[ruby/openssl] Require OpenSSL 1.1.0 or later

Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e

ext/openssl/extconf.rb

@@ -60,7 +60,6 @@ end
 def find_openssl_library
   if $mswin || $mingw
     # required for static OpenSSL libraries
-    have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen())
     have_library("crypt32")
   end
 
@@ -77,12 +76,6 @@ def find_openssl_library
       return true
     end
 
-    # OpenSSL <= 1.0.2: libeay32.lib and ssleay32.lib.
-    if have_library("libeay32", "CRYPTO_malloc") &&
-        have_library("ssleay32", "SSL_new")
-      return true
-    end
-
     # LibreSSL: libcrypto-##.lib and libssl-##.lib, where ## is the ABI version
     # number. We have to find the version number out by scanning libpath.
     libpath = $LIBPATH.dup
@@ -124,11 +117,11 @@ version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
     try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") }
 else
   is_openssl = true
-  checking_for("OpenSSL version >= 1.0.2") {
-    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
+  checking_for("OpenSSL version >= 1.1.0") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10100000L", "openssl/opensslv.h") }
 end
 unless version_ok
-  raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.9.0 is required"
+  raise "OpenSSL >= 1.1.0 or LibreSSL >= 3.9.0 is required"
 end
 
 # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
@@ -138,64 +131,20 @@ end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
 evp_h = "openssl/evp.h".freeze
-x509_h = "openssl/x509.h".freeze
 ts_h = "openssl/ts.h".freeze
 ssl_h = "openssl/ssl.h".freeze
 
 # compile options
 have_func("RAND_egd()", "openssl/rand.h")
-if is_openssl
-  engines = %w{dynamic 4758cca aep atalla chil
-               cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
-  engines.each { |name|
-    have_func("ENGINE_load_#{name}()", "openssl/engine.h")
-  }
-end
 
-# added in 1.1.0
-if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
-  $defs.push("-DHAVE_OPAQUE_OPENSSL")
-end
-have_func("EVP_MD_CTX_new()", evp_h)
-have_func("EVP_MD_CTX_free(NULL)", evp_h)
-have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
-have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
-have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
-have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
-have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
-have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
-have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
-have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
-have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
-have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
-have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
-have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
-have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
-have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
-have_func("X509_up_ref(NULL)", x509_h)
-have_func("X509_CRL_up_ref(NULL)", x509_h)
-have_func("X509_STORE_up_ref(NULL)", x509_h)
-have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
-have_func("EVP_PKEY_up_ref(NULL)", evp_h)
-have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
-have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
-have_func("X509_get0_notBefore(NULL)", x509_h)
-have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
-have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
-have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
-have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
-have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
-have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
-have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
-have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
+# added in 1.1.0, currently not in LibreSSL
 have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
-have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
-have_func("X509_STORE_get0_param(NULL)", x509_h)
 
 # added in 1.1.1
 have_func("EVP_PKEY_check(NULL)", evp_h)
 have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
 have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
+have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
 
 # added in 3.0.0
 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)

ext/openssl/lib/openssl/ssl.rb

@@ -51,8 +51,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
         }
       end
 
-      if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
-           OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+      if !OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL")
         DEFAULT_PARAMS.merge!(
           min_version: OpenSSL::SSL::TLS1_VERSION,
           ciphers: %w{

ext/openssl/openssl_missing.c

@@ -1,40 +0,0 @@
-/*
- * 'OpenSSL for Ruby' project
- * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
- * All rights reserved.
- */
-/*
- * This program is licensed under the same licence as Ruby.
- * (See the file 'COPYING'.)
- */
-#include RUBY_EXTCONF_H
-
-#include <string.h> /* memcpy() */
-#include <openssl/x509_vfy.h>
-
-#include "openssl_missing.h"
-
-/*** added in 1.1.0 ***/
-#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
-void
-ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
-			     const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-	*psig = crl->signature;
-    if (palg != NULL)
-	*palg = crl->sig_alg;
-}
-#endif
-
-#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
-void
-ossl_X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
-			     const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-	*psig = req->signature;
-    if (palg != NULL)
-	*palg = req->sig_alg;
-}
-#endif

ext/openssl/openssl_missing.h

@@ -12,204 +12,6 @@
 
 #include "ruby/config.h"
 
