authorKazuki Yamaguchi <k@rhe.jp>2017-08-13 23:26:12 +0900
committerKazuki Yamaguchi <k@rhe.jp>2017-08-24 21:01:09 +0900
commit9e2b5dc78a4e123425b4ff5eb30e64dd37ad9fb8 (patch)
treee7c57192e8a94b47dca11cf95b01454cd8889d62
parent8fea1ed5ede36a5b7269698a0718b186fb101fbf (diff)
downloadruby-openssl-9e2b5dc78a4e123425b4ff5eb30e64dd37ad9fb8.tar.gz
test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
Add methods that check whether the running OpenSSL is an OpenSSL or a LibreSSL, and optionally check whether the version is newer or equal to the given version number.
-rw-r--r--test/test_digest.rb65
-rw-r--r--test/test_ocsp.rb2
-rw-r--r--test/test_pkey_dsa.rb2
-rw-r--r--test/test_ssl.rb7
-rw-r--r--test/test_ssl_session.rb2
-rw-r--r--test/test_x509name.rb1
-rw-r--r--test/test_x509store.rb16
-rw-r--r--test/utils.rb13
8 files changed, 49 insertions, 59 deletions
diff --git a/test/test_digest.rb b/test/test_digest.rb
index 9891d99a..c8817395 100644
--- a/test/test_digest.rb
+++ b/test/test_digest.rb
@@ -54,13 +54,10 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
end
def test_digest_constants
- algs = %w(MD4 MD5 RIPEMD160 SHA1)
- if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000
+ algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512)
+ if !libressl? && !openssl?(1, 1, 0)
algs += %w(DSS1 SHA)
end
- if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
- algs += %w(SHA224 SHA256 SHA384 SHA512)
- end
algs.each do |alg|
assert_not_nil(OpenSSL::Digest.new(alg))
klass = OpenSSL::Digest.const_get(alg)
@@ -73,34 +70,32 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
check_digest(OpenSSL::ASN1::ObjectId.new("SHA1"))
end
- if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
- def encode16(str)
- str.unpack("H*").first
- end
+ def encode16(str)
+ str.unpack("H*").first
+ end
- def test_098_features
- sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5"
- sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"
- sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31"
- sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75"
-
- assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a"))
- assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a"))
- assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a"))
- assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a"))
-
- assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a")))
- assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a")))
- assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a")))
- assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a")))
- end
+ def test_sha2
+ sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5"
+ sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"
+ sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31"
+ sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75"
+
+ assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a"))
+ assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a"))
+ assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a"))
+ assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a"))
+
+ assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a")))
+ assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a")))
+ assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a")))
+ assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a")))
+ end
- def test_digest_by_oid_and_name_sha2
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA224"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA256"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA384"))
- check_digest(OpenSSL::ASN1::ObjectId.new("SHA512"))
- end
+ def test_digest_by_oid_and_name_sha2
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA224"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA256"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA384"))
+ check_digest(OpenSSL::ASN1::ObjectId.new("SHA512"))
end
def test_openssl_digest
@@ -121,14 +116,6 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
d = OpenSSL::Digest.new(oid.oid)
assert_not_nil(d)
end
-
- def libressl?
- OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
- end
-
- def version_since(verary)
- (OpenSSL::OPENSSL_LIBRARY_VERSION.scan(/\d+/).map(&:to_i) <=> verary) != -1
- end
end
end
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
index 865bb523..0440634a 100644
--- a/test/test_ocsp.rb
+++ b/test/test_ocsp.rb
@@ -122,7 +122,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal true, req.verify([@cert], store, OpenSSL::OCSP::NOINTERN)
ret = req.verify([@cert], store)
- if ret || OpenSSL::OPENSSL_VERSION =~ /OpenSSL/ && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
+ if ret || openssl?(1, 0, 2) || libressl?(2, 4, 2)
assert_equal true, ret
else
# RT2560; OCSP_request_verify() does not find signer cert from 'certs' when
diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb
index 3fb4dc4c..474f2388 100644
--- a/test/test_pkey_dsa.rb
+++ b/test/test_pkey_dsa.rb
@@ -41,7 +41,7 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase
assert_equal true, dsa512.verify(OpenSSL::Digest::DSS1.new, signature, data)
end
- return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000
+ return unless openssl?(1, 0, 0)
signature = dsa512.sign("SHA1", data)
assert_equal true, dsa512.verify("SHA1", signature, data)
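Review bot: `return unless openssl?(1, 0, 0)` now also returns early on LibreSSL, because `openssl?` in test/utils.rb answers false for every LibreSSL build, so the `dsa512.sign("SHA1", data)` checks below it are no longer exercised there. The old numeric comparison presumably let LibreSSL through, since LibreSSL reports a version number well above 1.0.0. If dropping that coverage is not intended, `return unless openssl?(1, 0, 0) || libressl?` keeps it. The bare `return` also records the test as passed rather than skipped, which hides the gap in reports. The enclosing test method starts and ends outside this hunk.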
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 3917793e..872dd226 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -839,7 +839,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) && OpenSSL::SSL::SSLCont
ctx.ssl_version = :TLSv1_2_client
server_connect(port, ctx) { |ssl| assert_equal("TLSv1.2", ssl.ssl_version) }
}
- end if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000
+ end
def test_forbid_tls_v1_1_for_client
ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 }
@@ -888,7 +888,7 @@ end
}
end
-if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
+if openssl?(1, 0, 2) || libressl?
def test_alpn_protocol_selection_ary
advertised = ["http/1.1", "spdy/2"]
ctx_proc = Proc.new { |ctx|
@@ -1216,8 +1216,7 @@ end
end
}
- if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 &&
- !OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
+ if openssl?(1, 0, 2) || libressl?(2, 5, 1)
ctx = OpenSSL::SSL::SSLContext.new
ctx.ecdh_curves = "P-256"
diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb
index d4a8941b..aadbc3b7 100644
--- a/test/test_ssl_session.rb
+++ b/test/test_ssl_session.rb
@@ -150,7 +150,7 @@ __EOS__
def test_session_exts_read
assert(OpenSSL::SSL::Session.new(DUMMY_SESSION))
- end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf
+ end
def test_client_session
last_session = nil
diff --git a/test/test_x509name.rb b/test/test_x509name.rb
index 60e8ddb8..c1dacf4f 100644
--- a/test/test_x509name.rb
+++ b/test/test_x509name.rb
@@ -306,7 +306,6 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
end
def test_add_entry_street
- return if OpenSSL::OPENSSL_VERSION_NUMBER < 0x009080df # 0.9.8m
# openssl/crypto/objects/obj_mac.h 1.83
dn = [
["DC", "org"],
diff --git a/test/test_x509store.rb b/test/test_x509store.rb
index 983437e7..b40534c6 100644
--- a/test/test_x509store.rb
+++ b/test/test_x509store.rb
@@ -209,7 +209,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
end
def test_set_errors
- return if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000
+ return if openssl?(1, 1, 0) || libressl?
now = Time.now
ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil)
store = OpenSSL::X509::Store.new
@@ -225,17 +225,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [],
ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
store.add_crl(crl1)
- if /0\.9\.8.*-rhel/ =~ OpenSSL::OPENSSL_VERSION
- # RedHat is distributing a patched version of OpenSSL that allows
- # multiple CRL for a key (multi-crl.patch)
- assert_nothing_raised do
- store.add_crl(crl2) # add CRL issued by same CA twice.
- end
- else
- assert_raise(OpenSSL::X509::StoreError){
- store.add_crl(crl2) # add CRL issued by same CA twice.
- }
- end
+ assert_raise(OpenSSL::X509::StoreError){
+ store.add_crl(crl2) # add CRL issued by same CA twice.
+ }
end
def test_dup
diff --git a/test/utils.rb b/test/utils.rb
index 6d551164..b6cca79e 100644
--- a/test/utils.rb
+++ b/test/utils.rb
@@ -122,6 +122,19 @@ module OpenSSL::TestUtils
pkvalue = publickey.value
OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase
end
+
+ def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
+ return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
+ return true unless major
+ OpenSSL::OPENSSL_VERSION_NUMBER >=
+ major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
+ end
+
+ def libressl?(major = nil, minor = nil, fix = nil)
+ version = OpenSSL::OPENSSL_VERSION.scan(/LibreSSL (\d+)\.(\d+)\.(\d+).*/)[0]
+ return false unless version
+ !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
+ end
end
class OpenSSL::TestCase < Test::Unit::TestCase
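Review bot: `openssl?` and `libressl?` can raise instead of answering when given a partial version, because `minor` and `fix` default to nil: `openssl?(1)` reaches `nil * 0x100000`, and `libressl?(2, 5)` compares against `[2, 5, nil]`, where `<=>` yields nil once the leading components are equal. Defaulting them to zero keeps every call in this commit working: `def openssl?(major = nil, minor = 0, fix = 0, patch = 0)` and `def libressl?(major = nil, minor = 0, fix = 0)`. Both helpers also read `OpenSSL::OPENSSL_VERSION` and `OPENSSL_VERSION_NUMBER`, which as far as I know describe the headers the extension was built against, while the removed `version_since` helper used `OPENSSL_LIBRARY_VERSION`. If the loaded library differs from the build headers, the guards can pick the wrong branch, so a short comment above each method saying which version is meant would help.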