--- ruby-3.0.2-orig/ext/openssl/extconf.rb 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/extconf.rb 2021-09-17 16:10:36.749439537 +1000 @@ -33,9 +33,6 @@ have_library("ws2_32") end -Logging::message "=== Checking for required stuff... ===\n" -result = pkg_config("openssl") && have_header("openssl/ssl.h") - if $mingw append_cflags '-D_FORTIFY_SOURCE=2' append_ldflags '-fstack-protector' @@ -92,19 +89,32 @@ return false end -unless result - unless find_openssl_library - Logging::message "=== Checking for required stuff failed. ===\n" - Logging::message "Makefile wasn't created. Fix the errors above.\n" - raise "OpenSSL library could not be found. You might want to use " \ - "--with-openssl-dir= option to specify the prefix where OpenSSL " \ - "is installed." - end +Logging::message "=== Checking for required stuff... ===\n" +pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h") + +if !pkg_config_found && !find_openssl_library + Logging::message "=== Checking for required stuff failed. ===\n" + Logging::message "Makefile wasn't created. Fix the errors above.\n" + raise "OpenSSL library could not be found. You might want to use " \ + "--with-openssl-dir= option to specify the prefix where OpenSSL " \ + "is installed." +end + +version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h") + is_libressl = true + checking_for("LibreSSL version >= 3.1.0") { + try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") } +else + checking_for("OpenSSL version >= 1.0.2") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") } +end +unless version_ok + raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required" end -unless checking_for("OpenSSL version is 1.0.1 or later") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") } - raise "OpenSSL >= 1.0.1 or LibreSSL is required" +# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h +if is_libressl && ($mswin || $mingw) + $defs.push("-DNOCRYPT") end Logging::message "=== Checking for OpenSSL features... ===\n" @@ -116,23 +126,8 @@ have_func("ENGINE_load_#{name}()", "openssl/engine.h") } -if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h") - $defs.push("-DNOCRYPT") -end - -# added in 1.0.2 -have_func("EC_curve_nist2nid") -have_func("X509_REVOKED_dup") -have_func("X509_STORE_CTX_get0_store") -have_func("SSL_CTX_set_alpn_select_cb") -have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h") -have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h") -have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h") -have_func("SSL_is_server") - # added in 1.1.0 -if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || - try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h") +if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl $defs.push("-DHAVE_OPAQUE_OPENSSL") end have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API") --- ruby-3.0.2-orig/ext/openssl/openssl_missing.c 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/openssl_missing.c 2021-09-17 16:10:36.749439537 +1000 @@ -20,43 +20,6 @@ #include "openssl_missing.h" -/* added in 1.0.2 */ -#if !defined(OPENSSL_NO_EC) -#if !defined(HAVE_EC_CURVE_NIST2NID) -static struct { - const char *name; - int nid; -} nist_curves[] = { - {"B-163", NID_sect163r2}, - {"B-233", NID_sect233r1}, - {"B-283", NID_sect283r1}, - {"B-409", NID_sect409r1}, - {"B-571", NID_sect571r1}, - {"K-163", NID_sect163k1}, - {"K-233", NID_sect233k1}, - {"K-283", NID_sect283k1}, - {"K-409", NID_sect409k1}, - {"K-571", NID_sect571k1}, - {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, - {"P-521", NID_secp521r1} -}; - -int -ossl_EC_curve_nist2nid(const char *name) -{ - size_t i; - for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) { - if (!strcmp(nist_curves[i].name, name)) - return nist_curves[i].nid; - } - return NID_undef; -} -#endif -#endif - /*** added in 1.1.0 ***/ #if !defined(HAVE_HMAC_CTX_NEW) HMAC_CTX * --- ruby-3.0.2-orig/ext/openssl/openssl_missing.h 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/openssl_missing.h 2021-09-17 17:03:24.833360338 +1000 @@ -12,27 +12,6 @@ #include "ruby/config.h" -/* added in 1.0.2 */ -#if !defined(OPENSSL_NO_EC) -#if !defined(HAVE_EC_CURVE_NIST2NID) -int ossl_EC_curve_nist2nid(const char *); -# define EC_curve_nist2nid ossl_EC_curve_nist2nid -#endif -#endif - -#if !defined(HAVE_X509_REVOKED_DUP) -# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \ - (d2i_of_void *)d2i_X509_REVOKED, (char *)(rev)) -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_STORE) -# define X509_STORE_CTX_get0_store(x) ((x)->ctx) -#endif - -#if !defined(HAVE_SSL_IS_SERVER) -# define SSL_is_server(s) ((s)->server) -#endif - /* added in 1.1.0 */ #if !defined(HAVE_BN_GENCB_NEW) # define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) @@ -147,8 +126,7 @@ CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY); #endif -#if !defined(HAVE_OPAQUE_OPENSSL) && \ - (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL) +#if !defined(HAVE_OPAQUE_OPENSSL) #define IMPL_PKEY_GETTER(_type, _name) \ static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \ return pkey->pkey._name; } --- ruby-3.0.2-orig/ext/openssl/ossl_ocsp.c 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/ossl_ocsp.c 2021-09-17 16:10:36.750439540 +1000 @@ -1069,55 +1069,7 @@ x509st = GetX509StorePtr(store); flg = NIL_P(flags) ? 0 : NUM2INT(flags); x509s = ossl_x509_ary2sk(certs); -#if (OPENSSL_VERSION_NUMBER < 0x1000202fL) || defined(LIBRESSL_VERSION_NUMBER) - /* - * OpenSSL had a bug that it doesn't use the certificates in x509s for - * verifying the chain. This can be a problem when the response is signed by - * a certificate issued by an intermediate CA. - * - * root_ca - * | - * intermediate_ca - * |-------------| - * end_entity ocsp_signer - * - * When the certificate hierarchy is like this, and the response contains - * only ocsp_signer certificate, the following code wrongly fails. - * - * store = OpenSSL::X509::Store.new; store.add_cert(root_ca) - * basic_response.verify([intermediate_ca], store) - * - * So add the certificates in x509s to the embedded certificates list first. - * - * This is fixed in OpenSSL 0.9.8zg, 1.0.0s, 1.0.1n, 1.0.2b. But it still - * exists in LibreSSL 2.1.10, 2.2.9, 2.3.6, 2.4.1. - */ - if (!(flg & (OCSP_NOCHAIN | OCSP_NOVERIFY)) && - sk_X509_num(x509s) && sk_X509_num(bs->certs)) { - int i; - - bs = ASN1_item_dup(ASN1_ITEM_rptr(OCSP_BASICRESP), bs); - if (!bs) { - sk_X509_pop_free(x509s, X509_free); - ossl_raise(eOCSPError, "ASN1_item_dup"); - } - - for (i = 0; i < sk_X509_num(x509s); i++) { - if (!OCSP_basic_add1_cert(bs, sk_X509_value(x509s, i))) { - sk_X509_pop_free(x509s, X509_free); - OCSP_BASICRESP_free(bs); - ossl_raise(eOCSPError, "OCSP_basic_add1_cert"); - } - } - result = OCSP_basic_verify(bs, x509s, x509st, flg); - OCSP_BASICRESP_free(bs); - } - else { - result = OCSP_basic_verify(bs, x509s, x509st, flg); - } -#else result = OCSP_basic_verify(bs, x509s, x509st, flg); -#endif sk_X509_pop_free(x509s, X509_free); if (result <= 