-/* added in 1.1.0 */
-#if !defined(HAVE_EVP_MD_CTX_NEW)
-#  define EVP_MD_CTX_new EVP_MD_CTX_create
-#endif
-
-#if !defined(HAVE_EVP_MD_CTX_FREE)
-#  define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#endif
-
-#if !defined(HAVE_X509_STORE_GET_EX_DATA)
-#  define X509_STORE_get_ex_data(x, idx) \
-	CRYPTO_get_ex_data(&(x)->ex_data, (idx))
-#endif
-
-#if !defined(HAVE_X509_STORE_SET_EX_DATA)
-#  define X509_STORE_set_ex_data(x, idx, data) \
-	CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
-#endif
-
-#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX) && !defined(X509_STORE_get_ex_new_index)
-#  define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
-	CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
-				(newf), (dupf), (freef))
-#endif
-
-#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
-void ossl_X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
-#  define X509_CRL_get0_signature ossl_X509_CRL_get0_signature
-#endif
-
-#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
-void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
-#  define X509_REQ_get0_signature ossl_X509_REQ_get0_signature
-#endif
-
-#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
-#  define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
-#endif
-
-#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
-#  define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate)
-#endif
-
-#if !defined(HAVE_X509_GET0_TBS_SIGALG)
-#  define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature)
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED)
-#  define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted)
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_CERT)
-#  define X509_STORE_CTX_get0_cert(x) ((x)->cert)
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN)
-#  define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx)
-#endif
-
-#if !defined(HAVE_OCSP_SINGLERESP_GET0_ID)
-#  define OCSP_SINGLERESP_get0_id(s) ((s)->certId)
-#endif
-
-#if !defined(HAVE_SSL_CTX_GET_CIPHERS)
-#  define SSL_CTX_get_ciphers(ctx) ((ctx)->cipher_list)
-#endif
-
-#if !defined(HAVE_X509_UP_REF)
-#  define X509_up_ref(x) \
-	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509)
-#endif
-
-#if !defined(HAVE_X509_CRL_UP_REF)
-#  define X509_CRL_up_ref(x) \
-	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_CRL);
-#endif
-
-#if !defined(HAVE_X509_STORE_UP_REF)
-#  define X509_STORE_up_ref(x) \
-	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_STORE);
-#endif
-
-#if !defined(HAVE_SSL_SESSION_UP_REF)
-#  define SSL_SESSION_up_ref(x) \
-	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_SSL_SESSION);
-#endif
-
-#if !defined(HAVE_EVP_PKEY_UP_REF)
-#  define EVP_PKEY_up_ref(x) \
-	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
-#endif
-
-#if !defined(HAVE_OPAQUE_OPENSSL)
-#define IMPL_PKEY_GETTER(_type, _name) \
-static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
-	return pkey->pkey._name; }
-#define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \
-static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
-	if (a1) *a1 = obj->a1; \
-	if (a2) *a2 = obj->a2; } \
-static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
-	if (_fail_cond) return 0; \
-	BN_clear_free(obj->a1); obj->a1 = a1; \
-	BN_clear_free(obj->a2); obj->a2 = a2; \
-	return 1; }
-#define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \
-static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
-	if (a1) *a1 = obj->a1; \
-	if (a2) *a2 = obj->a2; \
-	if (a3) *a3 = obj->a3; } \
-static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2, BIGNUM *a3) { \
