15 files changed, 32 insertions, 287 deletions

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 7033b0e2..2d846132 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -47,30 +47,18 @@ unless result
   end
 end
 
-result = checking_for("OpenSSL version is 0.9.8 or later") {
-  try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h")
-}
-unless result
-  raise "OpenSSL 0.9.8 or later required."
-end
-
-unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h")
-  raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')"
+unless checking_for("OpenSSL version is 1.0.1 or later") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
+  raise "OpenSSL >= 1.0.1 or LibreSSL is required"
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
 
-# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols
-# exist even if compiled with no-ssl2 or no-ssl3-method.
-unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h")
-  have_func("SSLv2_method")
-end
-unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h")
-  have_func("SSLv3_method")
-end
-have_func("TLSv1_1_method")
-have_func("TLSv1_2_method")
+# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
+# like OPENSSL_NO_SSL2 may not be defined.
+have_func("SSLv2_method")
+have_func("SSLv3_method")
 have_func("RAND_egd")
 engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
              cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
@@ -78,30 +66,6 @@ engines.each { |name|
   OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
 }
 
-# added in 0.9.8X
-have_func("EVP_CIPHER_CTX_new")
-have_func("EVP_CIPHER_CTX_free")
-OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h")
-
-# added in 1.0.0
-have_func("ASN1_TIME_adj")
-have_func("EVP_CIPHER_CTX_copy")
-have_func("EVP_PKEY_base_id")
-have_func("HMAC_CTX_copy")
-have_func("PKCS5_PBKDF2_HMAC")
-have_func("X509_NAME_hash_old")
-have_func("X509_STORE_CTX_get0_current_crl")
-have_func("X509_STORE_set_verify_cb")
-have_func("i2d_ASN1_SET_ANY")
-have_func("SSL_SESSION_cmp") # removed
-OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h")
-have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h")
-have_func("EVP_PKEY_get0")
-
-# added in 1.0.1
-have_func("SSL_CTX_set_next_proto_select_cb")
-have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION")
-
 # added in 1.0.2
 have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 94ce85af..b36ef028 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -20,73 +20,6 @@
 
 #include "openssl_missing.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *
-ossl_EVP_CIPHER_CTX_new(void)
-{
-    EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX));
-    if (!ctx)
-	return NULL;
-    EVP_CIPHER_CTX_init(ctx);
-    return ctx;
-}
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void
-ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
-{
-    if (ctx) {
-	EVP_CIPHER_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
-    }
-}
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-/*
- * this function does not exist in OpenSSL yet... or ever?.
- * a future version may break this function.
- * tested on 0.9.7d.
- */
-int
-ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
-{
-    memcpy(out, in, sizeof(EVP_CIPHER_CTX));
-
-#if !defined(OPENSSL_NO_ENGINE)
-    if (in->engine) ENGINE_add(out->engine);
-    if (in->cipher_data) {
-	out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
-	memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
-    }
-#endif
-
-    return 1;
-}
-#endif
-
-#if !defined(OPENSSL_NO_HMAC)
-#if !defined(HAVE_HMAC_CTX_COPY)
-int
-ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
-{
-    if (!out || !in)
-	return 0;
-
-    memcpy(out, in, sizeof(HMAC_CTX));
-
-    EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx);
-    EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx);
-    EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx);
-
-    return 1;
-}
-#endif /* HAVE_HMAC_CTX_COPY */
-#endif /* NO_HMAC */
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 3d11aec2..cc31f6ac 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -12,53 +12,6 @@
 
 #include "ruby/config.h"
 
-/* added in 0.9.8X */
-#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
-EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void);
-#  define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
-void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free
-#endif
-
-#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS)
-#  define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op))
-#endif
-
-/* added in 1.0.0 */
-#if !defined(HAVE_EVP_PKEY_BASE_ID)
-#  define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
-#endif
-
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *);
-#  define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy
-#endif
-
-#if !defined(HAVE_HMAC_CTX_COPY)
-int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
-#  define HMAC_CTX_copy ossl_HMAC_CTX_copy
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
-#  define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
-#endif
-
-#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
-#  define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
-#endif
-
-#if !defined(HAVE_I2D_ASN1_SET_ANY)
-#  define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
-		i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
-#endif
-
-#if !defined(HAVE_EVP_PKEY_GET0)
-#  define EVP_PKEY_get0(pk) (pk->pkey.ptr)
-#endif
-
 /* added in 1.0.2 */
 #if !defined(OPENSSL_NO_EC)
 #if !defined(HAVE_EC_CURVE_NIST2NID)
@@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #undef IMPL_KEY_ACCESSOR3
 #endif /* HAVE_OPAQUE_OPENSSL */
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
+#if !defined(EVP_CTRL_AEAD_GET_TAG)
 #  define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
 #  define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
 #  define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index eb71b643..a4fa0e73 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -473,19 +473,11 @@ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int
     OPENSSL_free(l);
 }
 
