
Miscellaneous changes for OpenSSL 3.0 support #468

Merged
merged 13 commits into from
Oct 24, 2021

Commits on Oct 24, 2021

  1. ext/openssl/ossl.h: add helper macros for OpenSSL/LibreSSL versions

    Add the following convenient macros:
    
     - OSSL_IS_LIBRESSL
     - OSSL_OPENSSL_PREREQ(maj, min, pat)
     - OSSL_LIBRESSL_PREREQ(maj, min, pat)
    rhenium committed Oct 24, 2021
    00abee7
  2. ossl.c: use ERR_get_error_all() if available

    OpenSSL 3.0 deprecated ERR_get_error_line_data() in favor of
    ERR_get_error_all(), as part of the error queue structure changes.
    rhenium committed Oct 24, 2021
    8e98d2e
  3. ts: use TS_VERIFY_CTX_set_certs instead of TS_VERIFY_CTS_set_certs

    OpenSSL 3.0 fixed the typo in the function name and replaced the
    current 'CTS' version with a macro.
    rhenium committed Oct 24, 2021
    2be6779
  4. ssl: use SSL_CTX_load_verify_{file,dir}() if available

    SSL_CTX_load_verify_locations() is deprecated in OpenSSL 3.0 and
    replaced with those two separate functions. Use them if they exist.
    rhenium committed Oct 24, 2021
    5375a55
  5. ssl: use SSL_get_rbio() to check if SSL is started or not

    Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally
    calls SSL_get_rbio() and it's enough for our purpose.
    
    In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue
    if BIO has not been set up yet, and we would have to clean it up.
    rhenium committed Oct 24, 2021
    e95ee24
  6. bn: use BN_check_prime() in OpenSSL::BN#prime{,_fasttest}?

    In OpenSSL 3.0, BN_is_prime_ex() and BN_is_prime_fasttest_ex() are
    deprecated in favor of BN_check_prime().
    rhenium committed Oct 24, 2021
    90d51ef
  7. digest: use EVP_MD_CTX_get0_md() instead of EVP_MD_CTX_md() if exists

    The function was renamed in OpenSSL 3.0 due to the change of the
    lifetime of EVP_MD objects. They are no longer necessarily statically
    allocated and can be reference-counted -- when an EVP_MD_CTX is free'd,
    the associated EVP_MD can also become inaccessible.
    
    Currently Ruby/OpenSSL only handles builtin algorithms, so no special
    handling is needed except for adapting to the rename.
    rhenium committed Oct 24, 2021
    0a25302
  8. hmac: use EVP_MD_CTX_get_pkey_ctx() instead of EVP_MD_CTX_pkey_ctx()

    OpenSSL 3.0 renamed EVP_MD_CTX_pkey_ctx() to include "get" in the
    function name. Adjust the compatibility macro so that we can use the new
    function name for all OpenSSL 1.0.2-3.0.
    rhenium committed Oct 24, 2021
    c106d88
  9. pkey/ec: deprecate PKey::EC::Point#make_affine! and make it a no-op

    It converts the internal representation of the point object to the
    affine coordinate system. However, it had no real use case because the
    difference in the internal representation has not been visible from
    Ruby/OpenSSL at all.
    
    EC_POINT_make_affine() is marked as deprecated in OpenSSL 3.0.
    rhenium committed Oct 24, 2021
    e2cc81f
  10. pkey/ec: use EC_GROUP_free() instead of EC_GROUP_clear_free()

    EC_GROUP_clear_free() is deprecated in OpenSSL 3.0.
    
    EC_GROUP does not include any sensitive data, so we can safely use
    EC_GROUP_free() instead.
    rhenium committed Oct 24, 2021
    e93a5fd
  11. pkey, ssl: use EVP_PKEY_eq() instead of EVP_PKEY_cmp()

    OpenSSL 3.0 renamed EVP_PKEY_cmp() to EVP_PKEY_eq() because that was a
    confusing name.
    rhenium committed Oct 24, 2021
    d42bd7f
  12. bn: make BN.pseudo_rand{,_range} an alias of BN.rand{,_range}

    BN_pseudo_rand() and BN_pseudo_rand_range() are deprecated in
    OpenSSL 3.0. Since they are identical to their non-'pseudo' version
    anyway, let's make them aliases.
    rhenium committed Oct 24, 2021
    2d34e85
  13. bn: expand BIGNUM_RAND and BIGNUM_RAND_RANGE macros

    Now that BN.pseudo_rand{,_range} are aliases, those macros are only used
    once. Let's expand the macros for better readability.
    rhenium committed Oct 24, 2021
    7c2fc00
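
An added illustration for the version macros in commit 1 (not code from this pull request; the struct, function names and sample constants are constructed for the example). It models why a version gate has to test for LibreSSL as well as compare OPENSSL_VERSION_NUMBER: LibreSSL pins that constant at 0x20000000L, so a bare comparison selects the wrong API path.

```c
#include <stdio.h>

/* Hypothetical model of one build: the two constants the headers expose. */
struct build {
    unsigned long openssl_ver;   /* OPENSSL_VERSION_NUMBER */
    unsigned long libressl_ver;  /* LIBRESSL_VERSION_NUMBER, 0 if undefined */
};

/* Constructed samples in the real constants' layout. */
static const struct build sample_openssl_111  = { 0x1010100fUL, 0 };
static const struct build sample_openssl_300  = { 0x30000000UL, 0 };
static const struct build sample_libressl_340 = { 0x20000000UL, 0x3040000fUL };

/* Pack maj.min.pat in the 0xMNNFF... layout both constants share.
 * OpenSSL 3.x moved its patch field to bits 4-11, so with this packing
 * only pat == 0 is meaningful when gating on a 3.x release. */
static unsigned long pack(unsigned maj, unsigned min, unsigned pat)
{
    return ((unsigned long)maj << 28) | ((unsigned long)min << 20) |
           ((unsigned long)pat << 12);
}

static int is_libressl(const struct build *b) { return b->libressl_ver != 0; }

/* Naive gate: forgets that LibreSSL also defines OPENSSL_VERSION_NUMBER. */
static int naive_prereq(const struct build *b, unsigned maj, unsigned min, unsigned pat)
{
    return b->openssl_ver >= pack(maj, min, pat);
}

/* Gates in the spirit of the macros named in commit 1 (assumed semantics). */
static int openssl_prereq(const struct build *b, unsigned maj, unsigned min, unsigned pat)
{
    return !is_libressl(b) && b->openssl_ver >= pack(maj, min, pat);
}

static int libressl_prereq(const struct build *b, unsigned maj, unsigned min, unsigned pat)
{
    return is_libressl(b) && b->libressl_ver >= pack(maj, min, pat);
}

int main(void)
{
    printf("LibreSSL 3.4.0, gate on OpenSSL 1.1.0: naive=%d guarded=%d\n",
           naive_prereq(&sample_libressl_340, 1, 1, 0),
           openssl_prereq(&sample_libressl_340, 1, 1, 0));
    return 0;
}
```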