-	if (_fail_cond) return 0; \
-	BN_clear_free(obj->a1); obj->a1 = a1; \
-	BN_clear_free(obj->a2); obj->a2 = a2; \
-	BN_clear_free(obj->a3); obj->a3 = a3; \
-	return 1; }
-
-#if !defined(OPENSSL_NO_RSA)
-IMPL_PKEY_GETTER(RSA, rsa)
-IMPL_KEY_ACCESSOR3(RSA, key, n, e, d, (n == obj->n || e == obj->e || (obj->d && d == obj->d)))
-IMPL_KEY_ACCESSOR2(RSA, factors, p, q, (p == obj->p || q == obj->q))
-IMPL_KEY_ACCESSOR3(RSA, crt_params, dmp1, dmq1, iqmp, (dmp1 == obj->dmp1 || dmq1 == obj->dmq1 || iqmp == obj->iqmp))
-#endif
-
-#if !defined(OPENSSL_NO_DSA)
-IMPL_PKEY_GETTER(DSA, dsa)
-IMPL_KEY_ACCESSOR2(DSA, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
-IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g))
-#endif
-
-#if !defined(OPENSSL_NO_DH)
-IMPL_PKEY_GETTER(DH, dh)
-IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
-IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || (obj->q && q == obj->q) || g == obj->g))
-static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; }
-#endif
-
-#if !defined(OPENSSL_NO_EC)
-IMPL_PKEY_GETTER(EC_KEY, ec)
-#endif
-
-#undef IMPL_PKEY_GETTER
-#undef IMPL_KEY_ACCESSOR2
-#undef IMPL_KEY_ACCESSOR3
-#endif /* HAVE_OPAQUE_OPENSSL */
-
-#if !defined(EVP_CTRL_AEAD_GET_TAG)
-#  define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
-#  define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
-#  define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
-#endif
-
-#if !defined(HAVE_X509_GET0_NOTBEFORE)
-#  define X509_get0_notBefore(x) X509_get_notBefore(x)
-#  define X509_get0_notAfter(x) X509_get_notAfter(x)
-#  define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
-#  define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
-#  define X509_set1_notBefore(x, t) X509_set_notBefore(x, t)
-#  define X509_set1_notAfter(x, t) X509_set_notAfter(x, t)
-#  define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t)
-#  define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t)
-#endif
-
-#if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)
-#  define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
-#endif
-
-#if !defined(HAVE_TS_STATUS_INFO_GET0_STATUS)
-#  define TS_STATUS_INFO_get0_status(a) ((a)->status)
-#endif
-
-#if !defined(HAVE_TS_STATUS_INFO_GET0_TEXT)
-#  define TS_STATUS_INFO_get0_text(a) ((a)->text)
-#endif
-
-#if !defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
-#  define TS_STATUS_INFO_get0_failure_info(a) ((a)->failure_info)
-#endif
-
-#if !defined(HAVE_TS_VERIFY_CTS_SET_CERTS)
-#  define TS_VERIFY_CTS_set_certs(ctx, crts) ((ctx)->certs=(crts))
-#endif
-
-#if !defined(HAVE_TS_VERIFY_CTX_SET_STORE)
-#  define TS_VERIFY_CTX_set_store(ctx, str) ((ctx)->store=(str))
-#endif
-
-#if !defined(HAVE_TS_VERIFY_CTX_ADD_FLAGS)
-#  define TS_VERIFY_CTX_add_flags(ctx, f) ((ctx)->flags |= (f))
-#endif
-
-#if !defined(HAVE_TS_RESP_CTX_SET_TIME_CB)
-#   define TS_RESP_CTX_set_time_cb(ctx, callback, dta) do { \
-        (ctx)->time_cb = (callback); \
-        (ctx)->time_cb_data = (dta); \
-    } while (0)
-#endif
-
 /* added in 3.0.0 */
 #if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
 #  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
@@ -224,11 +26,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
  * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
  */
 #ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
-# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
 #  define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
-# else
-#  define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
-# endif
 #endif
 
 #ifndef HAVE_EVP_PKEY_EQ

ext/openssl/ossl.c

@@ -10,13 +10,6 @@
 #include "ossl.h"
 #include <stdarg.h> /* for ossl_raise */
 
-/* OpenSSL >= 1.1.0 and LibreSSL >= 2.9.0 */
-#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
-# define HAVE_OPENSSL_110_THREADING_API
-#else
-# include <ruby/thread_native.h>
-#endif
-
 /*
  * Data Conversion
  */
@@ -463,97 +456,6 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
 #endif
 }
 
-#if !defined(HAVE_OPENSSL_110_THREADING_API)
-/**
- * Stores locks needed for OpenSSL thread safety
- */
-struct CRYPTO_dynlock_value {
-    rb_nativethread_lock_t lock;
-    rb_nativethread_id_t owner;
-    size_t count;
-};
-
-static void
-ossl_lock_init(struct CRYPTO_dynlock_value *l)
-{
-    rb_nativethread_lock_initialize(&l->lock);
-    l->count = 0;
-}
-
-static void
-ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l)
-{
-    if (mode & CRYPTO_LOCK) {
-	/* TODO: rb_nativethread_id_t is not necessarily compared with ==. */
-	rb_nativethread_id_t tid = rb_nativethread_self();
-	if (l->count && l->owner == tid) {
-	    l->count++;
-	    return;
-	}
-	rb_nativethread_lock_lock(&l->lock);
-	l->owner = tid;
-	l->count = 1;
-    } else {
-	if (!--l->count)
-	    rb_nativethread_lock_unlock(&l->lock);
-    }
-}
-
-static struct CRYPTO_dynlock_value *
-ossl_dyn_create_callback(const char *file, int line)
-{
-    /* Do not use xmalloc() here, since it may raise NoMemoryError */
-    struct CRYPTO_dynlock_value *dynlock =
-	OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value));
-    if (dynlock)
-	ossl_lock_init(dynlock);
-    return dynlock;
-}
-
-static void
-ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
-{
-    ossl_lock_unlock(mode, l);
-}
-
-static void
-ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int line)
-{
-    rb_nativethread_lock_destroy(&l->lock);
-    OPENSSL_free(l);
-}
-
-static void ossl_threadid_func(CRYPTO_THREADID *id)
-{
-    /* register native thread id */
-    CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
-}
-
-static struct CRYPTO_dynlock_value *ossl_locks;
-
-static void
-ossl_lock_callback(int mode, int type, const char *file, int line)
-{
-    ossl_lock_unlock(mode, &ossl_locks[type]);
-}
-
-static void Init_ossl_locks(void)
-{
-    int i;
-    int num_locks = CRYPTO_num_locks();
-
-    ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks);
-    for (i = 0; i < num_locks; i++)
-	ossl_lock_init(&ossl_locks[i]);
-
-    CRYPTO_THREADID_set_callback(ossl_threadid_func);
-    CRYPTO_set_locking_callback(ossl_lock_callback);
-    CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback);
-    CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);
-    CRYPTO_set_dynlock_destroy_callback(ossl_dyn_destroy_callback);
-}
-#endif /* !HAVE_OPENSSL_110_THREADING_API */
-
 /*
  * call-seq:
  *   OpenSSL.fixed_length_secure_compare(string, string) -> boolean
@@ -1050,15 +952,8 @@ Init_openssl(void)
     /*
      * Init all digests, ciphers
      */
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
     if (!OPENSSL_init_ssl(0, NULL))
         rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl");
-#else
-    OpenSSL_add_ssl_algorithms();
-    OpenSSL_add_all_algorithms();
-    ERR_load_crypto_strings();
-    SSL_load_error_strings();
-#endif
 
     /*
      * Init main module
@@ -1075,11 +970,7 @@ Init_openssl(void)
     /*
      * Version of OpenSSL the ruby OpenSSL extension is running with
      */
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
     rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
-#else
-    rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
-#endif
 
     /*
      * Version number of OpenSSL the ruby OpenSSL extension was built with
@@ -1143,10 +1034,6 @@ Init_openssl(void)
      */
     ossl_s_to_der = rb_intern("to_der");
 
-#if !defined(HAVE_OPENSSL_110_THREADING_API)
-    Init_ossl_locks();
-#endif
-
     /*
      * Init components
      */

ext/openssl/ossl_engine.c

@@ -47,7 +47,6 @@ static VALUE eEngineError;
 /*
  * Private
  */
-#if OSSL_OPENSSL_PREREQ(1, 1, 0)
 #define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x) \
 do{\
   if(!strcmp(#engine_name, RSTRING_PTR(name))){\
@@ -57,15 +56,6 @@ do{\
       ossl_raise(eEngineError, "OPENSSL_init_crypto"); \
   }\
 }while(0)
-#else
-#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x)  \
-do{\
-  if(!strcmp(#engine_name, RSTRING_PTR(name))){\
-    ENGINE_load_##engine_name();\
-    return Qtrue;\
-  }\
-}while(0)
-#endif
 