-#ifdef HAVE_CRYPTO_THREADID_PTR
 static void ossl_threadid_func(CRYPTO_THREADID *id)
 {
     /* register native thread id */
     CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
 }
-#else
-static unsigned long ossl_thread_id(void)
-{
-    /* before OpenSSL 1.0, this is 'unsigned long' */
-    return (unsigned long)rb_nativethread_self();
-}
-#endif
 
 static void Init_ossl_locks(void)
 {
@@ -503,11 +495,7 @@ static void Init_ossl_locks(void)
 	rb_nativethread_lock_initialize(&ossl_locks[i]);
     }
 
-#ifdef HAVE_CRYPTO_THREADID_PTR
     CRYPTO_THREADID_set_callback(ossl_threadid_func);
-#else
-    CRYPTO_set_id_callback(ossl_thread_id);
-#endif
     CRYPTO_set_locking_callback(ossl_lock_callback);
     CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback);
     CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index 534796f5..1977fdd2 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -72,7 +72,6 @@ asn1time_to_time(const ASN1_TIME *time)
     return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
 }
 
-#if defined(HAVE_ASN1_TIME_ADJ)
 void
 ossl_time_split(VALUE time, time_t *sec, int *days)
 {
@@ -88,13 +87,6 @@ ossl_time_split(VALUE time, time_t *sec, int *days)
 	*sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400)));
     }
 }
-#else
-time_t
-time_to_time_t(VALUE time)
-{
-    return (time_t)NUM2TIMET(rb_Integer(time));
-}
-#endif
 
 /*
  * STRING conversion
@@ -269,15 +261,10 @@ obj_to_asn1utime(VALUE time)
     time_t sec;
     ASN1_UTCTIME *t;
 
-#if defined(HAVE_ASN1_TIME_ADJ)
     int off_days;
 
     ossl_time_split(time, &sec, &off_days);
     if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0)))
-#else
-    sec = time_to_time_t(time);
-    if (!(t = ASN1_UTCTIME_set(NULL, sec)))
-#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;
@@ -289,15 +276,10 @@ obj_to_asn1gtime(VALUE time)
     time_t sec;
     ASN1_GENERALIZEDTIME *t;
 
-#if defined(HAVE_ASN1_TIME_ADJ)
     int off_days;
 
     ossl_time_split(time, &sec, &off_days);
     if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0)))
-#else
-    sec = time_to_time_t(time);
-    if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec)))
-#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;
diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h
index d6a170c8..939a96ce 100644
--- a/ext/openssl/ossl_asn1.h
+++ b/ext/openssl/ossl_asn1.h
@@ -14,15 +14,11 @@
  * ASN1_DATE conversions
  */
 VALUE asn1time_to_time(const ASN1_TIME *);
-#if defined(HAVE_ASN1_TIME_ADJ)
 /* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
  * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
  * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because
  * they have the Year 2038 issue on sizeof(time_t) == 4 environment */
 void ossl_time_split(VALUE, time_t *, int *);
-#else
-time_t time_to_time_t(VALUE);
-#endif
 
 /*
  * ASN1_STRING conversions
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index 73b667b2..aed7fbb4 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -512,10 +512,8 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
     StringValue(iv);
     GetCipher(self, ctx);
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
-#endif
     if (!iv_len)
 	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
     if (RSTRING_LEN(iv) != iv_len)
@@ -541,14 +539,9 @@ ossl_cipher_is_authenticated(VALUE self)
 
     GetCipher(self, ctx);
 
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
-#else
-    return Qfalse;
-#endif
 }
 
-#ifdef HAVE_AUTHENTICATED_ENCRYPTION
 /*
  *  call-seq:
  *     cipher.auth_data = string -> string
@@ -722,13 +715,6 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
 
     return iv_length;
 }
-#else
-#define ossl_cipher_set_auth_data rb_f_notimplement
-#define ossl_cipher_get_auth_tag rb_f_notimplement
-#define ossl_cipher_set_auth_tag rb_f_notimplement
-#define ossl_cipher_set_auth_tag_len rb_f_notimplement
-#define ossl_cipher_set_iv_length rb_f_notimplement
-#endif
 