0) ossl_clear_error(); --- ruby-3.0.2-orig/ext/openssl/ossl_ssl.c 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/ossl_ssl.c 2021-09-17 16:10:36.751439543 +1000 @@ -49,19 +49,11 @@ static int ossl_ssl_ex_vcb_idx; static int ossl_ssl_ex_ptr_idx; static int ossl_sslctx_ex_ptr_idx; -#if !defined(HAVE_X509_STORE_UP_REF) -static int ossl_sslctx_ex_store_p; -#endif static void ossl_sslctx_free(void *ptr) { - SSL_CTX *ctx = ptr; -#if !defined(HAVE_X509_STORE_UP_REF) - if (ctx && SSL_CTX_get_ex_data(ctx, ossl_sslctx_ex_store_p)) - ctx->cert_store = NULL; -#endif - SSL_CTX_free(ctx); + SSL_CTX_free(ptr); } static const rb_data_type_t ossl_sslctx_type = { @@ -95,7 +87,7 @@ RTYPEDDATA_DATA(obj) = ctx; SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj); -#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_ECDH_AUTO) +#if !defined(OPENSSL_NO_EC) /* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It * allows to specify multiple curve names and OpenSSL will select * automatically from them. In OpenSSL 1.0.2, the automatic selection has to @@ -387,7 +379,7 @@ } static SSL_SESSION * -#if (!defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x10100000 : LIBRESSL_VERSION_NUMBER >= 0x2080000f) +#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000 ossl_sslctx_session_get_cb(SSL *ssl, const unsigned char *buf, int len, int *copy) #else ossl_sslctx_session_get_cb(SSL *ssl, unsigned char *buf, int len, int *copy) @@ -596,8 +588,6 @@ rb_funcallv(cb, id_call, 1, &ssl_obj); } -#if !defined(OPENSSL_NO_NEXTPROTONEG) || \ - defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB) static VALUE ssl_npn_encode_protocol_i(RB_BLOCK_CALL_FUNC_ARGLIST(cur, encoded)) { @@ -679,7 +669,6 @@ return SSL_TLSEXT_ERR_OK; } -#endif #ifndef OPENSSL_NO_NEXTPROTONEG static int @@ -708,7 +697,6 @@ } #endif -#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB static int ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) @@ -720,7 +708,6 @@ return ssl_npn_select_cb_common(ssl, cb, out, outlen, in, inlen); } -#endif /* This function may serve as the entry point to support further callbacks. */ static void @@ -825,17 +812,7 @@ if (!NIL_P(val)) { X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */ SSL_CTX_set_cert_store(ctx, store); -#if !defined(HAVE_X509_STORE_UP_REF) - /* - * WORKAROUND: - * X509_STORE can count references, but - * X509_STORE_free() doesn't care it. - * So we won't increment it but mark it by ex_data. - */ - SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_store_p, ctx); -#else /* Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) */ X509_STORE_up_ref(store); -#endif } val = rb_attr_get(self, id_i_extra_chain_cert); @@ -917,7 +894,6 @@ } #endif -#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB val = rb_attr_get(self, id_i_alpn_protocols); if (!NIL_P(val)) { VALUE rprotos = ssl_encode_npn_protocols(val); @@ -932,7 +908,6 @@ SSL_CTX_set_alpn_select_cb(ctx, ssl_alpn_select_cb, (void *) self); OSSL_Debug("SSL ALPN select callback added"); } -#endif rb_obj_freeze(self); @@ -1065,9 +1040,6 @@ * Extension. For a server, the list is used by OpenSSL to determine the set of * shared curves. OpenSSL will pick the most appropriate one from it. * - * Note that this works differently with old OpenSSL (<= 1.0.1). Only one curve - * can be set, and this has no effect for TLS clients. - * * === Example * ctx1 = OpenSSL::SSL::SSLContext.new * ctx1.ecdh_curves = "X25519:P-256:P-224" @@ -1091,48 +1063,8 @@ GetSSLCTX(self, ctx); StringValueCStr(arg); -#if defined(HAVE_SSL_CTX_SET1_CURVES_LIST) if (!SSL_CTX_set1_curves_list(ctx, RSTRING_PTR(arg))) ossl_raise(eSSLError, NULL); -#else - /* OpenSSL does not have SSL_CTX_set1_curves_list()... Fallback to - * SSL_CTX_set_tmp_ecdh(). So only the first curve is used. */ - { - VALUE curve, splitted; - EC_KEY *ec; - int nid; - - splitted = rb_str_split(arg, ":"); - if (!RARRAY_LEN(splitted)) - ossl_raise(eSSLError, "invalid input format"); - curve = RARRAY_AREF(splitted, 0); - StringValueCStr(curve); - - /* SSL_CTX_set1_curves_list() accepts NIST names */ - nid = EC_curve_nist2nid(RSTRING_PTR(curve)); - if (nid == NID_undef) - nid = OBJ_txt2nid(RSTRING_PTR(curve)); - if (nid == NID_undef) - ossl_raise(eSSLError, "unknown curve name"); - - ec = EC_KEY_new_by_curve_name(nid); - if (!ec) - ossl_raise(eSSLError, NULL); - EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); - if (!SSL_CTX_set_tmp_ecdh(ctx, ec)) { - EC_KEY_free(ec); - ossl_raise(eSSLError, "SSL_CTX_set_tmp_ecdh"); - } - EC_KEY_free(ec); -# if defined(HAVE_SSL_CTX_SET_ECDH_AUTO) - /* tmp_ecdh and ecdh_auto conflict. tmp_ecdh is ignored when ecdh_auto - * is enabled. So disable ecdh_auto. */ - if (!SSL_CTX_set_ecdh_auto(ctx, 0)) - ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto"); -# endif - } -#endif - return arg; } #else @@ -1255,10 +1187,6 @@ * ecdsa_pkey = ... * another_ca_cert = ... * ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert]) - * - * === Note - * OpenSSL before the version 1.0.2 could handle only one extra chain across - * all key types. Calling this method discards the chain set previously. */ static VALUE ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self) @@ -1297,34 +1225,9 @@ sk_X509_pop_free(extra_chain, X509_free); ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey"); } - - if (extra_chain) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000 && !defined(LIBRESSL_VERSION_NUMBER) - if (!SSL_CTX_set0_chain(ctx, extra_chain)) { - sk_X509_pop_free(extra_chain, X509_free); - ossl_raise(eSSLError, "SSL_CTX_set0_chain"); - } -#else - STACK_OF(X509) *orig_extra_chain; - X509 *x509_tmp; - - /* First, clear the existing chain */ - SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain); - if (orig_extra_chain && sk_X509_num(orig_extra_chain)) { - rb_warning("SSL_CTX_set0_chain() is not available; " \ - "clearing previously set certificate chain"); - SSL_CTX_clear_extra_chain_certs(ctx); - } - while ((x509_tmp = sk_X509_shift(extra_chain))) { - /* Transfers ownership */ - if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) { - X509_free(x509_tmp); - sk_X509_pop_free(extra_chain, X509_free); - ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert"); - } - } - sk_X509_free(extra_chain); -#endif + if (extra_chain && !SSL_CTX_set0_chain(ctx, extra_chain)) { + sk_X509_pop_free(extra_chain, X509_free); + ossl_raise(eSSLError, "SSL_CTX_set0_chain"); } return self; } @@ -2410,7 +2313,6 @@ } # endif -# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB /* * call-seq: * ssl.alpn_protocol => String | nil @@ -2433,9 +2335,7 @@ else return rb_str_new((const char *) out, outlen); } -# endif -# ifdef HAVE_SSL_GET_SERVER_TMP_KEY /* * call-seq: * ssl.tmp_key => PKey or nil @@ -2453,7 +2353,6 @@ return Qnil; return ossl_pkey_new(key); } -# endif /* defined(HAVE_SSL_GET_SERVER_TMP_KEY) */ #endif /* !defined(OPENSSL_NO_SOCK) */ void @@ -2478,11 +2377,6 @@ ossl_sslctx_ex_ptr_idx = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_ptr_idx", 0, 0, 0); if (ossl_sslctx_ex_ptr_idx < 0) ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index"); -#if !defined(HAVE_X509_STORE_UP_REF) - ossl_sslctx_ex_store_p = SSL_CTX_get_ex_new_index(0, (void *)"ossl_sslctx_ex_store_p", 0, 0, 0); - if (ossl_sslctx_ex_store_p < 0) - ossl_raise(rb_eRuntimeError, "SSL_CTX_get_ex_new_index"); -#endif /* Document-module: OpenSSL::SSL * @@ -2733,7 +2627,6 @@ rb_attr(cSSLContext, rb_intern_const("npn_select_cb"), 1, 1, Qfalse); #endif -#ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB /* * An Enumerable of Strings. Each String represents a protocol to be * advertised as the list of supported protocols for Application-Layer @@ -2763,7 +2656,6 @@ * end */ rb_attr(cSSLContext, rb_intern_const("alpn_select_cb"), 1, 1, Qfalse); -#endif rb_define_alias(cSSLContext, "ssl_timeout", "timeout"); rb_define_alias(cSSLContext, "ssl_timeout=", "timeout="); @@ -2877,12 +2769,8 @@ rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1); rb_define_method(cSSLSocket, "finished_message", ossl_ssl_get_finished, 0); rb_define_method(cSSLSocket, "peer_finished_message", ossl_ssl_get_peer_finished, 0); -# ifdef HAVE_SSL_GET_SERVER_TMP_KEY rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); -# endif -# ifdef HAVE_SSL_CTX_SET_ALPN_SELECT_CB rb_define_method(cSSLSocket, "alpn_protocol", ossl_ssl_alpn_protocol, 0); -# endif # ifndef OPENSSL_NO_NEXTPROTONEG rb_define_method(cSSLSocket, "npn_protocol", ossl_ssl_npn_protocol, 0); # endif @@ -2895,12 +2783,8 @@ rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL)); rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT)); -#ifdef SSL_OP_TLSEXT_PADDING /* OpenSSL 1.0.1h and OpenSSL 1.0.2 */ rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING)); -#endif -#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG /* OpenSSL 1.0.1f and OpenSSL 1.0.2 */ rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)); -#endif #ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */ rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX)); #endif --- ruby-3.0.2-orig/ext/openssl/ossl_ts.c 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/ossl_ts.c 2021-09-17 16:10:36.752439547 +1000 @@ -821,12 +821,9 @@ TS_VERIFY_CTX_set_store(ctx, x509st); ok = TS_RESP_verify_response(ctx, resp); - - /* WORKAROUND: - * X509_STORE can count references, but X509_STORE_free() doesn't check - * this. To prevent our X509_STORE from being freed with our - * TS_VERIFY_CTX we set the store to NULL first. - * Fixed in OpenSSL 1.0.2; bff9ce4db38b (master), 5b4b9ce976fc (1.0.2) + /* + * TS_VERIFY_CTX_set_store() call above does not increment the reference + * counter, so it must be unset before TS_VERIFY_CTX_free() is called. */ TS_VERIFY_CTX_set_store(ctx, NULL); TS_VERIFY_CTX_free(ctx); --- ruby-3.0.2-orig/ext/openssl/ossl_x509.c 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/ext/openssl/ossl_x509.c 2021-09-17 16:10:36.752439547 +1000 @@ -115,11 +115,9 @@ DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED); DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256); #endif -#if defined(X509_V_ERR_HOSTNAME_MISMATCH) DefX509Const(V_ERR_HOSTNAME_MISMATCH); DefX509Const(V_ERR_EMAIL_MISMATCH); DefX509Const(V_ERR_IP_ADDRESS_MISMATCH); -#endif #if defined(X509_V_ERR_DANE_NO_MATCH) DefX509Const(V_ERR_DANE_NO_MATCH); #endif @@ -187,12 +185,10 @@ /* Set by Store#flags= and StoreContext#flags=. Enables checking of the * signature of the root self-signed CA. */ DefX509Const(V_FLAG_CHECK_SS_SIGNATURE); -#if defined(X509_V_FLAG_TRUSTED_FIRST) /* Set by Store#flags= and