diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 6c7417899..0b5155d90 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -145,6 +145,13 @@ def find_openssl_library
 # added in OpenSSL 1.0.2, not in LibreSSL or AWS-LC yet
 have_func("SSL_CTX_set1_client_sigalgs_list(NULL, NULL)", ssl_h)
+# SSL options can be uint64_t (OpenSSL >= 3), unsigned long (OpenSSL >= 1.1),
+# long (LibreSSL), or uint32_t (AWS-LC)
+if checking_for("whether SSL_CTX_get_options() returns a 64-bit value") {
+ try_static_assert("sizeof(SSL_CTX_get_options(NULL)) == 8", ssl_h) }
+ $defs.push("-DOSSL_SIZEOF_SSL_OPTIONS_IS_8")
+end
+
 # added in 1.1.0, currently not in LibreSSL
 have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 0a9eab4f8..c74a45db2 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -98,8 +98,10 @@ extern VALUE eOSSLError;
 #if !defined(NUM2UINT64T) /* in case Ruby starts to provide */
 # if SIZEOF_LONG == 8
 # define NUM2UINT64T(x) ((uint64_t)NUM2ULONG(x))
+# define UINT64T2NUM(x) ULONG2NUM(x)
 # elif defined(HAVE_LONG_LONG) && SIZEOF_LONG_LONG == 8
 # define NUM2UINT64T(x) ((uint64_t)NUM2ULL(x))
+# define UINT64T2NUM(x) ULL2NUM(x)
 # else
 # error "unknown platform; no 64-bit width integer"
 # endif
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 3d913a396..87ef4509d 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
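Review bot: The probe `try_static_assert("sizeof(SSL_CTX_get_options(NULL)) == 8", ssl_h)` treats any failure to compile as "not 64-bit", so a probe that breaks for an unrelated reason (a missing prototype, an unexpected macro expansion of SSL_CTX_get_options) silently sends ossl_ssl.c down the uint32_t path instead of failing configure. Since the C side only handles widths 8 and 4, it is cheap to pin the other outcome explicitly: `elsif !try_static_assert("sizeof(SSL_CTX_get_options(NULL)) == 4", ssl_h)` / `  raise "unexpected width of SSL_CTX_get_options()"` before the `end`. That way a misconfigured build stops here, where the cause is visible, rather than surfacing later as truncated option bits. The comment above the check could also name the effect of the define, e.g. `# OSSL_SIZEOF_SSL_OPTIONS_IS_8 selects the 64-bit conversions in ossl_ssl.c`.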
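Review bot: The two new `UINT64T2NUM` definitions live inside the `#if !defined(NUM2UINT64T)` guard, so they are only provided when Ruby does not provide NUM2UINT64T; if a future Ruby ships NUM2UINT64T without a matching UINT64T2NUM, every use added in ossl_ssl.c would fail to compile and the cause would not be obvious from this header. Either guard the new macro on its own name, `#if !defined(UINT64T2NUM)`, or record the coupling so the next reader knows it is deliberate: `/* UINT64T2NUM is defined together with NUM2UINT64T; keep the pair in sync if Ruby starts providing either one */`. The fallback `# error` branch already covers the no-64-bit case, so no further change is needed there.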
@@ -627,11 +627,21 @@ ossl_sslctx_get_options(VALUE self)
 {
 SSL_CTX *ctx;
 GetSSLCTX(self, ctx);
+
 /*
- * Do explicit cast because SSL_CTX_get_options() returned (signed) long in
- * OpenSSL before 1.1.0.
+ * SSL_CTX_get_options() returns different types in libssl variants, and
+ * we want to treat them as a non-negative Integer in Ruby:
+ * - uint64_t in OpenSSL >= 3
+ * - unsigned long in OpenSSL >= 1.1
+ * - long in OpenSSL <= 1.0.2 and LibreSSL 4.3 (latest), with all 32 bits
+ * used for options.
+ * - uint32_t in AWS-LC 5.0.0 (latest)
 */
- return ULONG2NUM((unsigned long)SSL_CTX_get_options(ctx));
+#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8
+ return UINT64T2NUM((uint64_t)SSL_CTX_get_options(ctx));
+#else
+ return UINT2NUM((uint32_t)SSL_CTX_get_options(ctx));
+#endif
 }
 
 /*
@@ -655,13 +665,13 @@ ossl_sslctx_set_options(VALUE self, VALUE options)
 rb_check_frozen(self);
 GetSSLCTX(self, ctx);
+#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8
+ uint64_t opts = NIL_P(options) ? SSL_OP_ALL : NUM2UINT64T(options);
+#else
+ uint32_t opts = NIL_P(options) ? SSL_OP_ALL : NUM2UINT(options);
+#endif
 SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
-
- if (NIL_P(options)) {
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
- } else {
- SSL_CTX_set_options(ctx, NUM2ULONG(options));
- }
+ SSL_CTX_set_options(ctx, opts);
 return self;
 }
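Review bot: The new comment block in ossl_sslctx_get_options() lists the four return types but does not say which of the two `#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8` branches handles which, nor where that macro comes from, so a reader of this file alone cannot tell whether the `UINT2NUM((uint32_t)...)` fallback is the LibreSSL case, the AWS-LC case, or both. One line after the list would close that gap: `* OSSL_SIZEOF_SSL_OPTIONS_IS_8 is set by extconf.rb from sizeof(SSL_CTX_get_options(NULL)); the else branch covers every 4-byte variant.` The explicit `(uint64_t)`/`(uint32_t)` casts are right to keep, since the width probe, not the declared type, is what selects the conversion.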
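Review bot: The setter does not enforce the "non-negative Integer" contract that the getter comment states: as far as I can tell `NUM2UINT64T(options)` (NUM2ULONG/NUM2ULL underneath) and `NUM2UINT(options)` accept a negative Integer by two's-complement wrapping, so `ctx.options = -1` sets every option bit and `ctx.options` then reads back a large positive value instead of raising. Moving the conversion ahead of `SSL_CTX_clear_options` is a good change, since a RangeError no longer leaves the context with its options wiped, but the negative case deserves the same treatment. A one-line guard before the `#ifdef` does it: `if (!NIL_P(options) && RTEST(rb_funcall(options, '<', 1, INT2FIX(0)))) rb_raise(rb_eRangeError, "options must be a non-negative Integer");`. If wrapping is intended as a "set all bits" shorthand, say so in the method's rdoc instead. ossl_sslctx_set_options() starts before the hunk; the `SSL_CTX *ctx;` declaration is not visible here.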
@@ -3178,98 +3188,128 @@ Init_ossl_ssl(void)
 rb_define_const(mSSL, "VERIFY_FAIL_IF_NO_PEER_CERT", INT2NUM(SSL_VERIFY_FAIL_IF_NO_PEER_CERT));
 rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
- rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
+ rb_define_const(mSSL, "OP_ALL", UINT64T2NUM(SSL_OP_ALL));
+#ifdef SSL_OP_NO_EXTENDED_MASTER_SECRET /* OpenSSL 3.0 */
+ rb_define_const(mSSL, "OP_NO_EXTENDED_MASTER_SECRET", UINT64T2NUM(SSL_OP_NO_EXTENDED_MASTER_SECRET));
+#endif
 #ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
- rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
+ rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", UINT64T2NUM(SSL_OP_CLEANSE_PLAINTEXT));
 #endif
- rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
+ rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", UINT64T2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
 #ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
- rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
+ rb_define_const(mSSL, "OP_ENABLE_KTLS", UINT64T2NUM(SSL_OP_ENABLE_KTLS));
 #endif
- rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
- rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
+ rb_define_const(mSSL, "OP_TLSEXT_PADDING", UINT64T2NUM(SSL_OP_TLSEXT_PADDING));
+ rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", UINT64T2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
- rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
+ rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", UINT64T2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
 #endif
 #ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
- rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
+ rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", UINT64T2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
 #endif
 #ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
- rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
+ rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", UINT64T2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
 #endif
 #ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
+ rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", UINT64T2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
 #endif
- rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
- rb_define_const(mSSL, "OP_NO_TICKET", ULONG2NUM(SSL_OP_NO_TICKET));
- rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
- rb_define_const(mSSL, "OP_NO_COMPRESSION", ULONG2NUM(SSL_OP_NO_COMPRESSION));
- rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
+ rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", UINT64T2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
+ rb_define_const(mSSL, "OP_NO_TICKET", UINT64T2NUM(SSL_OP_NO_TICKET));
+ rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", UINT64T2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
+ rb_define_const(mSSL, "OP_NO_COMPRESSION", UINT64T2NUM(SSL_OP_NO_COMPRESSION));
+ rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", UINT64T2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
+ rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", UINT64T2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
 #endif
 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
+ rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", UINT64T2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
 #endif
 #ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
+ rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", UINT64T2NUM(SSL_OP_PRIORITIZE_CHACHA));
 #endif
 #ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
+ rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", UINT64T2NUM(SSL_OP_NO_ANTI_REPLAY));
+#endif
+ rb_define_const(mSSL, "OP_NO_SSLv3", UINT64T2NUM(SSL_OP_NO_SSLv3));
+ rb_define_const(mSSL, "OP_NO_TLSv1", UINT64T2NUM(SSL_OP_NO_TLSv1));
+ rb_define_const(mSSL, "OP_NO_TLSv1_1", UINT64T2NUM(SSL_OP_NO_TLSv1_1));
+ rb_define_const(mSSL, "OP_NO_TLSv1_2", UINT64T2NUM(SSL_OP_NO_TLSv1_2));
+ rb_define_const(mSSL, "OP_NO_TLSv1_3", UINT64T2NUM(SSL_OP_NO_TLSv1_3));
+ rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", UINT64T2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
+ rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", UINT64T2NUM(SSL_OP_TLS_ROLLBACK_BUG));
+#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 and LibreSSL 4.1.1 */
+ rb_define_const(mSSL, "OP_NO_RENEGOTIATION", UINT64T2NUM(SSL_OP_NO_RENEGOTIATION));
+#endif
+ rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", UINT64T2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
+#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION /* OpenSSL 3.2 */
+ rb_define_const(mSSL, "OP_NO_TX_CERTIFICATE_COMPRESSION", UINT64T2NUM(SSL_OP_NO_TX_CERTIFICATE_COMPRESSION));
+#endif
+#ifdef SSL_OP_NO_RX_CERTIFICATE_COMPRESSION /* OpenSSL 3.2 */
+ rb_define_const(mSSL, "OP_NO_RX_CERTIFICATE_COMPRESSION", UINT64T2NUM(SSL_OP_NO_RX_CERTIFICATE_COMPRESSION));
+#endif
+#ifdef SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE /* OpenSSL 3.2 */
+ rb_define_const(mSSL, "OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE", UINT64T2NUM(SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE));
+#endif
+#ifdef SSL_OP_PREFER_NO_DHE_KEX /* OpenSSL 3.3 */
+ rb_define_const(mSSL, "OP_PREFER_NO_DHE_KEX", UINT64T2NUM(SSL_OP_PREFER_NO_DHE_KEX));
+#endif
+#ifdef SSL_OP_LEGACY_EC_POINT_FORMATS /* OpenSSL 3.6 */
+ rb_define_const(mSSL, "OP_LEGACY_EC_POINT_FORMATS", UINT64T2NUM(SSL_OP_LEGACY_EC_POINT_FORMATS));
+#endif
+#ifdef SSL_OP_ECH_GREASE /* OpenSSL 4.0 */
+ rb_define_const(mSSL, "OP_ECH_GREASE", UINT64T2NUM(SSL_OP_ECH_GREASE));
+#endif
+#ifdef SSL_OP_ECH_TRIALDECRYPT /* OpenSSL 4.0 */
+ rb_define_const(mSSL, "OP_ECH_TRIALDECRYPT", UINT64T2NUM(SSL_OP_ECH_TRIALDECRYPT));
+#endif
+#ifdef SSL_OP_ECH_IGNORE_CID /* OpenSSL 4.0 */
+ rb_define_const(mSSL, "OP_ECH_IGNORE_CID", UINT64T2NUM(SSL_OP_ECH_IGNORE_CID));
 #endif
- rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
- rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
- rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
- rb_define_const(mSSL, "OP_NO_TLSv1_2", ULONG2NUM(SSL_OP_NO_TLSv1_2));
- rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
- rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
- rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
-#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1, missing in LibreSSL */
- rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
+#ifdef SSL_OP_ECH_GREASE_RETRY_CONFIG /* OpenSSL 4.0 */
+ rb_define_const(mSSL, "OP_ECH_GREASE_RETRY_CONFIG", UINT64T2NUM(SSL_OP_ECH_GREASE_RETRY_CONFIG));
 #endif
- rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
 
 /* SSL_OP_* flags for DTLS */
 #if 0
- rb_define_const(mSSL, "OP_NO_QUERY_MTU", ULONG2NUM(SSL_OP_NO_QUERY_MTU));
- rb_define_const(mSSL, "OP_COOKIE_EXCHANGE", ULONG2NUM(SSL_OP_COOKIE_EXCHANGE));
- rb_define_const(mSSL, "OP_CISCO_ANYCONNECT", ULONG2NUM(SSL_OP_CISCO_ANYCONNECT));
+ rb_define_const(mSSL, "OP_NO_QUERY_MTU", UINT64T2NUM(SSL_OP_NO_QUERY_MTU));
+ rb_define_const(mSSL, "OP_COOKIE_EXCHANGE", UINT64T2NUM(SSL_OP_COOKIE_EXCHANGE));
+ rb_define_const(mSSL, "OP_CISCO_ANYCONNECT", UINT64T2NUM(SSL_OP_CISCO_ANYCONNECT));
 #endif
 
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_MICROSOFT_SESS_ID_BUG", ULONG2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG));
+ rb_define_const(mSSL, "OP_MICROSOFT_SESS_ID_BUG", UINT64T2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_NETSCAPE_CHALLENGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG));
+ rb_define_const(mSSL, "OP_NETSCAPE_CHALLENGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG));
 /* Deprecated in OpenSSL 0.9.8q and 1.0.0c. */
- rb_define_const(mSSL, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG));
+ rb_define_const(mSSL, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG));
 /* Deprecated in OpenSSL 1.0.1h and 1.0.2. */
- rb_define_const(mSSL, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", ULONG2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG));
+ rb_define_const(mSSL, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", UINT64T2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_MICROSOFT_BIG_SSLV3_BUFFER", ULONG2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER));
+ rb_define_const(mSSL, "OP_MICROSOFT_BIG_SSLV3_BUFFER", UINT64T2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER));
 /* Deprecated in OpenSSL 0.9.7h and 0.9.8b. */
- rb_define_const(mSSL, "OP_MSIE_SSLV2_RSA_PADDING", ULONG2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING));
+ rb_define_const(mSSL, "OP_MSIE_SSLV2_RSA_PADDING", UINT64T2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_SSLEAY_080_CLIENT_DH_BUG", ULONG2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG));
+ rb_define_const(mSSL, "OP_SSLEAY_080_CLIENT_DH_BUG", UINT64T2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_TLS_D5_BUG", ULONG2NUM(SSL_OP_TLS_D5_BUG));
+ rb_define_const(mSSL, "OP_TLS_D5_BUG", UINT64T2NUM(SSL_OP_TLS_D5_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_TLS_BLOCK_PADDING_BUG", ULONG2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG));
+ rb_define_const(mSSL, "OP_TLS_BLOCK_PADDING_BUG", UINT64T2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_SINGLE_ECDH_USE", ULONG2NUM(SSL_OP_SINGLE_ECDH_USE));
+ rb_define_const(mSSL, "OP_SINGLE_ECDH_USE", UINT64T2NUM(SSL_OP_SINGLE_ECDH_USE));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_SINGLE_DH_USE", ULONG2NUM(SSL_OP_SINGLE_DH_USE));
+ rb_define_const(mSSL, "OP_SINGLE_DH_USE", UINT64T2NUM(SSL_OP_SINGLE_DH_USE));
 /* Deprecated in OpenSSL 1.0.1k and 1.0.2. */
- rb_define_const(mSSL, "OP_EPHEMERAL_RSA", ULONG2NUM(SSL_OP_EPHEMERAL_RSA));
+ rb_define_const(mSSL, "OP_EPHEMERAL_RSA", UINT64T2NUM(SSL_OP_EPHEMERAL_RSA));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_NO_SSLv2", ULONG2NUM(SSL_OP_NO_SSLv2));
+ rb_define_const(mSSL, "OP_NO_SSLv2", UINT64T2NUM(SSL_OP_NO_SSLv2));
 /* Deprecated in OpenSSL 1.0.1. */
- rb_define_const(mSSL, "OP_PKCS1_CHECK_1", ULONG2NUM(SSL_OP_PKCS1_CHECK_1));
+ rb_define_const(mSSL, "OP_PKCS1_CHECK_1", UINT64T2NUM(SSL_OP_PKCS1_CHECK_1));
 /* Deprecated in OpenSSL 1.0.1. */
- rb_define_const(mSSL, "OP_PKCS1_CHECK_2", ULONG2NUM(SSL_OP_PKCS1_CHECK_2));
+ rb_define_const(mSSL, "OP_PKCS1_CHECK_2", UINT64T2NUM(SSL_OP_PKCS1_CHECK_2));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_NETSCAPE_CA_DN_BUG", ULONG2NUM(SSL_OP_NETSCAPE_CA_DN_BUG));
+ rb_define_const(mSSL, "OP_NETSCAPE_CA_DN_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_CA_DN_BUG));
 /* Deprecated in OpenSSL 1.1.0. */
- rb_define_const(mSSL, "OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG));
+ rb_define_const(mSSL, "OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG));
 
 /*
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index e4fd58107..914b80623 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -30,12 +30,24 @@ def test_ctx_options
 if ctx.options != 4
 pend "SSL_CTX_set_options() seems to be modified by distributor"
 end
+
+ # Unsetting options
+ ctx.options = 0
+ assert_equal(0, ctx.options)
+
+ # Option constants
+ all_ops = OpenSSL::SSL.constants
+ .grep(/^OP_/)
+ .map { |c| OpenSSL::SSL.const_get(c) }
+ all_ops.each { |op| assert_operator(op, :>=, 0) }
+ everything = all_ops.inject(&:|)
+ assert_operator(everything, :>, 0)
+ ctx.options = everything
+ assert_equal(everything, ctx.options)
+
+ # Backwards compatibility: nil means OP_ALL
 ctx.options = nil
 assert_equal OpenSSL::SSL::OP_ALL, ctx.options
-
- assert_equal true, ctx.setup
- assert_predicate ctx, :frozen?
- assert_equal nil, ctx.setup
 end
 
 def test_ctx_options_config
@@ -1255,21 +1267,6 @@ def test_connect_certificate_verify_failed_exception_message
 }
 end
 
- def test_unset_OP_ALL
- ctx_proc = Proc.new { |ctx|
- # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is
- # redundant because the default options already are equal to OP_ALL.
- # But it also degrades gracefully, so keep it
- ctx.options = OpenSSL::SSL::OP_ALL
- }
- start_server(ctx_proc: ctx_proc) { |port|
- server_connect(port) { |ssl|
- ssl.puts('hello')
- assert_equal("hello\n", ssl.gets)
- }
- }
- end
-
 def check_supported_protocol_versions
 possible_versions = [
 OpenSSL::SSL::SSL3_VERSION,
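Review bot: Every `rb_define_const(mSSL, "OP_*", UINT64T2NUM(SSL_OP_*))` in this block converts the flag through a plain `UINT64T2NUM`, while ossl_sslctx_get_options() in the earlier hunk picks `UINT64T2NUM((uint64_t)...)` or `UINT2NUM((uint32_t)...)` by OSSL_SIZEOF_SSL_OPTIONS_IS_8, so the constants and the getter now express the same bits through two different conversions. With the flag types this commit documents (a signed `long` on OpenSSL 1.0.2 and LibreSSL), a flag that ever came out negative would be sign-extended here and truncated in the getter, and `OpenSSL::SSL::OP_X == ctx.options` could stop holding; I do not see such a flag today, so this is a consistency point rather than a live defect. A width-selecting macro placed next to the getter and used by all of these definitions keeps both paths in lockstep and turns the remaining ULONG2NUM→UINT64T2NUM churn into a single-name change. Init_ossl_ssl() starts and ends outside the hunk; the `#if 0` DTLS block is dead code and would get the same substitution.

```c
/* Convert an SSL_OP_* flag to a Ruby Integer through the same width that
 * ossl_sslctx_get_options() uses, so constants and SSL_CTX#options agree. */
#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8
# define OSSL_SSL_OP2NUM(op) UINT64T2NUM((uint64_t)(op))
#else
# define OSSL_SSL_OP2NUM(op) UINT2NUM((uint32_t)(op))
#endif
/* … in Init_ossl_ssl(), each flag definition then reads: … */
    rb_define_const(mSSL, "OP_ALL", OSSL_SSL_OP2NUM(SSL_OP_ALL));
/* … unchanged: the remaining OP_* definitions, same substitution … */
```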
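Review bot: test_ctx_options drops the three assertions `assert_equal true, ctx.setup` / `assert_predicate ctx, :frozen?` / `assert_equal nil, ctx.setup` without moving them anywhere in this diff, and they are the only check visible here that a context is frozen after setup — the property ossl_sslctx_set_options() relies on through `rb_check_frozen(self)`. Unless that coverage lives in another test already, keep them, for instance as a separate test_ctx_setup_freezes, so the options rework does not silently lose it. The second hunk also removes test_unset_OP_ALL, the one test that performed a handshake with `ctx.options = OpenSSL::SSL::OP_ALL`; the new round-trip assertions check the getter and setter but never that the resulting context still connects, so a short handshake after `ctx.options = everything` or `OP_ALL` would restore that. The new `assert_equal(everything, ctx.options)` presumably assumes the library stores unknown option bits unmasked; if a distributor build masks them, the earlier `pend` will not catch this case, so a comment saying why the full-mask round trip is expected to hold would help the next person who sees it fail.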