 static void
 ossl_engine_free(void *engine)
@@ -102,50 +92,10 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
         return Qtrue;
     }
     StringValueCStr(name);
-#ifdef HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC);
-#endif
-#ifndef OPENSSL_NO_STATIC_ENGINE
-#ifdef HAVE_ENGINE_LOAD_4758CCA
-    OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA);
-#endif
-#ifdef HAVE_ENGINE_LOAD_AEP
-    OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP);
-#endif
-#ifdef HAVE_ENGINE_LOAD_ATALLA
-    OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA);
-#endif
-#ifdef HAVE_ENGINE_LOAD_CHIL
-    OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL);
-#endif
-#ifdef HAVE_ENGINE_LOAD_CSWIFT
-    OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT);
-#endif
-#ifdef HAVE_ENGINE_LOAD_NURON
-    OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON);
-#endif
-#ifdef HAVE_ENGINE_LOAD_SUREWARE
-    OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE);
-#endif
-#ifdef HAVE_ENGINE_LOAD_UBSEC
-    OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC);
-#endif
-#ifdef HAVE_ENGINE_LOAD_PADLOCK
     OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK);
-#endif
-#ifdef HAVE_ENGINE_LOAD_CAPI
     OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI);
-#endif
-#ifdef HAVE_ENGINE_LOAD_GMP
-    OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP);
-#endif
-#ifdef HAVE_ENGINE_LOAD_GOST
-    OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST);
-#endif
-#endif
-#ifdef HAVE_ENGINE_LOAD_CRYPTODEV
     OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV);
-#endif
     OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL);
     rb_warning("no such builtin loader for `%"PRIsVALUE"'", name);
     return Qnil;
@@ -163,9 +113,6 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
 static VALUE
 ossl_engine_s_cleanup(VALUE self)
 {
-#if !OSSL_OPENSSL_PREREQ(1, 1, 0)
-    ENGINE_cleanup();
-#endif
     return Qnil;
 }
 

ext/openssl/ossl_kdf.c

@@ -3,9 +3,7 @@
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
  */
 #include "ossl.h"
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
-# include <openssl/kdf.h>
-#endif
+#include <openssl/kdf.h>
 
 static VALUE mKDF, eKDF;
 
@@ -141,7 +139,6 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
 }
 #endif
 
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
 /*
  * call-seq:
  *    KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -238,7 +235,6 @@ kdf_hkdf(int argc, VALUE *argv, VALUE self)
 
     return str;
 }
-#endif
 
 void
 Init_ossl_kdf(void)
@@ -305,7 +301,5 @@ Init_ossl_kdf(void)
 #if defined(HAVE_EVP_PBE_SCRYPT)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
-#endif
 }

ext/openssl/ossl_pkcs12.c

@@ -201,12 +201,8 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
     BIO_free(in);
 
     pkey = cert = ca = Qnil;
-    /* OpenSSL's bug; PKCS12_parse() puts errors even if it succeeds.
-     * Fixed in OpenSSL 1.0.0t, 1.0.1p, 1.0.2d */
-    ERR_set_mark();
     if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
 	ossl_raise(ePKCS12Error, "PKCS12_parse");
-    ERR_pop_to_mark();
     if (key) {
 	pkey = rb_protect(ossl_pkey_new_i, (VALUE)key, &st);
 	if (st) goto err;

ext/openssl/ossl_pkey.c

@@ -517,8 +517,7 @@ ossl_pkey_check_public_key(const EVP_PKEY *pkey)
     if (EVP_PKEY_missing_parameters(pkey))
 	ossl_raise(ePKeyError, "parameters missing");
 
-    /* OpenSSL < 1.1.0 takes non-const pointer */
-    ptr = EVP_PKEY_get0((EVP_PKEY *)pkey);
+    ptr = EVP_PKEY_get0(pkey);
     switch (EVP_PKEY_base_id(pkey)) {
       case EVP_PKEY_RSA:
 	RSA_get0_key(ptr, &n, &e, NULL);
@@ -799,20 +798,9 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
 	}
     }
     else {
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
 	if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0,
 						  ossl_pem_passwd_cb,
 						  (void *)pass)) {
-#else
-	char pem_str[80];
-	const char *aname;
-
-	EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &aname, pkey->ameth);
-	snprintf(pem_str, sizeof(pem_str), "%s PRIVATE KEY", aname);
-	if (!PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, pem_str, bio,
-				pkey, enc, NULL, 0, ossl_pem_passwd_cb,
-				(void *)pass)) {
-#endif
 	    BIO_free(bio);
 	    ossl_raise(ePKeyError, "PEM_write_bio_PrivateKey_traditional");
 	}

