seq = OpenSSL::ASN1.decode(cert.tbs_bytes)

3
test/openssl/test_x509crl.rb
View File

@ -207,8 +207,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],

3
test/openssl/test_x509req.rb
View File

@ -135,8 +135,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
# See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog
omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1)
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
req = issue_csr(0, @dn, ed25519, nil)
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })

2
test/openssl/test_x509store.rb
View File

@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
def test_add_cert_duplicate
# Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error
# if the given certificate is already in the X509_STORE
return if openssl?(1, 1, 0) || libressl?
return unless openssl? && !openssl?(1, 1, 0)
ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA")
ca1_key = Fixtures.pkey("rsa-1")
ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil)