diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2022-10-17 17:33:37 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2022-12-23 09:39:15 +0900 |
commit | dd6f3276e07f8f731a3bbcbdd58525ee6dd6581e (patch) | |
tree | f06e671a3a52a541ede19d229281e356eda82451 | |
parent | d6c16dd3e67ea5aa58a2f17dc8aa8aa977ded99a (diff) |
[ruby/openssl] ssl: disable NPN support on LibreSSL
As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.
Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.
NPN is less relevant today anyway. Let's also silence test suite when
it's not available.
https://github.com/ruby/openssl/commit/289f6e0e1f
-rw-r--r-- | ext/openssl/ossl_ssl.c | 14 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 20 |
2 files changed, 14 insertions, 20 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 0c4ea37431..849bf3440f 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -13,6 +13,10 @@ #define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0])) +#if !defined(OPENSSL_NO_NEXTPROTONEG) && !OSSL_IS_LIBRESSL +# define OSSL_USE_NEXTPROTONEG +#endif + #if !defined(TLS1_3_VERSION) && \ OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0) # define TLS1_3_VERSION 0x0304 @@ -702,7 +706,7 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out, return SSL_TLSEXT_ERR_OK; } -#ifndef OPENSSL_NO_NEXTPROTONEG +#ifdef OSSL_USE_NEXTPROTONEG static int ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg) @@ -899,7 +903,7 @@ ossl_sslctx_setup(VALUE self) val = rb_attr_get(self, id_i_verify_depth); if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2INT(val)); -#ifndef OPENSSL_NO_NEXTPROTONEG +#ifdef OSSL_USE_NEXTPROTONEG val = rb_attr_get(self, id_i_npn_protocols); if (!NIL_P(val)) { VALUE encoded = ssl_encode_npn_protocols(val); @@ -2445,7 +2449,7 @@ ossl_ssl_get_client_ca_list(VALUE self) return ossl_x509name_sk2ary(ca); } -# ifndef OPENSSL_NO_NEXTPROTONEG +# ifdef OSSL_USE_NEXTPROTONEG /* * call-seq: * ssl.npn_protocol => String | nil @@ -2781,7 +2785,7 @@ Init_ossl_ssl(void) * end */ rb_attr(cSSLContext, rb_intern_const("renegotiation_cb"), 1, 1, Qfalse); -#ifndef OPENSSL_NO_NEXTPROTONEG +#ifdef OSSL_USE_NEXTPROTONEG /* * An Enumerable of Strings. Each String represents a protocol to be * advertised as the list of supported protocols for Next Protocol @@ -2987,7 +2991,7 @@ Init_ossl_ssl(void) rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); rb_define_method(cSSLSocket, "export_keying_material", ossl_ssl_export_keying_material, -1); -# ifndef OPENSSL_NO_NEXTPROTONEG +# ifdef OSSL_USE_NEXTPROTONEG rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0); # endif #endif diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 945cc7c48e..1fa2e691df 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -1379,9 +1379,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_npn_protocol_selection_ary - pend "NPN is not supported" unless \ - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) - pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) + return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) advertised = ["http/1.1", "spdy/2"] ctx_proc = proc { |ctx| ctx.npn_protocols = advertised } @@ -1399,9 +1397,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_npn_protocol_selection_enum - pend "NPN is not supported" unless \ - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) - pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) + return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) advertised = Object.new def advertised.each @@ -1423,9 +1419,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_npn_protocol_selection_cancel - pend "NPN is not supported" unless \ - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) - pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) + return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] } start_server_version(:TLSv1_2, ctx_proc) { |port| @@ -1436,9 +1430,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_npn_advertised_protocol_too_long - pend "NPN is not supported" unless \ - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) - pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) + return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["a" * 256] } start_server_version(:TLSv1_2, ctx_proc) { |port| @@ -1449,9 +1441,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_npn_selected_protocol_too_long - pend "NPN is not supported" unless \ - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) - pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) + return unless OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) ctx_proc = Proc.new { |ctx| ctx.npn_protocols = ["http/1.1"] } start_server_version(:TLSv1_2, ctx_proc) { |port| |