1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/openssl] Require OpenSSL 1.1.1 or later

Browse Source 
Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:

 - Debian 9 (EOL 2022-06)
 - Ubuntu 18.04 LTS (EOL 2023-04)

https://github.com/ruby/openssl/commit/ba83abe920
This commit is contained in:
Kazuki Yamaguchi 2025-01-21 02:08:54 +09:00 committed by git
parent e7bd1d1a9a
commit 43c48e3030
14 changed files with 37 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ext/openssl/extconf.rb
View File

@ -115,11 +115,11 @@ version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") }
else
is_openssl = true
checking_for("OpenSSL version >= 1.1.0") {
try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10100000L", "openssl/opensslv.h") }
checking_for("OpenSSL version >= 1.1.1") {
try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10101000L", "openssl/opensslv.h") }
end
unless version_ok
raise "OpenSSL >= 1.1.0 or LibreSSL >= 3.9.0 is required"
raise "OpenSSL >= 1.1.1 or LibreSSL >= 3.9.0 is required"
end
# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
@ -138,11 +138,8 @@ have_func("RAND_egd()", "openssl/rand.h")
# added in 1.1.0, currently not in LibreSSL
have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
# added in 1.1.1
# added in OpenSSL 1.1.1 and LibreSSL 3.5.0, then removed in LibreSSL 4.0.0
have_func("EVP_PKEY_check(NULL)", evp_h)
have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
# added in 3.0.0
have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)

8
ext/openssl/ossl_hmac.c
View File

@ -97,19 +97,11 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
GetHMAC(self, ctx);
StringValue(key);
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
(unsigned char *)RSTRING_PTR(key),
RSTRING_LENINT(key));
if (!pkey)
ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
#else
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
(unsigned char *)RSTRING_PTR(key),
RSTRING_LENINT(key));
if (!pkey)
ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
#endif
if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
NULL, pkey) != 1) {
EVP_PKEY_free(pkey);

49
ext/openssl/ossl_pkey.c
View File

@ -634,7 +634,6 @@ ossl_pkey_initialize_copy(VALUE self, VALUE other)
}
#endif
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
/*
* call-seq:
* OpenSSL::PKey.new_raw_private_key(algo, string) -> PKey
@ -665,9 +664,7 @@ ossl_pkey_new_raw_private_key(VALUE self, VALUE type, VALUE key)
return ossl_pkey_new(pkey);
}
#endif
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
/*
* call-seq:
* OpenSSL::PKey.new_raw_public_key(algo, string) -> PKey
@ -698,7 +695,6 @@ ossl_pkey_new_raw_public_key(VALUE self, VALUE type, VALUE key)
return ossl_pkey_new(pkey);
}
#endif
/*
* call-seq:
@ -889,7 +885,6 @@ ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self)
return do_pkcs8_export(argc, argv, self, 0);
}
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
/*
* call-seq:
* pkey.raw_private_key => string
@ -916,7 +911,6 @@ ossl_pkey_raw_private_key(VALUE self)
return str;
}
#endif
VALUE
ossl_pkey_export_spki(VALUE self, int to_der)
@ -973,7 +967,6 @@ ossl_pkey_public_to_pem(VALUE self)
return ossl_pkey_export_spki(self, 0);
}
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
/*
* call-seq:
* pkey.raw_public_key => string
@ -1000,7 +993,6 @@ ossl_pkey_raw_public_key(VALUE self)
return str;
}
#endif
/*
* call-seq:
@ -1104,7 +1096,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
rb_jump_tag(state);
}
}
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data)) < 1) {
EVP_MD_CTX_free(ctx);
@ -1125,30 +1116,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSign");
}
#else
if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSignUpdate");
}
if (EVP_DigestSignFinal(ctx, NULL, &siglen) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSignFinal");
}
if (siglen > LONG_MAX) {
EVP_MD_CTX_free(ctx);
rb_raise(ePKeyError, "signature would be too large");
}
sig = ossl_str_new(NULL, (long)siglen, &state);
if (state) {
EVP_MD_CTX_free(ctx);
rb_jump_tag(state);
}
if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(sig),
&siglen) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestSignFinal");
}
#endif
EVP_MD_CTX_free(ctx);
rb_str_set_len(sig, siglen);
return sig;
@ -1209,24 +1176,12 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
rb_jump_tag(state);
}
}
#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
RSTRING_LEN(data));
EVP_MD_CTX_free(ctx);
if (ret < 0)
ossl_raise(ePKeyError, "EVP_DigestVerify");
#else
if (EVP_DigestVerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) {
EVP_MD_CTX_free(ctx);
ossl_raise(ePKeyError, "EVP_DigestVerifyUpdate");
}
ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig),
RSTRING_LEN(sig));
EVP_MD_CTX_free(ctx);
if (ret < 0)
ossl_raise(ePKeyError, "EVP_DigestVerifyFinal");
#endif
if (ret)
return Qtrue;
else {
@ -1739,10 +1694,8 @@ Init_ossl_pkey(void)
rb_define_module_function(mPKey, "read", ossl_pkey_new_from_data, -1);
rb_define_module_function(mPKey, "generate_parameters", ossl_pkey_s_generate_parameters, -1);
rb_define_module_function(mPKey, "generate_key", ossl_pkey_s_generate_key, -1);
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
rb_define_module_function(mPKey, "new_raw_private_key", ossl_pkey_new_raw_private_key, 2);
rb_define_module_function(mPKey, "new_raw_public_key", ossl_pkey_new_raw_public_key, 2);
#endif
rb_define_alloc_func(cPKey, ossl_pkey_alloc);
rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);
@ -1758,10 +1711,8 @@ Init_ossl_pkey(void)
rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);
rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
rb_define_method(cPKey, "raw_private_key", ossl_pkey_raw_private_key, 0);
rb_define_method(cPKey, "raw_public_key", ossl_pkey_raw_public_key, 0);
#endif
rb_define_method(cPKey, "compare?", ossl_pkey_compare, 1);
rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);

