ruby.git/ext/openssl/ossl.c, branch v4.0.4 The Ruby Programming Language [ruby/openssl] ossl.c: improve docs for constants and methods under ::OpenSSL 2025-12-15T09:09:49+00:00 Kazuki Yamaguchi k@rhe.jp 2025-04-08T19:01:58+00:00 f06eb75646e7a8d17d9c41988207a2a29a3b006c https://github.com/ruby/openssl/commit/b0de8ba9bd 
https://github.com/ruby/openssl/commit/b0de8ba9bd
[ruby/openssl] Freeze more constants for Ractor compatibility 2025-12-15T09:09:49+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-14T10:55:28+00:00 ee6ba41bfdc82110468598467cd10ce850b44f0c https://github.com/ruby/openssl/commit/695126f582 
https://github.com/ruby/openssl/commit/695126f582
[ruby/openssl] ossl.c: implement OpenSSL::OpenSSLError#detailed_message 2025-12-13T16:57:53+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-04T14:15:57+00:00 e8d32dddc04b34e2454b1c37b271bc242dddb06e An OpenSSL function sometimes puts more than one error entry into the thread-local OpenSSL error queue. Currently, we use the highest-level entry for generating the exception message and discard the rest. Let ossl_make_error() capture all current OpenSSL error queue contents into OpenSSL::OpenSSLError#errors and extend OpenSSL::OpenSSLError#detailed_message to include the information. An example: $ ruby -Ilib -ropenssl -e'OpenSSL::X509::ExtensionFactory.new.create_ext("a", "b")' -e:1:in 'OpenSSL::X509::ExtensionFactory#create_ext': a = b: error in extension (name=a, value=b) (OpenSSL::X509::ExtensionError) OpenSSL error queue reported 2 errors: error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension (name=a, value=b) from -e:1:in '<main>' https://github.com/ruby/openssl/commit/d28f7a9a13 
An OpenSSL function sometimes puts more than one error entry into the
thread-local OpenSSL error queue. Currently, we use the highest-level
entry for generating the exception message and discard the rest.

Let ossl_make_error() capture all current OpenSSL error queue contents
into OpenSSL::OpenSSLError#errors and extend
OpenSSL::OpenSSLError#detailed_message to include the information.

An example:

    $ ruby -Ilib -ropenssl -e'OpenSSL::X509::ExtensionFactory.new.create_ext("a", "b")'
    -e:1:in 'OpenSSL::X509::ExtensionFactory#create_ext': a = b: error in extension (name=a, value=b) (OpenSSL::X509::ExtensionError)
    OpenSSL error queue reported 2 errors:
    error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name
    error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension (name=a, value=b)
            from -e:1:in '<main>'

https://github.com/ruby/openssl/commit/d28f7a9a13
[ruby/openssl] const correct ossl_bin2hex() 2025-12-06T16:50:16+00:00 Theo Buehler tb@openbsd.org 2025-12-05T12:14:45+00:00 9dfb7bd7d44ac99bc4d7233cef00e0e6e0743905 This helper only reads from its in parameter. Making that const avoids a couple of casts in an upcoming change. https://github.com/ruby/openssl/commit/970d5764e3 
This helper only reads from its in parameter. Making that const
avoids a couple of casts in an upcoming change.

https://github.com/ruby/openssl/commit/970d5764e3
[ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] ossl.c: avoid using sk_*() functions with NULL 2025-02-11T16:42:25+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-06T17:14:46+00:00 8888ad6902b0bb12bab0a1d16389e30f4916f413 Always use explicit NULL checks before interacting with STACK_OF(*). Even though most OpenSSL functions named sk_*() do not crash if we pass NULL as the receiver object, depending on this behavior would be a bad idea. Checks for a negative number return from sk_*_num() are removed. This can only happen when the stack is NULL. ossl_*_sk2ary() must no longer be called with NULL. https://github.com/ruby/openssl/commit/84cffd4f77 
Always use explicit NULL checks before interacting with STACK_OF(*).
Even though most OpenSSL functions named sk_*() do not crash if we pass
NULL as the receiver object, depending on this behavior would be a bad
idea.