 /*
  *  call-seq:
@@ -806,10 +792,8 @@ ossl_cipher_iv_length(VALUE self)
     int len = 0;
 
     GetCipher(self, ctx);
-#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
     if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
-#endif
     if (!len)
 	len = EVP_CIPHER_CTX_iv_length(ctx);
 
diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c
index 47c5bfa3..7811c5fe 100644
--- a/ext/openssl/ossl_pkcs5.c
+++ b/ext/openssl/ossl_pkcs5.c
@@ -6,7 +6,6 @@
 VALUE mPKCS5;
 VALUE ePKCS5;
 
-#ifdef HAVE_PKCS5_PBKDF2_HMAC
 /*
  * call-seq:
  *    PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string
@@ -18,8 +17,6 @@ VALUE ePKCS5;
  * * +keylen+ - integer
  * * +digest+ - a string or OpenSSL::Digest object.
  *
- * Available in OpenSSL >= 1.0.0.
- *
  * Digests other than SHA1 may not be supported by other cryptography libraries.
  */
 static VALUE
@@ -43,10 +40,6 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
 
     return str;
 }
-#else
-#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement
-#endif
-
 
 /*
  * call-seq:
@@ -99,8 +92,7 @@ Init_ossl_pkcs5(void)
      * slowed down artificially in order to render possible attacks infeasible.
      *
      * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based
-     * HMAC, or an arbitrary Digest if the underlying version of OpenSSL
-     * already supports it (>= 1.0.0).
+     * HMAC, or an arbitrary Digest.
      *
      * === Parameters
      * ==== Password
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 6ab1b618..e161277d 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -92,7 +92,7 @@ pkey_new0(EVP_PKEY *pkey)
     case EVP_PKEY_DH:
 	return ossl_dh_new(pkey);
 #endif
-#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL)
+#if !defined(OPENSSL_NO_EC)
     case EVP_PKEY_EC:
 	return ossl_ec_new(pkey);
 #endif
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 85085419..b21abc42 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -627,12 +627,6 @@ Init_ossl_dsa(void)
      * DSA, the Digital Signature Algorithm, is specified in NIST's
      * FIPS 186-3. It is an asymmetric public key algorithm that may be used
      * similar to e.g. RSA.
-     * Please note that for OpenSSL versions prior to 1.0.0 the digest
-     * algorithms OpenSSL::Digest::DSS (equivalent to SHA) or
-     * OpenSSL::Digest::DSS1 (equivalent to SHA-1) must be used for issuing
-     * signatures with a DSA key using OpenSSL::PKey#sign.
-     * Starting with OpenSSL 1.0.0, digest algorithms are no longer restricted,
-     * any Digest may be used for signing.
      */
     cDSA = rb_define_class_under(mPKey, "DSA", cPKey);
 
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index fc3f034a..ce347516 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -4,7 +4,7 @@
 
 #include "ossl.h"
 
-#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL)
+#if !defined(OPENSSL_NO_EC)
 
 #define EXPORT_PEM 0
 #define EXPORT_DER 1
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index eef7dbec..ef948dc5 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -51,31 +51,33 @@ static ID id_i_io, id_i_context, id_i_hostname;
  */
 static const struct {
     const char *name;
-    SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */
+    const SSL_METHOD *(*func)(void);
     int version;
 } ossl_ssl_method_tab[] = {
 #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
 #define OSSL_SSL_METHOD_ENTRY(name, version) \
-    { #name,          (SSL_METHOD *(*)(void))TLS_method, version }, \
-    { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \
-    { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version }
+    { #name,          TLS_method, version }, \
+    { #name"_server", TLS_server_method, version }, \
+    { #name"_client", TLS_client_method, version }
 #else
 #define OSSL_SSL_METHOD_ENTRY(name, version) \
-    { #name,          (SSL_METHOD *(*)(void))name##_method, version }, \
-    { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
-    { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
+    { #name,          name##_method, version }, \
+    { #name"_server", name##_server_method, version }, \
+    { #name"_client", name##_client_method, version }
 #endif
-#if defined(HAVE_SSLV2_METHOD)
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
 #endif
-#if defined(HAVE_SSLV3_METHOD)
+#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
 #endif
+#if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
-#if defined(HAVE_TLSV1_1_METHOD)
+#endif
+#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
 #endif
-#if defined(HAVE_TLSV1_2_METHOD)
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
 #endif
     OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
@@ -109,14 +111,12 @@ static VALUE
 ossl_sslctx_s_alloc(VALUE klass)
 {
     SSL_CTX *ctx;
-    long mode = SSL_MODE_ENABLE_PARTIAL_WRITE |
-	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+    long mode = 0 |
+	SSL_MODE_ENABLE_PARTIAL_WRITE |
+	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+	SSL_MODE_RELEASE_BUFFERS;
     VALUE obj;
 