2
ext/openssl/ossl_rand.c
View File

@ -189,9 +189,7 @@ Init_ossl_rand(void)
rb_define_module_function(mRandom, "load_random_file", ossl_rand_load_file, 1);
rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1);
rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1);
#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
rb_define_alias(rb_singleton_class(mRandom), "pseudo_bytes", "random_bytes");
#endif
#ifdef HAVE_RAND_EGD
rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1);
rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);

28
ext/openssl/ossl_ssl.c
View File

@ -109,9 +109,7 @@ parse_proto_version(VALUE str)
{ "TLS1", TLS1_VERSION },
{ "TLS1_1", TLS1_1_VERSION },
{ "TLS1_2", TLS1_2_VERSION },
#ifdef TLS1_3_VERSION
{ "TLS1_3", TLS1_3_VERSION },
#endif
};
if (NIL_P(str))
@ -383,7 +381,7 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
return 0;
}
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
#if !OSSL_IS_LIBRESSL
/*
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
@ -762,9 +760,7 @@ ossl_sslctx_setup(VALUE self)
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
#endif
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
SSL_CTX_set_post_handshake_auth(ctx, 1);
#endif
val = rb_attr_get(self, id_i_cert_store);
if (!NIL_P(val)) {
@ -904,7 +900,7 @@ ossl_sslctx_setup(VALUE self)
OSSL_Debug("SSL TLSEXT servername callback added");
}
#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
#if !OSSL_IS_LIBRESSL
/*
* It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
* SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
@ -1016,7 +1012,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
return v;
}
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
/*
* call-seq:
* ctx.ciphersuites = "cipher1:cipher2:..."
@ -1043,7 +1038,6 @@ ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
return v;
}
#endif
#ifndef OPENSSL_NO_DH
/*
@ -2856,9 +2850,7 @@ Init_ossl_ssl(void)
ossl_sslctx_set_minmax_proto_version, 2);
rb_define_method(cSSLContext, "ciphers", ossl_sslctx_get_ciphers, 0);
rb_define_method(cSSLContext, "ciphers=", ossl_sslctx_set_ciphers, 1);
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
#endif
#ifndef OPENSSL_NO_DH
rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
#endif
@ -2994,7 +2986,7 @@ Init_ossl_ssl(void)
#ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
#endif
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
#endif
rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
@ -3002,28 +2994,26 @@ Init_ossl_ssl(void)
rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
rb_define_const(mSSL, "OP_NO_COMPRESSION", ULONG2NUM(SSL_OP_NO_COMPRESSION));
rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
#endif
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
#endif
#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
#endif
#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
#endif
rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
rb_define_const(mSSL, "OP_NO_TLSv1_2", ULONG2NUM(SSL_OP_NO_TLSv1_2));
#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
#endif
rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1, missing in LibreSSL */
rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
#endif
rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
@ -3085,10 +3075,8 @@ Init_ossl_ssl(void)
rb_define_const(mSSL, "TLS1_1_VERSION", INT2NUM(TLS1_1_VERSION));
/* TLS 1.2 */
rb_define_const(mSSL, "TLS1_2_VERSION", INT2NUM(TLS1_2_VERSION));
#ifdef TLS1_3_VERSION /* OpenSSL 1.1.1 */
/* TLS 1.3 */
rb_define_const(mSSL, "TLS1_3_VERSION", INT2NUM(TLS1_3_VERSION));
#endif
sym_exception = ID2SYM(rb_intern_const("exception"));