StoreContext#flags=. When constructing a * certificate chain, search the Store first for the issuer certificate. * Enabled by default in OpenSSL >= 1.1.0. */ DefX509Const(V_FLAG_TRUSTED_FIRST); -#endif #if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY) /* Set by Store#flags= and StoreContext#flags=. * Enables Suite B 128 bit only mode. */ @@ -208,11 +204,9 @@ * Enables Suite B 128 bit mode allowing 192 bit algorithms. */ DefX509Const(V_FLAG_SUITEB_128_LOS); #endif -#if defined(X509_V_FLAG_PARTIAL_CHAIN) /* Set by Store#flags= and StoreContext#flags=. * Allows partial chains if at least one certificate is in trusted store. */ DefX509Const(V_FLAG_PARTIAL_CHAIN); -#endif #if defined(X509_V_FLAG_NO_ALT_CHAINS) /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for * a alternative chain. No effect in OpenSSL >= 1.1.0. */ --- ruby-3.0.2-orig/test/openssl/test_asn1.rb 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/test/openssl/test_asn1.rb 2021-09-17 16:10:36.753439550 +1000 @@ -265,10 +265,9 @@ assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1.decode(B(%w{ 03 00 })) } - # OpenSSL < OpenSSL_1_0_1k and LibreSSL ignore the error - # assert_raise(OpenSSL::ASN1::ASN1Error) { - # OpenSSL::ASN1.decode(B(%w{ 03 03 08 FF 00 })) - # } + assert_raise(OpenSSL::ASN1::ASN1Error) { + OpenSSL::ASN1.decode(B(%w{ 03 03 08 FF 00 })) + } # OpenSSL does not seem to prohibit this, though X.690 8.6.2.3 (15/08) does # assert_raise(OpenSSL::ASN1::ASN1Error) { # OpenSSL::ASN1.decode(B(%w{ 03 01 04 })) --- ruby-3.0.2-orig/test/openssl/test_ocsp.rb 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/test/openssl/test_ocsp.rb 2021-09-17 16:10:36.753439550 +1000 @@ -123,14 +123,7 @@ assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN) ret = req.verify([@cert], store) - if ret || openssl?(1, 0, 2) - assert_equal true, ret - else - # RT2560; OCSP_request_verify() does not find signer cert from 'certs' when - # OCSP_NOINTERN is not specified. - # fixed by OpenSSL 1.0.1j, 1.0.2 - pend "RT2560: ocsp_req_find_signer" - end + assert_equal true, ret # not signed req = OpenSSL::OCSP::Request.new.add_certid(cid) --- ruby-3.0.2-orig/test/openssl/test_ssl.rb 2021-07-07 20:08:35.000000000 +1000 +++ ruby-3.0.2/test/openssl/test_ssl.rb 2021-09-17 16:18:51.708145484 +1000 @@ -1,3 +1,4 @@ +# coding: utf-8 # frozen_string_literal: true require_relative "utils" @@ -127,21 +128,13 @@ pend "EC is not supported" unless defined?(OpenSSL::PKey::EC) pend "TLS 1.2 is not supported" unless tls12_supported? - # SSL_CTX_set0_chain() is needed for setting multiple certificate chains - add0_chain_supported = openssl?(1, 0, 2) - - if add0_chain_supported - ca2_key = Fixtures.pkey("rsa-3") - ca2_exts = [ - ["basicConstraints", "CA:TRUE", true], - ["keyUsage", "cRLSign, keyCertSign", true], - ] - ca2_dn = OpenSSL::X509::Name.parse_rfc2253("CN=CA2") - ca2_cert = issue_cert(ca2_dn, ca2_key, 123, ca2_exts, nil, nil) - else - # Use the same CA as @svr_cert - ca2_key = @ca_key; ca2_cert = @ca_cert - end + ca2_key = Fixtures.pkey("rsa-3") + ca2_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign, keyCertSign", true], + ] + ca2_dn = OpenSSL::X509::Name.parse_rfc2253("CN=CA2") + ca2_cert = issue_cert(ca2_dn, ca2_key, 123, ca2_exts, nil, nil) ecdsa_key = Fixtures.pkey("p256") exts = [ @@ -150,23 +143,11 @@ ecdsa_dn = OpenSSL::X509::Name.parse_rfc2253("CN=localhost2") ecdsa_cert = issue_cert(ecdsa_dn, ecdsa_key, 456, exts, ca2_cert, ca2_key) - if !add0_chain_supported - # Testing the warning emitted when 'extra' chain is replaced - tctx = OpenSSL::SSL::SSLContext.new - tctx.add_certificate(@svr_cert, @svr_key, [@ca_cert]) - assert_warning(/set0_chain/) { - tctx.add_certificate(ecdsa_cert, ecdsa_key, [ca2_cert]) - } - end - ctx_proc = -> ctx { # Unset values set by start_server ctx.cert = ctx.key = ctx.extra_chain_cert = nil - ctx.ecdh_curves = "P-256" unless openssl?