summaryrefslogtreecommitdiff
path: root/ext/openssl
diff options
context:
space:
mode:
authorKazuki Yamaguchi <k@rhe.jp>2020-08-04 23:14:44 +0900
committerKazuki Yamaguchi <k@rhe.jp>2021-07-18 17:44:41 +0900
commitcd002305f0db447b47b54b93e1ecb3c666d37c06 (patch)
treeda28b58337630ed2d37ca6a22667ef0bb2ebf044 /ext/openssl
parentdecce40da7ee5180a4093f794eacc1dc5fe8e814 (diff)
[ruby/openssl] require OpenSSL >= 1.0.2 and LibreSSL >= 3.1
Clean up old version guards in preparation for the upcoming OpenSSL 3.0 support. OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided to keep 1.0.1 support because many major Linux distributions were still shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions are reaching their EOL and it should be safe to assume nobody uses them anymore. Major ones that were using 1.0.1: - Ubuntu 14.04 is EOL since 2019-04-30 - RHEL 6 will reach EOL on 2020-11-30 LibreSSL 3.0 and older versions are no longer supported by the LibreSSL team as of October 2020. Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also did on 2018-08-31. https://github.com/ruby/openssl/commit/c055938f4b
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/extconf.rb55
-rw-r--r--ext/openssl/openssl_missing.c37
-rw-r--r--ext/openssl/openssl_missing.h24
-rw-r--r--ext/openssl/ossl_ocsp.c48
-rw-r--r--ext/openssl/ossl_ssl.c128
-rw-r--r--ext/openssl/ossl_ts.c9
-rw-r--r--ext/openssl/ossl_x509.c6
7 files changed, 35 insertions, 272 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index d5e0470ce80..73a4cdc3b27 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -33,9 +33,6 @@ if $mswin || $mingw
have_library("ws2_32")
end
-Logging::message "=== Checking for required stuff... ===\n"
-result = pkg_config("openssl") && have_header("openssl/ssl.h")
-
if $mingw
append_cflags '-D_FORTIFY_SOURCE=2'
append_ldflags '-fstack-protector'
@@ -92,19 +89,32 @@ def find_openssl_library
return false
end
-unless result
- unless find_openssl_library
- Logging::message "=== Checking for required stuff failed. ===\n"
- Logging::message "Makefile wasn't created. Fix the errors above.\n"
- raise "OpenSSL library could not be found. You might want to use " \
- "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
- "is installed."
- end
+Logging::message "=== Checking for required stuff... ===\n"
+pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
+
+if !pkg_config_found && !find_openssl_library
+ Logging::message "=== Checking for required stuff failed. ===\n"
+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
+ raise "OpenSSL library could not be found. You might want to use " \
+ "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
+ "is installed."
+end
+
+version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
+ is_libressl = true
+ checking_for("LibreSSL version >= 3.1.0") {
+ try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
+else
+ checking_for("OpenSSL version >= 1.0.2") {
+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
+end
+unless version_ok
+ raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
end
-unless checking_for("OpenSSL version is 1.0.1 or later") {
- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
- raise "OpenSSL >= 1.0.1 or LibreSSL is required"
+# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
+if is_libressl && ($mswin || $mingw)
+ $defs.push("-DNOCRYPT")
end
Logging::message "=== Checking for OpenSSL features... ===\n"
@@ -116,23 +126,8 @@ engines.each { |name|
have_func("ENGINE_load_#{name}()", "openssl/engine.h")
}
-if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
- $defs.push("-DNOCRYPT")
-end
-
-# added in 1.0.2
-have_func("EC_curve_nist2nid")
-have_func("X509_REVOKED_dup")
-have_func("X509_STORE_CTX_get0_store")
-have_func("SSL_CTX_set_alpn_select_cb")
-have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_is_server")
-
# added in 1.1.0
-if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
- try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
$defs.push("-DHAVE_OPAQUE_OPENSSL")
end
have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 010c158dc14..8b93cba6d42 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -17,43 +17,6 @@
#include "openssl_missing.h"
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-static struct {
- const char *name;
- int nid;
-} nist_curves[] = {
- {"B-163", NID_sect163r2},
- {"B-233", NID_sect233r1},
- {"B-283", NID_sect283r1},
- {"B-409", NID_sect409r1},
- {"B-571", NID_sect571r1},
- {"K-163", NID_sect163k1},
- {"K-233", NID_sect233k1},
- {"K-283", NID_sect283k1},
- {"K-409", NID_sect409k1},
- {"K-571", NID_sect571k1},
- {"P-192", NID_X9_62_prime192v1},
- {"P-224", NID_secp224r1},
- {"P-256", NID_X9_62_prime256v1},
- {"P-384", NID_secp384r1},
- {"P-521", NID_secp521r1}
-};
-
-int
-ossl_EC_curve_nist2nid(const char *name)
-{
- size_t i;
- for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
- if (!strcmp(nist_curves[i].name, name))
- return nist_curves[i].nid;
- }
- return NID_undef;
-}
-#endif
-#endif
-
/*** added in 1.1.0 ***/
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 06d2a9082f5..5586f96561a 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -12,27 +12,6 @@
#include "ruby/config.h"
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-int ossl_EC_curve_nist2nid(const char *);
