bump openssl requirement to 1.1.1

Summary: OpenSSL v1.1.0 was released in 2016 and v1.1.1 in 2018. It is reasonable to bump.

Reviewed By: skrueger

Differential Revision: D60099611

fbshipit-source-id: 2bbe8817adb00deb4995107235c8973268bcc71d

folly/io/async/AsyncSSLSocket.cpp

@@ -1284,13 +1284,9 @@ void AsyncSSLSocket::handleAccept() noexcept {
 }
 
 const char* AsyncSSLSocket::getNegotiatedGroup() const {
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
   auto nid = SSL_get_shared_group(const_cast<SSL*>(this->getSSL()), 0);
   const char* longname = OBJ_nid2ln((int)nid);
   return longname;
-#else
-  return nullptr;
-#endif
 }
 
 void AsyncSSLSocket::handleReturnFromSSLAccept(int ret) {

folly/io/async/SSLContext.cpp

@@ -62,11 +62,9 @@ void configureProtocolVersion(SSL_CTX* ctx, SSLContext::SSLVersion version) {
     case SSLContext::SSLVersion::TLSv1_2:
       minVersion = TLS1_2_VERSION;
       break;
-#if FOLLY_OPENSSL_HAS_TLS13
     case SSLContext::SSLVersion::TLSv1_3:
       minVersion = TLS1_3_VERSION;
       break;
-#endif
     case SSLContext::SSLVersion::SSLv2:
     default:
       // do nothing
@@ -153,14 +151,12 @@ void SSLContext::setSupportedGroups(const std::vector<std::string>& groups) {
   if (groups.empty()) {
     return;
   }
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
   std::string groupsList;
   join(":", groups, groupsList);
   int rc = SSL_CTX_set1_groups_list(ctx_, groupsList.c_str());
   if (rc == 0) {
     throw std::runtime_error("SSL_CTX_set1_curves " + getErrors());
   }
-#endif
 }
 
 void SSLContext::setServerECCurve(const std::string& curveName) {
@@ -865,7 +861,6 @@ void SSLContext::setSessionLifecycleCallbacks(
   sessionLifecycleCallbacks_ = std::move(cb);
 }
 
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
 void SSLContext::setCiphersuitesOrThrow(const std::string& ciphersuites) {
   auto rc = SSL_CTX_set_ciphersuites(ctx_, ciphersuites.c_str());
   if (rc == 0) {
@@ -881,7 +876,6 @@ void SSLContext::setAllowNoDheKex(bool flag) {
     SSL_CTX_clear_options(ctx_, opt);
   }
 }
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
 
 void SSLContext::setTicketHandler(
     std::unique_ptr<OpenSSLTicketHandler> handler) {

folly/io/async/SSLContext.h

@@ -75,9 +75,7 @@ class SSLContext {
     SSLv3,
     TLSv1, // support TLS 1.0+
     TLSv1_2, // support for only TLS 1.2+
-#if FOLLY_OPENSSL_HAS_TLS13
     TLSv1_3,
-#endif
   };
 
   /**
@@ -646,7 +644,6 @@ class SSLContext {
   void setSessionLifecycleCallbacks(
       std::unique_ptr<SessionLifecycleCallbacks> cb);
 
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
   /**
    * Set the TLS 1.3 ciphersuites to be used in the SSL handshake, in
    * order of preference.
@@ -660,7 +657,6 @@ class SSLContext {
    * mode gives up forward secrecy on the resumed session.
    */
   void setAllowNoDheKex(bool flag);
-#endif
 
  protected:
   SSL_CTX* ctx_;

folly/io/async/SSLOptions.h

@@ -69,22 +69,16 @@ struct SSLOptionsCompatibility {
    */
   static constexpr auto sigalgs() {
     return folly::make_array(
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha512",
         "rsa_pss_rsae_sha512",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA512",
         "ECDSA+SHA512",
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha384",
         "rsa_pss_rsae_sha384",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA384",
         "ECDSA+SHA384",
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha256",
         "rsa_pss_rsae_sha256",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA256",
         "ECDSA+SHA256",
         "RSA+SHA1",
@@ -171,22 +165,16 @@ struct SSLOptions2021 {
 
   static constexpr auto sigalgs() {
     return folly::make_array(
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha512",
         "rsa_pss_rsae_sha512",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA512",
         "ECDSA+SHA512",
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha384",
         "rsa_pss_rsae_sha384",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA384",
         "ECDSA+SHA384",
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "rsa_pss_pss_sha256",
         "rsa_pss_rsae_sha256",
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
         "RSA+SHA256",
         "ECDSA+SHA256");
   }
@@ -203,11 +191,9 @@ using SSLServerOptions = SSLOptions2021;
 template <typename TSSLOptions>
 void setCipherSuites(SSLContext& ctx) {
   try {
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
     std::string ciphersuites;
     folly::join(':', TSSLOptions::ciphersuites(), ciphersuites);
     ctx.setCiphersuitesOrThrow(std::move(ciphersuites));
-#endif
     ctx.setCipherList(TSSLOptions::ciphers());
   } catch (std::runtime_error const& e) {
     ssl_options_detail::logDfatal(e);

folly/io/async/test/AsyncSSLSocketTest.cpp

@@ -3194,7 +3194,6 @@ TEST(AsyncSSLSocketTest, TestNullConnectCallbackError) {
   EXPECT_FALSE(server.handshakeSuccess_);
 }
 