Checks for a negative number return from sk_*_num() are removed. This
can only happen when the stack is NULL.

ossl_*_sk2ary() must no longer be called with NULL.

https://github.com/ruby/openssl/commit/84cffd4f77
[ruby/openssl] Add build support for AWS-LC 2025-02-11T15:35:03+00:00 Samuel Chiang sachiang@amazon.com 2025-01-24T02:16:14+00:00 06faf28558c2f1925f37dd78ff61ba1bef6e894e CI Changes 1. I've split the original patch up to make it easier to digest, but that forces my hand to turn off testing in the AWS-LC CI for the time being. However, do let me know if you would prefer to review the test adjustments in the same PR and I can remove the temporary CI workaround. 2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations to alert the consuming application of these. I've leveraged the skip-warnings CI option so that the build doesn't fail. Build Adjustments 1. AWS-LC FIPS mode is decided at compile time. This is different from OpenSSL's togglable FIPS switch, so I've adjusted the build to account for this. 2. AWS-LC does not support for the two KEY_SIG or KEY_EX flags that were only ever supported by old MSIE. 3. AWS-LC has no current support for post handshake authentication in TLS 1.3. 4. EC_GROUP structures for named curves in AWS-LC are constant, static, and immutable by default. This means that the EC_GROUP_set_* functions are essentially no-ops due to the immutability of the structure. We've introduced a new API for consumers that depend on the OpenSSL's default mutability of the EC_GROUP structure called EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of functionality that's dependent on the mutability of these structures, I've made the corresponding adjustments to allow things to work as expected. https://github.com/ruby/openssl/commit/e53ec5a101 
CI Changes
1. I've split the original patch up to make it easier to digest, but
that forces my hand to turn off testing in the AWS-LC CI for the time
being. However, do let me know if you would prefer to review the test
adjustments in the same PR and I can remove the temporary CI workaround.
2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations
to alert the consuming application of these. I've leveraged the
skip-warnings CI option so that the build doesn't fail.

Build Adjustments
1. AWS-LC FIPS mode is decided at compile time. This is different from
OpenSSL's togglable FIPS switch, so I've adjusted the build to account
for this.
2. AWS-LC does not support for the two KEY_SIG or KEY_EX flags that were
only ever supported by old MSIE.
3. AWS-LC has no current support for post handshake authentication in
TLS 1.3.
4. EC_GROUP structures for named curves in AWS-LC are constant, static,
and immutable by default. This means that the EC_GROUP_set_* functions
are essentially no-ops due to the immutability of the structure. We've
introduced a new API for consumers that depend on the OpenSSL's default
mutability of the EC_GROUP structure called
EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of
functionality that's dependent on the mutability of these structures,
I've made the corresponding adjustments to allow things to work as
expected.

https://github.com/ruby/openssl/commit/e53ec5a101
[ruby/openssl] Require OpenSSL 1.1.0 or later 2025-01-20T17:12:57+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-14T12:49:12+00:00 441862dc9f11d83e9e35c3b965fe84e42e178a35 Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12. Most distributions that shipped with OpenSSL 1.0.2 have also reached EOL, or provide a newer version in the package repository: - RHEL 7 (EOL 2024-06) - Ubuntu 16.04 LTS (EOL 2021-04) - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via the openssl11{,-devel} package) https://github.com/ruby/openssl/commit/38ec6fd50e 
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e
[ruby/openssl] ossl.c: use OPENSSL_init_ssl() and OpenSSL_version() with LibreSSL 2025-01-14T12:38:16+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-09T11:56:43+00:00 731d3ec3012f125131d5c992394af17c5ff9e9e3 LibreSSL 2.7.0 added support for OPENSSL_init_ssl() and OpenSSL_version(). https://github.com/ruby/openssl/commit/1328415097 
LibreSSL 2.7.0 added support for OPENSSL_init_ssl() and
OpenSSL_version().

https://github.com/ruby/openssl/commit/1328415097
[ruby/openssl] Call Init_ossl_*() functions in alphabetical order 2024-12-07T07:55:47+00:00 Kazuki Yamaguchi k@rhe.jp 2024-10-30T19:12:09+00:00 09d516b62e0859af364b23f9bd0128dae31d7e38 It was originally sorted in alphabetical order, but it has been broken over time. Let's fix it. https://github.com/ruby/openssl/commit/974c67f38f 
It was originally sorted in alphabetical order, but it has been broken
over time. Let's fix it.

https://github.com/ruby/openssl/commit/974c67f38f