-# define EC_curve_nist2nid ossl_EC_curve_nist2nid
-#endif
-#endif
-
-#if !defined(HAVE_X509_REVOKED_DUP)
-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
- (d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
-# define X509_STORE_CTX_get0_store(x) ((x)->ctx)
-#endif
-
-#if !defined(HAVE_SSL_IS_SERVER)
-# define SSL_is_server(s) ((s)->server)
-#endif
-
/* added in 1.1.0 */
#if !defined(HAVE_BN_GENCB_NEW)
# define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
@@ -141,8 +120,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
#endif
-#if !defined(HAVE_OPAQUE_OPENSSL) && \
- (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+#if !defined(HAVE_OPAQUE_OPENSSL)
#define IMPL_PKEY_GETTER(_type, _name) \
static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
return pkey->pkey._name; }
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 0ade7adde7b..c9b02a1752c 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -1069,55 +1069,7 @@ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
-#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER)
- /*
- * OpenSSL had a bug that it doesn't use the certificates in x509s for
- * verifying the chain. This can be a problem when the response is signed by
- * a certificate issued by an intermediate CA.
- *
- * root_ca
- * |
- * intermediate_ca
- * |-------------|
- * end_entity ocsp_signer
- *
- * When the certificate hierarchy is like this, and the response contains
- * only ocsp_signer certificate, the following code wrongly fails.
- *
- * store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
- * basic_response.verify([intermediate_ca], store)
- *
- * So add the certificates in x509s to the embedded certificates list first.
- *
- * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still
- * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1.
- */
- if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) &&
- sk_X509_num(x509s) && sk_X509_num(bs->certs)) {
- int i;
-
- bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs);
- if (!bs) {
- sk_X509_pop_free(x509s, X509_free);
- ossl_raise(eOCSPError, "ASN1_item_dup");
- }
-
- for (i = 0; i < sk_X509_num(x509s); i++) {
- if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) {
- sk_X509_pop_free(x509s, X509_free);
- OCSP_BASICRESP_free(bs);
- ossl_raise(eOCSPError, "OCSP_basic_add1_cert");
- }
- }
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
- OCSP_BASICRESP_free(bs);
- }
- else {
- result = OCSP_basic_verify(bs, x509s, x509st, flg);
- }
-#else
result = OCSP_basic_verify(bs, x509s, x509st, flg);
-#endif
sk_X509_pop_free(x509s, X509_free);
if (result <= 0)
ossl_clear_error();
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 0511579d7bf..2174b65b55d 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -55,19 +55,11 @@ static ID id_i_io, id_i_context, id_i_hostname;
static int ossl_ssl_ex_vcb_idx;
static int ossl_ssl_ex_ptr_idx;
static int ossl_sslctx_ex_ptr_idx;
-#if !defined(HAVE_X509_STORE_UP_REF)
-static int ossl_sslctx_ex_store_p;
-#endif
static void
ossl_sslctx_free(void *ptr)
{
- SSL_CTX *ctx = ptr;
-#if !defined(HAVE_X509_STORE_UP_REF)
- if (ctx && SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_store_p))
- ctx->cert_store = NULL;
-#endif
- SSL_CTX_free(ctx);
+ SSL_CTX_free(ptr);
}
static const rb_data_type_t ossl_sslctx_type = {
@@ -101,7 +93,7 @@ ossl_sslctx_s_alloc(VALUE klass)
RTYPEDDATA_DATA(obj) = ctx;
SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
-#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
+#if !defined(OPENSSL_NO_EC)
/* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
* allows to specify multiple curve names and OpenSSL will select
* automatically from them. In OpenSSL 1.0.2, the automatic selection has to
@@ -363,7 +355,7 @@ ossl_call_session_get_cb(VALUE ary)
}
static SSL_SESSION *
-#if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f)
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000
ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy)
#else
ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy)
@@ -572,8 +564,6 @@ ssl_renegotiation_cb(const SSL *ssl)
rb_funcallv(cb, id_call, 1, &ssl_obj);
}
-#if !defined(OPENSSL_NO_NEXTPROTONEG) || \
- defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
static VALUE
ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded))
{
@@ -655,7 +645,6 @@ ssl_npn_select_cb_common(SSL *ssl, VALUE cb, const unsigned char **out,
return SSL_TLSEXT_ERR_OK;
}
-#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
static int
@@ -684,7 +673,6 @@ ssl_npn_select_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
}
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
static int
ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg)
@@ -696,7 +684,6 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen);
}
-#endif
/* This function may serve as the entry point to support further callbacks. */
static void
@@ -781,17 +768,7 @@ ossl_sslctx_setup(VALUE self)
if (!NIL_P(val)) {
X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
SSL_CTX_set_cert_store(ctx, store);
-#if !defined(HAVE_X509_STORE_UP_REF)
- /*
- * WORKAROUND:
- * X509_STORE can count references, but
- * X509_STORE_free() doesn't care it.
