diff options
| author | Kazuki Yamaguchi <[email protected]> | 2025-01-08 01:55:56 +0900 |
|---|---|---|
| committer | git <[email protected]> | 2025-01-14 12:38:16 +0000 |
| commit | 0fb64bda9bf16c36de3c4ca5f9d3aa8da5d39ee2 (patch) | |
| tree | fa94c34070910983bbf0d00a71ef6d9e08a5a4dc | |
| parent | 4f79485889bc9c782474c9dd32d5b916376fd0ec (diff) | |
[ruby/openssl] Require LibreSSL 3.9 or later
Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in
2024-10.
https://github.com/ruby/openssl/commit/f33d611f9f
| -rw-r--r-- | ext/openssl/extconf.rb | 9 | ||||
| -rw-r--r-- | ext/openssl/ossl_kdf.c | 6 | ||||
| -rw-r--r-- | ext/openssl/ossl_pkey.c | 6 | ||||
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 5 | ||||
| -rw-r--r-- | ext/openssl/ossl_x509cert.c | 4 | ||||
| -rw-r--r-- | ext/openssl/ossl_x509store.c | 4 | ||||
| -rw-r--r-- | test/openssl/test_pkey.rb | 11 | ||||
| -rw-r--r-- | test/openssl/test_ssl.rb | 23 | ||||
| -rw-r--r-- | test/openssl/test_ssl_session.rb | 2 | ||||
| -rw-r--r-- | test/openssl/test_x509cert.rb | 5 | ||||
| -rw-r--r-- | test/openssl/test_x509crl.rb | 3 | ||||
| -rw-r--r-- | test/openssl/test_x509req.rb | 3 | ||||
| -rw-r--r-- | test/openssl/test_x509store.rb | 2 |
13 files changed, 29 insertions, 54 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index adca064904..48a1680e8d 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -120,14 +120,14 @@ end version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h") is_libressl = true - checking_for("LibreSSL version >= 3.1.0") { - try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") } + checking_for("LibreSSL version >= 3.9.0") { + try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") } else checking_for("OpenSSL version >= 1.0.2") { try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") } end unless version_ok - raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required" + raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.9.0 is required" end # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h @@ -149,9 +149,6 @@ engines.each { |name| have_func("ENGINE_load_#{name}()", "openssl/engine.h") } -# missing in libressl < 3.5 -have_func("i2d_re_X509_tbs(NULL, NULL)", x509_h) - # added in 1.1.0 if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl $defs.push("-DHAVE_OPAQUE_OPENSSL") diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c index ba197a659e..666626dc57 100644 --- a/ext/openssl/ossl_kdf.c +++ b/ext/openssl/ossl_kdf.c @@ -3,7 +3,7 @@ * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors */ #include "ossl.h" -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL # include <openssl/kdf.h> #endif @@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self) } #endif -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL /* * call-seq: * KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String @@ -305,7 +305,7 @@ Init_ossl_kdf(void) #if defined(HAVE_EVP_PBE_SCRYPT) rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1); #endif -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1); #endif } diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 6af2245f39..09036d4b6d 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -799,7 +799,7 @@ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der) } } else { -#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 5, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_IS_LIBRESSL if (!PEM_write_bio_PrivateKey_traditional(bio, pkey, enc, NULL, 0, ossl_pem_passwd_cb, (void *)pass)) { @@ -1116,7 +1116,7 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)) < 1) { EVP_MD_CTX_free(ctx); @@ -1221,7 +1221,7 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self) rb_jump_tag(state); } } -#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_LIBRESSL_PREREQ(3, 4, 0) +#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig), RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data)); diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index fc7bd2deb7..8df7a2c8c9 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -18,11 +18,6 @@ # define OSSL_USE_NEXTPROTONEG #endif -#if !defined(TLS1_3_VERSION) && \ - OSSL_LIBRESSL_PREREQ(3, 2, 0) && !OSSL_LIBRESSL_PREREQ(3, 4, 0) -# define TLS1_3_VERSION 0x0304 -#endif - #ifdef _WIN32 # define TO_SOCKET(s) _get_osfhandle(s) #else diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 4c357f4247..da9344b4e6 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -711,7 +711,6 @@ ossl_x509_eq(VALUE