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
 TEST(AsyncSSLSocketTest, TestSSLSetClientOptionsP256) {
   EventBase evb;
   std::array<NetworkSocket, 2> fds;
@@ -3262,7 +3261,6 @@ TEST(AsyncSSLSocketTest, TestSSLSetClientOptionsX25519) {
   auto sharedGroupName = serverSocket->getNegotiatedGroup();
   EXPECT_THAT(sharedGroupName, testing::HasSubstr("X25519"));
 }
-#endif
 
 /**
  * Test overriding the flags passed to "sendmsg()" system call,

folly/io/async/test/SSLContextRegressionTest.cpp

@@ -25,9 +25,6 @@ using namespace folly::test;
  * This test is meant to verify that SSLContext correctly sets its minimum
  * protocol version and is not blocked by OpenSSL's default config.
  */
-// need OpenSSL version 1.1.1 for the SSL_CTX_get_min_proto_version function
-// should reduce this prereq's scope if new tests are added that don't need it
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
 
 /*
  * The default OpenSSL config file contents for version OpenSSL 1.1.1c FIPS  28
@@ -58,4 +55,3 @@ TEST_F(SSLContextRegressionTest, IsNotAffectedBySystemEnvironment) {
   auto ctx = std::make_shared<SSLContext>(SSLContext::SSLVersion::TLSv1);
   ASSERT_EQ(SSL_CTX_get_min_proto_version(ctx->getSSLCtx()), TLS1_VERSION);
 }
-#endif

folly/io/async/test/SSLContextTest.cpp

@@ -283,7 +283,6 @@ TEST_F(SSLContextTest, TestInvalidSigAlgThrows) {
   }
 }
 
-#if FOLLY_OPENSSL_PREREQ(1, 1, 1)
 TEST_F(SSLContextTest, TestSetCiphersuites) {
   std::vector<std::string> ciphersuitesList{
       "TLS_AES_128_CCM_SHA256",
@@ -301,15 +300,12 @@ TEST_F(SSLContextTest, TestSetInvalidCiphersuite) {
       ctx.setCiphersuitesOrThrow("ECDHE-ECDSA-AES256-GCM-SHA384"),
       std::runtime_error);
 }
-#endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
 
-#if FOLLY_OPENSSL_HAS_TLS13
 TEST_F(SSLContextTest, TestTLS13MinVersion) {
   SSLContext sslContext{SSLContext::SSLVersion::TLSv1_3};
   int minProtoVersion = SSL_CTX_get_min_proto_version(sslContext.getSSLCtx());
   EXPECT_EQ(minProtoVersion, TLS1_3_VERSION);
 }
-#endif
 
 TEST_F(SSLContextTest, AdvertisedNextProtocols) {
   EXPECT_EQ(ctx.getAdvertisedNextProtocols(), "");

folly/portability/OpenSSL.h

@@ -58,8 +58,8 @@
 #include <openssl/ocsp.h>
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#error openssl < 1.1.0
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+#error openssl < 1.1.1
 #endif
 
 // BoringSSL doesn't have notion of versioning although it defines
@@ -87,14 +87,6 @@
   (OPENSSL_VERSION_NUMBER >= FOLLY_OPENSSL_CALCULATE_VERSION(major, minor, fix))
 #endif
 
-/**
- * OpenSSL 1.1.1 specific checks.
- */
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-
-// TLS 1.3 was introduced in OpenSSL 1.1.1
-#define FOLLY_OPENSSL_HAS_TLS13 1
-
 // OpenSSL 1.1.1 introduced several new ciphers and digests. Unless they are
 // explicitly compiled out, they are assumed to be present
 #if !defined(OPENSSL_NO_BLAKE2)
@@ -103,11 +95,6 @@
 #define FOLLY_OPENSSL_HAS_BLAKE2B 0
 #endif
 
-#else
-#define FOLLY_OPENSSL_HAS_TLS13 0
-#define FOLLY_OPENSSL_HAS_BLAKE2B 0
-#endif
-
 #if !defined(OPENSSL_NO_CHACHA) || !defined(OPENSSL_NO_POLY1305)
 #define FOLLY_OPENSSL_HAS_CHACHA 1
 #else