- * So we won't increment it but mark it by ex_data.
- */
- SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx);
-#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */
X509_STORE_up_ref(store);
-#endif
}
val = rb_attr_get(self, id_i_extra_chain_cert);
@@ -873,7 +850,6 @@ ossl_sslctx_setup(VALUE self)
}
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
val = rb_attr_get(self, id_i_alpn_protocols);
if (!NIL_P(val)) {
VALUE rprotos = ssl_encode_npn_protocols(val);
@@ -888,7 +864,6 @@ ossl_sslctx_setup(VALUE self)
SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self);
OSSL_Debug("SSL ALPN select callback added");
}
-#endif
rb_obj_freeze(self);
@@ -1021,9 +996,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
* Extension. For a server, the list is used by OpenSSL to determine the set of
* shared curves. OpenSSL will pick the most appropriate one from it.
*
- * Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve
- * can be set, and this has no effect for TLS clients.
- *
* === Example
* ctx1 = OpenSSL::SSL::SSLContext.new
* ctx1.ecdh_curves = "X25519:P-256:P-224"
@@ -1047,48 +1019,8 @@ ossl_sslctx_set_ecdh_curves(VALUE self, VALUE arg)
GetSSLCTX(self, ctx);
StringValueCStr(arg);
-#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST)
if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg)))
ossl_raise(eSSLError, NULL);
-#else
- /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to
- * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */
- {
- VALUE curve, splitted;
- EC_KEY *ec;
- int nid;
-
- splitted = rb_str_split(arg, ":");
- if (!RARRAY_LEN(splitted))
- ossl_raise(eSSLError, "invalid input format");
- curve = RARRAY_AREF(splitted, 0);
- StringValueCStr(curve);
-
- /* SSL_CTX_set1_curves_list() accepts NIST names */
- nid = EC_curve_nist2nid(RSTRING_PTR(curve));
- if (nid == NID_undef)
- nid = OBJ_txt2nid(RSTRING_PTR(curve));
- if (nid == NID_undef)
- ossl_raise(eSSLError, "unknown curve name");
-
- ec = EC_KEY_new_by_curve_name(nid);
- if (!ec)
- ossl_raise(eSSLError, NULL);
- EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
- if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) {
- EC_KEY_free(ec);
- ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh");
- }
- EC_KEY_free(ec);
-# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO)
- /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto
- * is enabled. So disable ecdh_auto. */
- if (!SSL_CTX_set_ecdh_auto(ctx, 0))
- ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
-# endif
- }
-#endif
-
return arg;
}
#else
@@ -1211,10 +1143,6 @@ ossl_sslctx_enable_fallback_scsv(VALUE self)
* ecdsa_pkey = ...
* another_ca_cert = ...
* ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
- *
- * === Note
- * OpenSSL before the version 1.0.2 could handle only one extra chain across
- * all key types. Calling this method discards the chain set previously.