self, VALUE other) return !X509_cmp(a, b) ? Qtrue : Qfalse; } -#ifdef HAVE_I2D_RE_X509_TBS /* * call-seq: * cert.tbs_bytes => string @@ -741,7 +740,6 @@ ossl_x509_tbs_bytes(VALUE self) return str; } -#endif struct load_chained_certificates_arguments { VALUE certificates; @@ -1035,7 +1033,5 @@ Init_ossl_x509cert(void) rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1); rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0); rb_define_method(cX509Cert, "==", ossl_x509_eq, 1); -#ifdef HAVE_I2D_RE_X509_TBS rb_define_method(cX509Cert, "tbs_bytes", ossl_x509_tbs_bytes, 0); -#endif } diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index 214a3057de..c99ed8f4a3 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -365,12 +365,12 @@ ossl_x509store_add_file(VALUE self, VALUE file) ossl_raise(eX509StoreError, "X509_STORE_add_lookup"); if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1) ossl_raise(eX509StoreError, "X509_LOOKUP_load_file"); -#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER) +#if !OSSL_OPENSSL_PREREQ(1, 1, 1) && !OSSL_IS_LIBRESSL /* * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file() * did not check the return value of X509_STORE_add_{cert,crl}(), leaking * "cert already in hash table" errors on the error queue, if duplicate - * certificates are found. This will be fixed by OpenSSL 1.1.1. + * certificates are found. Fixed by OpenSSL 1.1.1 and LibreSSL 3.5.0. */ ossl_clear_error(); #endif diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb index 5fe4a3efc4..f132b65882 100644 --- a/test/openssl/test_pkey.rb +++ b/test/openssl/test_pkey.rb @@ -11,7 +11,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase end def test_generic_oid_inspect_x25519 - omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0) + omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0) omit_on_fips # X25519 private key @@ -85,8 +85,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase def test_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - # See EVP_PKEY_sign in Changelog for 3.7.0: https://github.com/libressl/portable/blob/master/ChangeLog - omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0) + omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) # Test vector from RFC 8032 Section 7.1 TEST 2 priv_pem = <<~EOF @@ -137,7 +136,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase end def test_x25519 - omit "X25519 not supported" unless openssl?(1, 1, 0) || libressl?(3, 7, 0) + omit "X25519 not supported" if openssl? && !openssl?(1, 1, 0) omit_on_fips # Test vector from RFC 7748 Section 6.1 @@ -160,7 +159,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase assert_equal bob_pem, bob.public_to_pem assert_equal [shared_secret].pack("H*"), alice.derive(bob) - unless openssl?(1, 1, 1) || libressl?(3, 7, 0) + if openssl? && !openssl?(1, 1, 1) omit "running OpenSSL version does not have raw public key support" end alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key) @@ -176,7 +175,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase end def test_raw_initialize_errors - omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 7, 0) + omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") } assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") } diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 459efcc18e..9f1b56c8ec 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -394,7 +394,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT start_server(verify_mode: vflag, ctx_proc: proc { |ctx| - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) + # LibreSSL doesn't support client_cert_cb in TLS 1.3 + ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? }) { |port| ctx = OpenSSL::SSL::SSLContext.new ctx.key = @cli_key @@ -437,7 +438,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_client_ca - pend "LibreSSL 3.2 has broken client CA support" if libressl?(3, 2, 0) + pend "LibreSSL doesn't support certificate_authorities" if libressl? ctx_proc = Proc.new do |ctx| ctx.client_ca = [@ca_cert] @@ -609,12 +610,9 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(accept_proc: proc { |server| server_finished = server.finished_message server_peer_finished = server.peer_finished_message - }, ctx_proc: proc { |ctx| - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) }) { |port| ctx = OpenSSL::SSL::SSLContext.new ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE - ctx.max_version = :TLS1_2 if libressl?(3, 2, 0) && !libressl?