2
ext/openssl/ossl_x509.c
View File

@ -130,7 +130,7 @@ Init_ossl_x509(void)
#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */
DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
#endif
#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) /* OpenSSL 1.1.1, missing in LibreSSL */
DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);

9
ext/openssl/ossl_x509store.c
View File

@ -357,15 +357,6 @@ ossl_x509store_add_file(VALUE self, VALUE file)
ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
#if !OSSL_OPENSSL_PREREQ(1, 1, 1) && !OSSL_IS_LIBRESSL
/*
* X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
* did not check the return value of X509_STORE_add_{cert,crl}(), leaking
* "cert already in hash table" errors on the error queue, if duplicate
* certificates are found. Fixed by OpenSSL 1.1.1 and LibreSSL 3.5.0.
*/
ossl_clear_error();
#endif
return self;
}

6
test/openssl/test_pkey.rb
View File

@ -84,7 +84,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
def test_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
# Test vector from RFC 8032 Section 7.1 TEST 2
priv_pem = <<~EOF
@ -157,9 +156,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
assert_equal bob_pem, bob.public_to_pem
assert_equal [shared_secret].pack("H*"), alice.derive(bob)
if openssl? && !openssl?(1, 1, 1)
omit "running OpenSSL version does not have raw public key support"
end
alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
assert_equal alice_private.private_to_pem,
@ -173,8 +169,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
end
def test_raw_initialize_errors
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") }
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_public_key("foo123", "xxx") }