ext/openssl/ossl_pkey_ec.c

@@ -1609,9 +1609,7 @@ void Init_ossl_ec(void)
     ID_hybrid = rb_intern("hybrid");
 
     rb_define_const(cEC, "NAMED_CURVE", INT2NUM(OPENSSL_EC_NAMED_CURVE));
-#if defined(OPENSSL_EC_EXPLICIT_CURVE)
     rb_define_const(cEC, "EXPLICIT_CURVE", INT2NUM(OPENSSL_EC_EXPLICIT_CURVE));
-#endif
 
     rb_define_singleton_method(cEC, "builtin_curves", ossl_s_builtin_curves, 0);
 

ext/openssl/ossl_ssl.c

@@ -85,11 +85,7 @@ ossl_sslctx_s_alloc(VALUE klass)
     VALUE obj;
 
     obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
     ctx = SSL_CTX_new(TLS_method());
-#else
-    ctx = SSL_CTX_new(SSLv23_method());
-#endif
     if (!ctx) {
         ossl_raise(eSSLError, "SSL_CTX_new");
     }
@@ -97,19 +93,6 @@ ossl_sslctx_s_alloc(VALUE klass)
     RTYPEDDATA_DATA(obj) = ctx;
     SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
 
-#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
-    !defined(LIBRESSL_VERSION_NUMBER)
-    /* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
-     * allows to specify multiple curve names and OpenSSL will select
-     * automatically from them. In OpenSSL 1.0.2, the automatic selection has to
-     * be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
-     * and it is always enabled. To uniform the behavior, we enable the
-     * automatic selection also in 1.0.2. Users can still disable ECDH by
-     * removing ECDH cipher suites by SSLContext#ciphers=. */
-    if (!SSL_CTX_set_ecdh_auto(ctx, 1))
-	ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
-#endif
-
     return obj;
 }
 
@@ -162,40 +145,10 @@ ossl_sslctx_set_minmax_proto_version(VALUE self, VALUE min_v, VALUE max_v)
     min = parse_proto_version(min_v);
     max = parse_proto_version(max_v);
 
-#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
     if (!SSL_CTX_set_min_proto_version(ctx, min))
 	ossl_raise(eSSLError, "SSL_CTX_set_min_proto_version");
     if (!SSL_CTX_set_max_proto_version(ctx, max))
 	ossl_raise(eSSLError, "SSL_CTX_set_max_proto_version");
-#else
-    {
-	unsigned long sum = 0, opts = 0;
-	int i;
-	static const struct {
-	    int ver;
-	    unsigned long opts;
-	} options_map[] = {
-	    { SSL2_VERSION, SSL_OP_NO_SSLv2 },
-	    { SSL3_VERSION, SSL_OP_NO_SSLv3 },
-	    { TLS1_VERSION, SSL_OP_NO_TLSv1 },
-	    { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
-	    { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
-# if defined(TLS1_3_VERSION)
-	    { TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },
-# endif
-	};
-
-	for (i = 0; i < numberof(options_map); i++) {
-	    sum |= options_map[i].opts;
-            if ((min && min > options_map[i].ver) ||
-                (max && max < options_map[i].ver)) {
-		opts |= options_map[i].opts;
-            }
-	}
-	SSL_CTX_clear_options(ctx, sum);
-	SSL_CTX_set_options(ctx, opts);
-    }
-#endif
 
     return Qnil;
 }
@@ -335,11 +288,7 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	}
         if (ret != Qtrue) {
             preverify_ok = 0;
-#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
             X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
-#else
-            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
-#endif
         }
     }
 
@@ -361,11 +310,7 @@ ossl_call_session_get_cb(VALUE ary)
 }
 
 static SSL_SESSION *
-#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
 ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
-#else
-ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
-#endif
 {
     VALUE ary, ssl_obj, ret_obj;
     SSL_SESSION *sess;
@@ -1203,12 +1148,7 @@ ossl_sslctx_get_security_level(VALUE self)
 
     GetSSLCTX(self, ctx);
 
-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
     return INT2NUM(SSL_CTX_get_security_level(ctx));
-#else
-    (void)ctx;
-    return INT2FIX(0);
-#endif
 }
 