(3, 3, 0) server_connect(port, ctx) { |ssl| ssl.puts "abc"; ssl.gets @@ -798,7 +796,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase # LibreSSL 3.5.0+ doesn't support other wildcard certificates # (it isn't required to, as RFC states MAY, not MUST) - return if libressl?(3, 5, 0) + return if libressl? assert_equal(true, OpenSSL::SSL.verify_certificate_identity( create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com')) @@ -1078,7 +1076,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_verify_hostname_on_connect ctx_proc = proc { |ctx| san = "DNS:a.example.com,DNS:*.b.example.com" - san += ",DNS:c*.example.com,DNS:d.*.example.com" unless libressl?(3, 2, 2) + san += ",DNS:c*.example.com,DNS:d.*.example.com" unless libressl? exts = [ ["keyUsage", "keyEncipherment,digitalSignature", true], ["subjectAltName", san], @@ -1105,7 +1103,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ["cx.example.com", true], ["d.x.example.com", false], ].each do |name, expected_ok| - next if name.start_with?('cx') if libressl?(3, 2, 2) + next if name.start_with?('cx') if libressl? begin sock = TCPSocket.new("127.0.0.1", port) ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) @@ -1388,8 +1386,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase supported = check_supported_protocol_versions if !defined?(OpenSSL::SSL::TLS1_3_VERSION) || !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) || - !supported.include?(OpenSSL::SSL::TLS1_3_VERSION) || - !defined?(OpenSSL::SSL::OP_NO_TLSv1_3) # LibreSSL < 3.4 + !supported.include?(OpenSSL::SSL::TLS1_3_VERSION) pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \ "and enabled by default" end @@ -1743,11 +1740,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase server_connect(port, cli_ctx) do |ssl| assert_equal('TLSv1.3', ssl.ssl_version) - if libressl?(3, 4, 0) && !libressl?(3, 5, 0) - assert_equal("AEAD-AES128-GCM-SHA256", ssl.cipher[0]) - else - assert_equal(csuite[0], ssl.cipher[0]) - end + assert_equal(csuite[0], ssl.cipher[0]) ssl.puts('abc'); assert_equal("abc\n", ssl.gets) end end diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb index 25ba6a8c45..4fa3821177 100644 --- a/test/openssl/test_ssl_session.rb +++ b/test/openssl/test_ssl_session.rb @@ -120,7 +120,7 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?(3, 2, 0) + ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb index eecb985e12..4f7aa0cb10 100644 --- a/test/openssl/test_x509cert.rb +++ b/test/openssl/test_x509cert.rb @@ -294,8 +294,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog - omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1) + omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil) assert_equal(true, cert.verify(ed25519)) @@ -421,8 +420,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_tbs_precert_bytes - pend "LibreSSL < 3.5 does not have i2d_re_X509_tbs" if libressl? && !libressl?(3, 5, 0) - cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) seq = OpenSSL::ASN1.decode(cert.tbs_bytes) diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb index e5fa6f9989..caab795d5b 100644 --- a/test/openssl/test_x509crl.rb +++ b/test/openssl/test_x509crl.rb @@ -207,8 +207,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog - omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1) + omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb index 1bf457ecf6..88a7bee93a 100644 --- a/test/openssl/test_x509req.rb +++ b/test/openssl/test_x509req.rb @@ -135,8 +135,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase def test_sign_and_verify_ed25519 # Ed25519 is not FIPS-approved. omit_on_fips - # See ASN1_item_sign_ctx in ChangeLog for 3.8.1: https://github.com/libressl/portable/blob/master/ChangeLog - omit "Ed25519 not supported" unless openssl?(1, 1, 1) || libressl?(3, 8, 1) + omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1) ed25519 = OpenSSL::PKey::generate_key("ED25519") req = issue_csr(0, @dn, ed25519, nil) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index d6c0e707a2..93e24e02b7 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -331,7 +331,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_add_cert_duplicate # Up until OpenSSL 1.1.0, X509_STORE_add_{cert,crl}() returned an error # if the given certificate is already in the X509_STORE - return if openssl?(1, 1, 0) || libressl? + return unless openssl? && !openssl?(1, 1, 0) ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") ca1_key = Fixtures.pkey("rsa-1") ca1_cert = issue_cert(ca1, ca1_key, 1, [], nil, nil) |