-#ifdef SSL_MODE_RELEASE_BUFFERS
-    mode |= SSL_MODE_RELEASE_BUFFERS;
-#endif
-
     obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0);
     ctx = SSL_CTX_new(SSLv23_method());
     if (!ctx) {
@@ -168,7 +168,7 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
 #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
 	    int version = ossl_ssl_method_tab[i].version;
 #endif
-	    SSL_METHOD *method = ossl_ssl_method_tab[i].func();
+	    const SSL_METHOD *method = ossl_ssl_method_tab[i].func();
 
 	    if (SSL_CTX_set_ssl_version(ctx, method) != 1)
 		ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
@@ -514,7 +514,6 @@ ossl_sslctx_add_extra_chain_cert_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, arg))
 
 static VALUE ossl_sslctx_setup(VALUE self);
 
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
 static VALUE
 ossl_call_servername_cb(VALUE ary)
 {
@@ -571,7 +570,6 @@ ssl_servername_cb(SSL *ssl, int *ad, void *arg)
 
     return SSL_TLSEXT_ERR_OK;
 }
-#endif
 
 static void
 ssl_renegotiation_cb(const SSL *ssl)
@@ -944,13 +942,11 @@ ossl_sslctx_setup(VALUE self)
 	OSSL_Debug("SSL SESSION remove callback added");
     }
 
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
     val = rb_attr_get(self, id_i_servername_cb);
     if (!NIL_P(val)) {
         SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
 	OSSL_Debug("SSL TLSEXT servername callback added");
     }
-#endif
 
     return Qtrue;
 }
@@ -2092,7 +2088,6 @@ ossl_ssl_set_session(VALUE self, VALUE arg1)
     return arg1;
 }
 
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
 /*
  * call-seq:
  *    ssl.hostname = hostname -> hostname
@@ -2119,7 +2114,6 @@ ossl_ssl_set_hostname(VALUE self, VALUE arg)
 
     return arg;
 }
-#endif
 
 /*
  * call-seq:
@@ -2437,11 +2431,7 @@ Init_ossl_ssl(void)
      */
     rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
 
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
     rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue);
-#else
-    rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qfalse);
-#endif
 
 #ifdef TLS_DH_anon_WITH_AES_256_GCM_SHA384
     rb_define_const(mSSLExtConfig, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", Qtrue);
@@ -2646,10 +2636,8 @@ Init_ossl_ssl(void)
     rb_define_method(cSSLSocket, "session=",    ossl_ssl_set_session, 1);
     rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0);
     rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0);
-#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
     /* #hostname is defined in lib/openssl/ssl.rb */
     rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
-#endif
 # ifdef HAVE_SSL_GET_SERVER_TMP_KEY
     rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0);
 # endif
@@ -2691,18 +2679,10 @@ Init_ossl_ssl(void)
     ossl_ssl_def_const(OP_NO_SSLv2);
     ossl_ssl_def_const(OP_NO_SSLv3);
     ossl_ssl_def_const(OP_NO_TLSv1);
-#if defined(SSL_OP_NO_TLSv1_1)
     ossl_ssl_def_const(OP_NO_TLSv1_1);
-#endif
-#if defined(SSL_OP_NO_TLSv1_2)
     ossl_ssl_def_const(OP_NO_TLSv1_2);
-#endif
-#if defined(SSL_OP_NO_TICKET)
     ossl_ssl_def_const(OP_NO_TICKET);
-#endif
-#if defined(SSL_OP_NO_COMPRESSION)
     ossl_ssl_def_const(OP_NO_COMPRESSION);
-#endif
     ossl_ssl_def_const(OP_PKCS1_CHECK_1);
     ossl_ssl_def_const(OP_PKCS1_CHECK_2);
     ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG);
diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
index 1b602a6c..fefbf28b 100644
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@@ -93,8 +93,8 @@ ossl_ssl_session_initialize_copy(VALUE self, VALUE other)
     return self;
 }
 