 /*
@@ -1238,14 +1178,7 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value)
     rb_check_frozen(self);
     GetSSLCTX(self, ctx);
 
-#if defined(HAVE_SSL_CTX_GET_SECURITY_LEVEL)
     SSL_CTX_set_security_level(ctx, NUM2INT(value));
-#else
-    (void)ctx;
-    if (NUM2INT(value) != 0)
-	ossl_raise(rb_eNotImpError, "setting security level to other than 0 is "
-		   "not supported in this version of OpenSSL");
-#endif
 
     return value;
 }

ext/openssl/ossl_ts.c

@@ -620,14 +620,7 @@ ossl_ts_resp_get_failure_info(VALUE self)
 {
     TS_RESP *resp;
     TS_STATUS_INFO *si;
-
-    /* The ASN1_BIT_STRING_get_bit changed from 1.0.0. to 1.1.0, making this
-     * const. */
-    #if defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
     const ASN1_BIT_STRING *fi;
-    #else
-    ASN1_BIT_STRING *fi;
-    #endif
 
     GetTSResponse(self, resp);
     si = TS_RESP_get_status_info(resp);

ext/openssl/ossl_x509.c

@@ -48,9 +48,7 @@ Init_ossl_x509(void)
 
     /* Certificate verification error code */
     DefX509Const(V_OK);
-#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
     DefX509Const(V_ERR_UNSPECIFIED);
-#endif
     DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
     DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
     DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
@@ -104,10 +102,10 @@ Init_ossl_x509(void)
     DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
     DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
     DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
-#if defined(X509_V_ERR_PATH_LOOP)
+#if defined(X509_V_ERR_PATH_LOOP) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_PATH_LOOP);
 #endif
-#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
     DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
     DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
@@ -118,24 +116,18 @@ Init_ossl_x509(void)
     DefX509Const(V_ERR_HOSTNAME_MISMATCH);
     DefX509Const(V_ERR_EMAIL_MISMATCH);
     DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
-#if defined(X509_V_ERR_DANE_NO_MATCH)
+#if defined(X509_V_ERR_DANE_NO_MATCH) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_DANE_NO_MATCH);
 #endif
-#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
     DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
     DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
     DefX509Const(V_ERR_CA_MD_TOO_WEAK);
-#endif
-#if defined(X509_V_ERR_INVALID_CALL)
     DefX509Const(V_ERR_INVALID_CALL);
-#endif
-#if defined(X509_V_ERR_STORE_LOOKUP)
     DefX509Const(V_ERR_STORE_LOOKUP);
-#endif
-#if defined(X509_V_ERR_NO_VALID_SCTS)
+#if defined(X509_V_ERR_NO_VALID_SCTS) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_NO_VALID_SCTS);
 #endif
-#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
 #endif
 #if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
@@ -189,17 +181,13 @@ Init_ossl_x509(void)
      * certificate chain, search the Store first for the issuer certificate.
      * Enabled by default in OpenSSL >= 1.1.0. */
     DefX509Const(V_FLAG_TRUSTED_FIRST);
-#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
+#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY) /* OpenSSL 1.1.0, missing in LibreSSL */
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 128 bit only mode. */
     DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
-#endif
-#if defined(X509_V_FLAG_SUITEB_192_LOS)
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 192 bit only mode. */
     DefX509Const(V_FLAG_SUITEB_192_LOS);
-#endif
-#if defined(X509_V_FLAG_SUITEB_128_LOS)
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
     DefX509Const(V_FLAG_SUITEB_128_LOS);
@@ -207,17 +195,13 @@ Init_ossl_x509(void)
     /* Set by Store#flags= and StoreContext#flags=.
      * Allows partial chains if at least one certificate is in trusted store. */
     DefX509Const(V_FLAG_PARTIAL_CHAIN);
-#if defined(X509_V_FLAG_NO_ALT_CHAINS)
     /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
      * a alternative chain. No effect in OpenSSL >= 1.1.0. */
     DefX509Const(V_FLAG_NO_ALT_CHAINS);
-#endif
-#if defined(X509_V_FLAG_NO_CHECK_TIME)
     /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
      * validity period of certificates and CRLs. No effect when the current
      * time is explicitly set by Store#time= or StoreContext#time=. */
     DefX509Const(V_FLAG_NO_CHECK_TIME);
-#endif
 
