[ruby/openssl] ssl: disable NPN support on LibreSSL
As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence the test suite when it's not available. https://github.com/ruby/openssl/commit/289f6e0e1f
This commit is contained in:
parent
d6c16dd3e6
commit
dd6f3276e0
@ -13,6 +13,10 @@
|
|||||||
|
|
||||||
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
|
||||||
|
|
||||||
|
#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL
|
||||||
|
# define OSSL_USE_NEXTPROTONEG
|
||||||
|
#endif
|
||||||
|
|
||||||
#if !defined(TLS1_3_VERSION) && \
|
#if !defined(TLS1_3_VERSION) && \
|
||||||
OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0)
|
||||||
# define TLS1_3_VERSION 0x0304
|
# define TLS1_3_VERSION 0x0304
|
||||||
@ -702,7 +706,7 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
|
|||||||
return SSL_TLSEXT_ERR_OK;
|
return SSL_TLSEXT_ERR_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
#ifdef OSSL_USE_NEXTPROTONEG
|
||||||
static int
|
static int
|
||||||
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,
|
||||||
void *arg)
|
void *arg)
|
||||||
@ -899,7 +903,7 @@ ossl_sslctx_setup(VALUE self)
|
|||||||
val = rb_attr_get(self, id_i_verify_depth);
|
val = rb_attr_get(self, id_i_verify_depth);
|
||||||
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
|
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val));
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
#ifdef OSSL_USE_NEXTPROTONEG
|
||||||
val = rb_attr_get(self, id_i_npn_protocols);
|
val = rb_attr_get(self, id_i_npn_protocols);
|
||||||
if (!NIL_P(val)) {
|
if (!NIL_P(val)) {
|
||||||
VALUE encoded = ssl_encode_npn_protocols(val);
|
VALUE encoded = ssl_encode_npn_protocols(val);
|
||||||
@ -2445,7 +2449,7 @@ ossl_ssl_get_client_ca_list(VALUE self)
|
|||||||
return ossl_x509name_sk2ary(ca);
|
return ossl_x509name_sk2ary(ca);
|
||||||
}
|
}
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
# ifdef OSSL_USE_NEXTPROTONEG
|
||||||
/*
|
/*
|
||||||
* call-seq:
|
* call-seq:
|
||||||
* ssl.npn_protocol => String | nil
|
* ssl.npn_protocol => String | nil
|
||||||
@ -2781,7 +2785,7 @@ Init_ossl_ssl(void)
|
|||||||
* end
|
* end
|
||||||
*/
|
*/
|
||||||
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse);
|
||||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
#ifdef OSSL_USE_NEXTPROTONEG
|
||||||
/*
|
/*
|
||||||
* An Enumerable of Strings. Each String represents a protocol to be
|
* An Enumerable of Strings. Each String represents a protocol to be
|
||||||
* advertised as the list of supported protocols for Next Protocol
|
* advertised as the list of supported protocols for Next Protocol
|
||||||
@ -2987,7 +2991,7 @@ Init_ossl_ssl(void)
|
|||||||
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
|
||||||
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
|
||||||
rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
|
rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1);
|
||||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
# ifdef OSSL_USE_NEXTPROTONEG
|
||||||
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
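Review bot: The new gate `#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL` in the first hunk evaluates `OSSL_IS_LIBRESSL` as an integer, so if that macro is ever not defined at this point (include-order change, header refactor) the preprocessor silently treats it as 0 and NPN is re-enabled on LibreSSL — the exact outcome the commit is meant to rule out, and only `-Wundef` would notice. I would record the reason and make the dependency explicit, e.g. precede the `#if` with `/* NPN is known to be broken on LibreSSL; keep it off there even when OPENSSL_NO_NEXTPROTONEG is not defined */` and, unless the project's headers already guarantee the macro, add `#if !defined(OSSL_IS_LIBRESSL)` / `# error "OSSL_IS_LIBRESSL must be defined before this point"` / `#endif` ahead of it. The remaining hunks switch the NPN advertise callback, context setup, accessor and method registration from `OPENSSL_NO_NEXTPROTONEG` to `OSSL_USE_NEXTPROTONEG` consistently, which looks complete for this file; `ssl_npn_select_cb_common` closes just before the guard at the top of the second hunk and so stays compiled on LibreSSL, which is fine if it is shared with the ALPN path as its placement suggests, but would become an unused static function there otherwise. Other translation units that may also test `OPENSSL_NO_NEXTPROTONEG` are not visible here.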
@ -1379,9 +1379,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_npn_protocol_selection_ary
|
def test_npn_protocol_selection_ary
|
||||||
pend "NPN is not supported" unless \
|
return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
||||||
OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
|
||||||
pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1)
|
|
||||||
|
|
||||||
advertised = ["http/1.1", "spdy/2"]
|
advertised = ["http/1.1", "spdy/2"]
|
||||||
ctx_proc = proc { |ctx| ctx.npn_protocols = advertised }
|
ctx_proc = proc { |ctx| ctx.npn_protocols = advertised }
|
||||||
@ -1399,9 +1397,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_npn_protocol_selection_enum
|
def test_npn_protocol_selection_enum
|
||||||
pend "NPN is not supported" unless \
|
return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
||||||
OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
|
||||||
pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1)
|
|
||||||
|
|
||||||
advertised = Object.new
|
advertised = Object.new
|
||||||
def advertised.each
|
def advertised.each
|
||||||
@ -1423,9 +1419,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_npn_protocol_selection_cancel
|
def test_npn_protocol_selection_cancel
|
||||||
pend "NPN is not supported" unless \
|
return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
||||||
OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
|
||||||
pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1)
|
|
||||||
|
|
||||||
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
|
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
|
||||||
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
||||||
@ -1436,9 +1430,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_npn_advertised_protocol_too_long
|
def test_npn_advertised_protocol_too_long
|
||||||
pend "NPN is not supported" unless \
|
return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
||||||
OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
|
||||||
pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1)
|
|
||||||
|
|
||||||
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["a" * 256] }
|
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["a" * 256] }
|
||||||
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
||||||
@ -1449,9 +1441,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_npn_selected_protocol_too_long
|
def test_npn_selected_protocol_too_long
|
||||||
pend "NPN is not supported" unless \
|
return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
||||||
OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)
|
|
||||||
pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1)
|
|
||||||
|
|
||||||
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
|
ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] }
|
||||||
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
start_server_version(:TLSv1_2, ctx_proc) { |port|
|
||||||
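Review bot: All five tests now open with the same bare `return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)`, which makes them pass vacuously on builds without NPN and leaves no trace in the report of why; on a green LibreSSL run a reader cannot tell whether the bound checks in `test_npn_advertised_protocol_too_long` and `test_npn_selected_protocol_too_long` executed at all. If silencing is the intended outcome, I would at least centralise the predicate so the intent is stated once: a private helper `def npn_supported?` / `  OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb)` / `end` preceded by `# NPN is compiled out on LibreSSL and whenever OPENSSL_NO_NEXTPROTONEG is set`, with each test reduced to `return unless npn_supported?`. Alternatively a single `omit "NPN is not supported by this build"` keeps the skip visible in the test summary without failing the run, which is closer to what the removed `pend` gave. The enclosing class continues outside these hunks.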
|