-#if !defined(HAVE_SSL_SESSION_CMP)
-int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
+static int
+ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
 {
     unsigned int a_len;
     const unsigned char *a_sid = SSL_SESSION_get_id(a, &a_len);
@@ -108,8 +108,6 @@ int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
 
     return CRYPTO_memcmp(a_sid, b_sid, a_len);
 }
-#define SSL_SESSION_cmp(a, b) ossl_SSL_SESSION_cmp(a, b)
-#endif
 
 /*
  * call-seq:
@@ -124,7 +122,7 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
 	GetSSLSession(val1, ctx1);
 	SafeGetSSLSession(val2, ctx2);
 
-	switch (SSL_SESSION_cmp(ctx1, ctx2)) {
+	switch (ossl_SSL_SESSION_cmp(ctx1, ctx2)) {
 	case 0:		return Qtrue;
 	default:	return Qfalse;
 	}
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index 19ec274a..8a061b06 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -20,15 +20,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
 {
     time_t sec;
 
-#if defined(HAVE_ASN1_TIME_ADJ)
     int off_days;
 
     ossl_time_split(time, &sec, &off_days);
     return X509_time_adj_ex(s, off_days, 0, &sec);
-#else
-    sec = time_to_time_t(time);
-    return X509_time_adj(s, 0, &sec);
-#endif
 }
 
 void
@@ -112,21 +107,15 @@ Init_ossl_x509(void)
     DefX509Const(V_FLAG_INHIBIT_MAP);
     /* Set by Store#flags= and StoreContext#flags=. */
     DefX509Const(V_FLAG_NOTIFY_POLICY);
-#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT)
     /* Set by Store#flags= and StoreContext#flags=. Enables some additional
      * features including support for indirect signed CRLs. */
     DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
-#endif
-#if defined(X509_V_FLAG_USE_DELTAS)
     /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
      * specified, deltas are ignored. */
     DefX509Const(V_FLAG_USE_DELTAS);
-#endif
-#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE)
     /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
      * signature of the root self-signed CA. */
     DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
-#endif
 #if defined(X509_V_FLAG_TRUSTED_FIRST)
     /* Set by Store#flags= and StoreContext#flags=. When constructing a
      * certificate chain, search the Store first for the issuer certificate.
@@ -161,10 +150,8 @@ Init_ossl_x509(void)
     DefX509Const(PURPOSE_ANY);
     /* Set by Store#purpose=. OCSP helper. */
     DefX509Const(PURPOSE_OCSP_HELPER);
-#if defined(X509_PURPOSE_TIMESTAMP_SIGN)
     /* Set by Store#purpose=. Time stamps signer. */
     DefX509Const(PURPOSE_TIMESTAMP_SIGN);
-#endif
 
     DefX509Const(TRUST_COMPAT);
     DefX509Const(TRUST_SSL_CLIENT);
@@ -173,9 +160,7 @@ Init_ossl_x509(void)
     DefX509Const(TRUST_OBJECT_SIGN);
     DefX509Const(TRUST_OCSP_SIGN);
     DefX509Const(TRUST_OCSP_REQUEST);
-#if defined(X509_TRUST_TSA)
     DefX509Const(TRUST_TSA);
-#endif
 
     DefX509Default(CERT_AREA, cert_area);
     DefX509Default(CERT_DIR, cert_dir);
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 4523e0d7..56816bdc 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -398,7 +398,6 @@ ossl_x509name_hash(VALUE self)
     return ULONG2NUM(hash);
 }
 
-#ifdef HAVE_X509_NAME_HASH_OLD
 /*
  * call-seq:
  *    name.hash_old => integer
@@ -417,7 +416,6 @@ ossl_x509name_hash_old(VALUE self)
 
     return ULONG2NUM(hash);
 }
-#endif
 
 /*
  * call-seq:
@@ -486,9 +484,7 @@ Init_ossl_x509name(void)
     rb_define_alias(cX509Name, "<=>", "cmp");
     rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1);
     rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0);
-#ifdef HAVE_X509_NAME_HASH_OLD
     rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0);
-#endif
     rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0);
 
     utf8str = INT2NUM(V_ASN1_UTF8STRING);