*/
static VALUE
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
@@ -1253,34 +1181,9 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
sk_X509_pop_free(extra_chain, X509_free);
ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
}
-
- if (extra_chain) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000 && !defined(LIBRESSL_VERSION_NUMBER)
- if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
- sk_X509_pop_free(extra_chain, X509_free);
- ossl_raise(eSSLError, "SSL_CTX_set0_chain");
- }
-#else
- STACK_OF(X509) *orig_extra_chain;
- X509 *x509_tmp;
-
- /* First, clear the existing chain */
- SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
- if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
- rb_warning("SSL_CTX_set0_chain() is not available; " \
- "clearing previously set certificate chain");
- SSL_CTX_clear_extra_chain_certs(ctx);
- }
- while ((x509_tmp = sk_X509_shift(extra_chain))) {
- /* Transfers ownership */
- if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
- X509_free(x509_tmp);
- sk_X509_pop_free(extra_chain, X509_free);
- ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
- }
- }
- sk_X509_free(extra_chain);
-#endif
+ if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) {
+ sk_X509_pop_free(extra_chain, X509_free);
+ ossl_raise(eSSLError, "SSL_CTX_set0_chain");
}
return self;
}
@@ -2381,7 +2284,6 @@ ossl_ssl_npn_protocol(VALUE self)
}
# endif
-# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* call-seq:
* ssl.alpn_protocol => String | nil
@@ -2404,9 +2306,7 @@ ossl_ssl_alpn_protocol(VALUE self)
else
return rb_str_new((const char *) out, outlen);
}
-# endif
-# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
/*
* call-seq:
* ssl.tmp_key => PKey or nil
@@ -2424,7 +2324,6 @@ ossl_ssl_tmp_key(VALUE self)
return Qnil;
return ossl_pkey_new(key);
}
-# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */
#endif /* !defined(OPENSSL_NO_SOCK) */
void
@@ -2449,11 +2348,6 @@ Init_ossl_ssl(void)
ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0);
if (ossl_sslctx_ex_ptr_idx < 0)
ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
-#if !defined(HAVE_X509_STORE_UP_REF)
- ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0);
- if (ossl_sslctx_ex_store_p < 0)
- ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index");
-#endif
/* Document-module: OpenSSL::SSL
*
@@ -2690,7 +2584,6 @@ Init_ossl_ssl(void)
rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse);
#endif
-#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
/*
* An Enumerable of Strings. Each String represents a protocol to be
* advertised as the list of supported protocols for Application-Layer
@@ -2720,7 +2613,6 @@ Init_ossl_ssl(void)
* end
*/
rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse);
-#endif
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
@@ -2834,12 +2726,8 @@ Init_ossl_ssl(void)
rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0);
rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0);
-# ifdef HAVE_SSL_GET_SERVER_TMP_KEY
rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
-# endif
-# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0);
-# endif
# ifndef OPENSSL_NO_NEXTPROTONEG
rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0);
# endif
@@ -2852,12 +2740,8 @@ Init_ossl_ssl(void)
rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
-#ifdef SSL_OP_TLSEXT_PADDING /* OpenSSL 1.0.1h and OpenSSL 1.0.2 */
rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
-#endif
-#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG /* OpenSSL 1.0.1f and OpenSSL 1.0.2 */
rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
-#endif
#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
#endif
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
index 9450e435e0b..4654babfcf9 100644
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@@ -821,12 +821,9 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
TS_VERIFY_CTX_set_store(ctx, x509st);
ok = TS_RESP_verify_response(ctx, resp);
-
- /* WORKAROUND:
- * X509_STORE can count references, but X509_STORE_free() doesn't check
- * this. To prevent our X509_STORE from being freed with our
- * TS_VERIFY_CTX we set the store to NULL first.
- * Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2)
+ /*
+ * TS_VERIFY_CTX_set_store() call above does not increment the reference
+ * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
*/
TS_VERIFY_CTX_set_store(ctx, NULL);
TS_VERIFY_CTX_free(ctx);
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index 4fc06486148..f8470703fcd 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -115,11 +115,9 @@ Init_ossl_x509(void)
DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
#endif
-#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
DefX509Const(V_ERR_HOSTNAME_MISMATCH);
DefX509Const(V_ERR_EMAIL_MISMATCH);
DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
-#endif
#if defined(X509_V_ERR_DANE_NO_MATCH)
DefX509Const(V_ERR_DANE_NO_MATCH);
#endif
@@ -187,12 +185,10 @@ Init_ossl_x509(void)
/* Set by Store#flags= and StoreContext#flags=. Enables checking of the
* signature of the root self-signed CA. */
DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
-#if defined(X509_V_FLAG_TRUSTED_FIRST)
/* Set by Store#flags= and StoreContext#flags=. When constructing a
* certificate chain, search the Store first for the issuer certificate.
* Enabled by default in OpenSSL >= 1.1.0. */
DefX509Const(V_FLAG_TRUSTED_FIRST);
-#endif
#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
/* Set by Store#flags= and StoreContext#flags=.
* Enables Suite B 128 bit only mode. */
@@ -208,11 +204,9 @@ Init_ossl_x509(void)
* Enables Suite B 128 bit mode allowing 192 bit algorithms. */
DefX509Const(V_FLAG_SUITEB_128_LOS);
#endif
-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
/* Set by Store#flags= and StoreContext#flags=.
* Allows partial chains if at least one certificate is in trusted store. */
DefX509Const(V_FLAG_PARTIAL_CHAIN);
-#endif
#if defined(X509_V_FLAG_NO_ALT_CHAINS)
/* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
* a alternative chain. No effect in OpenSSL >= 1.1.0. */