     /* Set by Store#purpose=. SSL/TLS client. */
     DefX509Const(PURPOSE_SSL_CLIENT);

ext/openssl/ossl_x509ext.c

@@ -230,11 +230,7 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
     conf = NIL_P(rconf) ? NULL : GetConfig(rconf);
     X509V3_set_nconf(ctx, conf);
 
-#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL
     ext = X509V3_EXT_nconf(conf, ctx, oid_cstr, RSTRING_PTR(valstr));
-#else
-    ext = X509V3_EXT_nconf(conf, ctx, (char *)oid_cstr, RSTRING_PTR(valstr));
-#endif
     X509V3_set_ctx_nodb(ctx);
     if (!ext){
 	ossl_raise(eX509ExtError, "%"PRIsVALUE" = %"PRIsVALUE, oid, valstr);

ext/openssl/ossl_x509store.c

@@ -212,10 +212,6 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
     GetX509Store(self, store);
     if (argc != 0)
         rb_warn("OpenSSL::X509::Store.new does not take any arguments");
-#if !defined(HAVE_OPAQUE_OPENSSL)
-    /* [Bug #405] [Bug #1678] [Bug #3000]; already fixed? */
-    store->ex_data.sk = NULL;
-#endif
     X509_STORE_set_verify_cb(store, x509store_verify_cb);
     ossl_x509store_set_vfy_cb(self, Qnil);
 
@@ -332,11 +328,7 @@ ossl_x509store_set_time(VALUE self, VALUE time)
     X509_VERIFY_PARAM *param;
 
     GetX509Store(self, store);
-#ifdef HAVE_X509_STORE_GET0_PARAM
     param = X509_STORE_get0_param(store);
-#else
-    param = store->param;
-#endif
     X509_VERIFY_PARAM_set_time(param, NUM2LONG(rb_Integer(time)));
     return time;
 }

test/openssl/test_kdf.rb

@@ -132,7 +132,6 @@ class OpenSSL::TestKDF < OpenSSL::TestCase
   end
 
   def test_hkdf_rfc5869_test_case_1
-    pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0
     hash = "sha256"
     ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
     salt = B("000102030405060708090a0b0c")
@@ -146,7 +145,6 @@ class OpenSSL::TestKDF < OpenSSL::TestCase
   end
 
   def test_hkdf_rfc5869_test_case_3
-    pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0
     hash = "sha256"
     ikm = B("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
     salt = B("")
@@ -160,7 +158,6 @@ class OpenSSL::TestKDF < OpenSSL::TestCase
   end
 
   def test_hkdf_rfc5869_test_case_4
-    pend "HKDF is not implemented" unless OpenSSL::KDF.respond_to?(:hkdf) # OpenSSL >= 1.1.0
     hash = "sha1"
     ikm = B("0b0b0b0b0b0b0b0b0b0b0b")
     salt = B("000102030405060708090a0b0c")

test/openssl/test_pkey.rb

@@ -11,7 +11,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
   end
 
   def test_generic_oid_inspect_x25519
-    omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0)
     omit_on_fips
 
     # X25519 private key
@@ -136,7 +135,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
   end
 
   def test_x25519
-    omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0)
     omit_on_fips
 
     # Test vector from RFC 7748 Section 6.1

test/openssl/test_x509store.rb

@@ -329,15 +329,12 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
   end
 
   def test_add_cert_duplicate
-    # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error
-    # if the given certificate is already in the X509_STORE
-    return unless openssl? && !openssl?(1, 1, 0)
     ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA")
     ca1_key = Fixtures.pkey("rsa-1")
     ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil)
     store = OpenSSL::X509::Store.new
     store.add_cert(ca1_cert)
-    assert_raise(OpenSSL::X509::StoreError){
+    assert_nothing_raised {
       store.add_cert(ca1_cert)  # add same certificate twice
     }
 
@@ -349,7 +346,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
     crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
                      ca1_cert, ca1_key, "sha256")
     store.add_crl(crl1)
-    assert_raise(OpenSSL::X509::StoreError){
+    assert_nothing_raised {
       store.add_crl(crl2) # add CRL issued by same CA twice.
     }
   end