68
test/openssl/test_ssl.rb
View File

@ -40,7 +40,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_ctx_options_config
omit "LibreSSL does not support OPENSSL_CONF" if libressl?
omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
Tempfile.create("openssl.cnf") { |f|
f.puts(<<~EOF)
@ -922,7 +921,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_keylog_cb
pend "Keylog callback is not supported" if !openssl?(1, 1, 1) || libressl?
omit "Keylog callback is not supported" if libressl?
prefix = 'CLIENT_RANDOM'
context = OpenSSL::SSL::SSLContext.new
@ -942,30 +941,28 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
end
if tls13_supported?
prefixes = [
'SERVER_HANDSHAKE_TRAFFIC_SECRET',
'EXPORTER_SECRET',
'SERVER_TRAFFIC_SECRET_0',
'CLIENT_HANDSHAKE_TRAFFIC_SECRET',
'CLIENT_TRAFFIC_SECRET_0',
]
context = OpenSSL::SSL::SSLContext.new
context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION
cb_called = false
context.keylog_cb = proc do |_sock, line|
cb_called = true
assert_not_nil(prefixes.delete(line.split.first))
end
prefixes = [
'SERVER_HANDSHAKE_TRAFFIC_SECRET',
'EXPORTER_SECRET',
'SERVER_TRAFFIC_SECRET_0',
'CLIENT_HANDSHAKE_TRAFFIC_SECRET',
'CLIENT_TRAFFIC_SECRET_0',
]
context = OpenSSL::SSL::SSLContext.new
context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION
cb_called = false
context.keylog_cb = proc do |_sock, line|
cb_called = true
assert_not_nil(prefixes.delete(line.split.first))
end
start_server do |port|
server_connect(port, context) do |ssl|
ssl.puts "abc"
assert_equal("abc\n", ssl.gets)
assert_equal(true, cb_called)
end
assert_equal(0, prefixes.size)
start_server do |port|
server_connect(port, context) do |ssl|
ssl.puts "abc"
assert_equal("abc\n", ssl.gets)
assert_equal(true, cb_called)
end
assert_equal(0, prefixes.size)
end
end
@ -1204,8 +1201,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
OpenSSL::SSL::TLS1_VERSION,
OpenSSL::SSL::TLS1_1_VERSION,
OpenSSL::SSL::TLS1_2_VERSION,
# OpenSSL 1.1.1
defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION,
OpenSSL::SSL::TLS1_3_VERSION,
].compact
# Prepare for testing & do sanity check
@ -1265,9 +1261,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
OpenSSL::SSL::TLS1_VERSION => { name: "TLSv1", method: "TLSv1" },
OpenSSL::SSL::TLS1_1_VERSION => { name: "TLSv1.1", method: "TLSv1_1" },
OpenSSL::SSL::TLS1_2_VERSION => { name: "TLSv1.2", method: "TLSv1_2" },
# OpenSSL 1.1.1
defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION =>
{ name: "TLSv1.3", method: nil },
OpenSSL::SSL::TLS1_3_VERSION => { name: "TLSv1.3", method: nil },
}
# Server enables a single version
@ -1381,8 +1375,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# applications. The purpose of this test case is to check that SSL options
# are properly propagated to OpenSSL library.
supported = check_supported_protocol_versions
if !defined?(OpenSSL::SSL::TLS1_3_VERSION) ||
!supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
if !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
!supported.include?(OpenSSL::SSL::TLS1_3_VERSION)
pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
"and enabled by default"
@ -1721,11 +1714,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_ciphersuites_method_tls_connection
ssl_ctx = OpenSSL::SSL::SSLContext.new
if !tls13_supported? || !ssl_ctx.respond_to?(:ciphersuites=)
pend 'TLS 1.3 not supported'
end
csuite = ['TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128, 128]
inputs = [csuite[0], [csuite[0]], [csuite]]
@ -1746,23 +1734,17 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_ciphersuites_method_nil_argument
ssl_ctx = OpenSSL::SSL::SSLContext.new
pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
assert_nothing_raised { ssl_ctx.ciphersuites = nil }
end
def test_ciphersuites_method_frozen_object
ssl_ctx = OpenSSL::SSL::SSLContext.new
pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
ssl_ctx.freeze
assert_raise(FrozenError) { ssl_ctx.ciphersuites = 'TLS_AES_256_GCM_SHA384' }
end
def test_ciphersuites_method_bogus_csuite
ssl_ctx = OpenSSL::SSL::SSLContext.new
pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
assert_raise_with_message(
OpenSSL::SSL::SSLError,
/SSL_CTX_set_ciphersuites: no cipher match/i
@ -1878,8 +1860,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_ecdh_curves_tls13
pend "TLS 1.3 not supported" unless tls13_supported?
ctx_proc = -> ctx {
# Assume TLS 1.3 is enabled and chosen by default
ctx.ecdh_curves = "P-384:P-521"

7
test/openssl/test_ssl_session.rb
View File

@ -250,7 +250,6 @@ __EOS__
end
def test_ctx_client_session_cb_tls13
omit "TLS 1.3 not supported" unless tls13_supported?
omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
start_server do |port|
@ -274,7 +273,6 @@ __EOS__
end
def test_ctx_client_session_cb_tls13_exception
omit "TLS 1.3 not supported" unless tls13_supported?
omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
server_proc = lambda do |ctx, ssl|
@ -375,11 +373,6 @@ __EOS__
connections = 2
sess2 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
ssl.puts("abc"); assert_equal "abc\n", ssl.gets
if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7)
# OpenSSL >= 1.1.0, < 1.1.0g
pend "External session cache is not working; " \
"see https://github.com/openssl/openssl/pull/4014"
end
assert_equal true, ssl.session_reused?
ssl.session
}

1
test/openssl/test_x509cert.rb
View File

@ -294,7 +294,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
assert_equal(true, cert.verify(ed25519))

1
test/openssl/test_x509crl.rb
View File

@ -207,7 +207,6 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],

1
test/openssl/test_x509req.rb
View File

@ -135,7 +135,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
def test_sign_and_verify_ed25519
# Ed25519 is not FIPS-approved.
omit_on_fips
omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
ed25519 = OpenSSL::PKey::generate_key("ED25519")
req = issue_csr(0, @dn, ed25519, nil)
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })

8
test/openssl/utils.rb
View File

@ -186,14 +186,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
@server = nil
end
def tls13_supported?
return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION)
ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
true
rescue
end
def readwrite_loop(ctx, ssl)
while line = ssl.gets
ssl.write(line)