ruby.git/ext/openssl/ossl_pkcs12.c, branch v4.0.3 The Ruby Programming Language [ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] Remove dummy declarations for mOSSL and eOSSLError 2025-11-29T17:05:19+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:47:26+00:00 bae06ce22c5ab6a4a3085300274f258d55858e90 These declarations were added to every source file because older versions of RDoc did not resolve ancestor tree across files. Since RDoc 6.9.0 supports this, this workaround is no longer needed. https://redirect.github.com/ruby/rdoc/pull/1217 https://github.com/ruby/openssl/commit/6491ce63be 
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.

    https://redirect.github.com/ruby/rdoc/pull/1217

https://github.com/ruby/openssl/commit/6491ce63be
[ruby/openssl] digest: use EVP_MD_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-06-24T10:31:31+00:00 10d2311e136212549d36f90ec7cb86108e682088 With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions. For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because: - EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname(). - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free(). So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime. https://github.com/ruby/openssl/commit/9fc2179403 
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

https://github.com/ruby/openssl/commit/9fc2179403
[ruby/openssl] pkey: rename ossl_pkey_new() to ossl_pkey_wrap() 2025-07-27T12:17:25+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-21T14:52:03+00:00 1c18ab81dbf4a8006222d7f10752dde362ba05a6 Among functions named ossl_*_new(), ossl_pkey_new() is now the only one that takes ownership of the passed OpenSSL object instead of making a copy or incrementing its reference counter. Rename it to make this behavior easier to understand. https://github.com/ruby/openssl/commit/54c1c26eb5 
Among functions named ossl_*_new(), ossl_pkey_new() is now the only one
that takes ownership of the passed OpenSSL object instead of making a
copy or incrementing its reference counter. Rename it to make this
behavior easier to understand.

https://github.com/ruby/openssl/commit/54c1c26eb5
[ruby/openssl] mark `initialize_copy` as :nodoc: 2025-03-12T16:03:47+00:00 Sarun Rattanasiri midnight_w@gmx.tw 2025-03-08T14:43:11+00:00 9ec8dc9c6504e62c6a3ff6b111cee53f67d5508c https://github.com/ruby/openssl/commit/17f87d2cf0 
https://github.com/ruby/openssl/commit/17f87d2cf0
[ruby/openssl] Add build support for AWS-LC 2025-02-11T15:35:03+00:00 Samuel Chiang sachiang@amazon.com 2025-01-24T02:16:14+00:00 06faf28558c2f1925f37dd78ff61ba1bef6e894e CI Changes 1. I've split the original patch up to make it easier to digest, but that forces my hand to turn off testing in the AWS-LC CI for the time being. However, do let me know if you would prefer to review the test adjustments in the same PR and I can remove the temporary CI workaround. 2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations to alert the consuming application of these. I've leveraged the skip-warnings CI option so that the build doesn't fail. Build Adjustments 1. AWS-LC FIPS mode is decided at compile time. This is different from OpenSSL's togglable FIPS switch, so I've adjusted the build to account for this. 2. AWS-LC does not support for the two KEY_SIG or KEY_EX flags that were only ever supported by old MSIE. 3. AWS-LC has no current support for post handshake authentication in TLS 1.3. 4. EC_GROUP structures for named curves in AWS-LC are constant, static, and immutable by default. This means that the EC_GROUP_set_* functions are essentially no-ops due to the immutability of the structure. We've introduced a new API for consumers that depend on the OpenSSL's default mutability of the EC_GROUP structure called EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of functionality that's dependent on the mutability of these structures, I've made the corresponding adjustments to allow things to work as expected. https://github.com/ruby/openssl/commit/e53ec5a101 
CI Changes
1. I've split the original patch up to make it easier to digest, but
that forces my hand to turn off testing in the AWS-LC CI for the time
being. However, do let me know if you would prefer to review the test
adjustments in the same PR and I can remove the temporary CI workaround.
2. AWS-LC has a few no-op functions and we use -Wdeprecated-declarations
to alert the consuming application of these. I've leveraged the
skip-warnings CI option so that the build doesn't fail.

Build Adjustments
1. AWS-LC FIPS mode is decided at compile time. This is different from
OpenSSL's togglable FIPS switch, so I've adjusted the build to account
for this.
2. AWS-LC does not support for the two KEY_SIG or KEY_EX flags that were
only ever supported by old MSIE.
3. AWS-LC has no current support for post handshake authentication in
TLS 1.3.
4. EC_GROUP structures for named curves in AWS-LC are constant, static,
and immutable by default. This means that the EC_GROUP_set_* functions
are essentially no-ops due to the immutability of the structure. We've
introduced a new API for consumers that depend on the OpenSSL's default
mutability of the EC_GROUP structure called
EC_GROUP_new_by_curve_name_mutable. Since Ruby has a bit of
functionality that's dependent on the mutability of these structures,
I've made the corresponding adjustments to allow things to work as
expected.

https://github.com/ruby/openssl/commit/e53ec5a101
[ruby/openssl] Require OpenSSL 1.1.0 or later 2025-01-20T17:12:57+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-14T12:49:12+00:00 441862dc9f11d83e9e35c3b965fe84e42e178a35 Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12. Most distributions that shipped with OpenSSL 1.0.2 have also reached EOL, or provide a newer version in the package repository: - RHEL 7 (EOL 2024-06) - Ubuntu 16.04 LTS (EOL 2021-04) - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via the openssl11{,-devel} package) https://github.com/ruby/openssl/commit/38ec6fd50e 
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e
[ruby/openssl] pkcs12: add PKCS12#set_mac 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-03T10:40:07+00:00 c79b4354074742ca1cbbb25a4f04bbffeb58407d Add a binding for PKCS12_set_mac() to set MAC parameters and (re-)calculate MAC for the content. This allows generating PKCS #12 with consistent MAC parameters with different OpenSSL versions. OpenSSL 3.0 changed the default hash function used for HMAC and the KDF from SHA-1 to SHA-256. Fixes: https://github.com/ruby/openssl/issues/772 https://github.com/ruby/openssl/commit/f5ed2a74b6 
Add a binding for PKCS12_set_mac() to set MAC parameters and
(re-)calculate MAC for the content.

This allows generating PKCS #12 with consistent MAC parameters with
different OpenSSL versions. OpenSSL 3.0 changed the default hash
function used for HMAC and the KDF from SHA-1 to SHA-256.

Fixes: https://github.com/ruby/openssl/issues/772

https://github.com/ruby/openssl/commit/f5ed2a74b6
[ruby/openssl] Mark variables and functions as static whenever possible 2024-12-07T07:55:47+00:00 Kazuki Yamaguchi k@rhe.jp 2024-10-29T19:03:05+00:00 1df63d9451459209c00f5e8db033f18d145cc741 https://github.com/ruby/openssl/commit/85d6b7f192 
https://github.com/ruby/openssl/commit/85d6b7f192
[ruby/openssl] Fix references to the license text 2024-06-08T10:59:17+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-01T08:10:44+00:00 69c0b1438a45938e79e63407035f116de4634dcb Update the references to the file "LICENCE" with "COPYING". The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has been always the case since OpenSSL for Ruby 2 was merged to the ruby tree as a standard library in 2003. In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained an old version of the Ruby License, identical to the COPYING file that was in Ruby's tree at that time (r4128[2]). [1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup [2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING https://github.com/ruby/openssl/commit/5bccf07d04 
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

https://github.com/ruby/openssl/commit/5bccf07d04