(1, 0, 2) ctx.add_certificate(@svr_cert, @svr_key, [@ca_cert]) # RSA - EnvUtil.suppress_warning do # !add0_chain_supported - ctx.add_certificate(ecdsa_cert, ecdsa_key, [ca2_cert]) - end + ctx.add_certificate(ecdsa_cert, ecdsa_key, [ca2_cert]) } start_server(ctx_proc: ctx_proc) do |port| ctx = OpenSSL::SSL::SSLContext.new @@ -941,10 +922,7 @@ ssl.hostname = "b.example.com" assert_handshake_error { ssl.connect } assert_equal false, verify_callback_ok - code_expected = openssl?(1, 0, 2) || defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH) ? - OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH : - OpenSSL::X509::V_ERR_CERT_REJECTED - assert_equal code_expected, verify_callback_err + assert_equal OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH, verify_callback_err ensure sock&.close end @@ -1234,7 +1212,6 @@ } end -if openssl?(1, 0, 2) || libressl? def test_alpn_protocol_selection_ary advertised = ["http/1.1", "spdy/2"] ctx_proc = Proc.new { |ctx| @@ -1280,7 +1257,6 @@ t&.kill t&.join end -end def test_npn_protocol_selection_ary pend "TLS 1.2 is not supported" unless tls12_supported? @@ -1398,11 +1374,6 @@ end def test_get_ephemeral_key - # OpenSSL >= 1.0.2 - unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) - pend "SSL_get_server_tmp_key() is not supported" - end - if tls12_supported? # kRSA ctx_proc1 = proc { |ctx| @@ -1533,9 +1504,7 @@ start_server(ctx_proc: ctx_proc) do |port| server_connect(port) { |ssl| assert called, "dh callback should be called" - if ssl.respond_to?(:tmp_key) - assert_equal dh.to_der, ssl.tmp_key.to_der - end + assert_equal dh.to_der, ssl.tmp_key.to_der } end end @@ -1590,6 +1559,7 @@ ctx.ecdh_curves = "P-384:P-521" } start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port| + # Test 1: Client=P-256:P-384, Server=P-384:P-521 --> P-384 ctx = OpenSSL::SSL::SSLContext.new ctx.ecdh_curves = "P-256:P-384" # disable P-521 for OpenSSL >= 1.0.2 @@ -1599,29 +1569,25 @@ assert_equal "secp384r1", ssl.tmp_key.group.curve_name else assert_match (/\AECDH/), cs - if ssl.respond_to?(:tmp_key) - assert_equal "secp384r1", ssl.tmp_key.group.curve_name - end + assert_equal "secp384r1", ssl.tmp_key.group.curve_name end ssl.puts "abc"; assert_equal "abc\n", ssl.gets } - if openssl?(1, 0, 2) || libressl?(2, 5, 1) - ctx = OpenSSL::SSL::SSLContext.new - ctx.ecdh_curves = "P-256" - - assert_raise(OpenSSL::SSL::SSLError) { - server_connect(port, ctx) { } - } - - ctx = OpenSSL::SSL::SSLContext.new - ctx.ecdh_curves = "P-521:P-384" + # Test 2: Client=P-256, Server=P-521:P-384 --> Fail + ctx = OpenSSL::SSL::SSLContext.new + ctx.ecdh_curves = "P-256" + assert_raise(OpenSSL::SSL::SSLError) { + server_connect(port, ctx) { } + } - server_connect(port, ctx) { |ssl| - assert_equal "secp521r1", ssl.tmp_key.group.curve_name - ssl.puts "abc"; assert_equal "abc\n", ssl.gets - } - end + # Test 3: Client=P-521:P-384, Server=P-521:P-384 --> P-521 + ctx = OpenSSL::SSL::SSLContext.new + ctx.ecdh_curves = "P-521:P-384" + server_connect(port, ctx) { |ssl| + assert_equal "secp521r1", ssl.tmp_key.group.curve_name + ssl.puts "abc"; assert_equal "abc\n", ssl.gets + } end end