ruby.git/ext/openssl/ossl_pkcs7.c, branch v4.0.2 The Ruby Programming Language [ruby/openssl] pkcs7: raise OpenSSL::PKCS7::PKCS7Error in #initialize 2025-12-14T10:46:27+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-14T10:33:16+00:00 674c3d73e0f92d730bd2e544be344585a638ab37 When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input, OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice in ruby/openssl where an error originates from the underlying OpenSSL library is to raise OpenSSL::OpenSSLError. Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with OpenSSL::PKCS7.read_smime and all other existing #initialize methods that handle DER/PEM-encoded inputs. https://github.com/ruby/openssl/commit/67a608ce53 
When d2i_PKCS7_bio() and PEM_read_bio_PKCS7() fail to decode the input,
OpenSSL::PKCS7.new currently raises ArgumentError. The usual practice
in ruby/openssl where an error originates from the underlying OpenSSL
library is to raise OpenSSL::OpenSSLError.

Raise OpenSSL::PKCS7::PKCS7Error instead for consistency with
OpenSSL::PKCS7.read_smime and all other existing #initialize methods
that handle DER/PEM-encoded inputs.

https://github.com/ruby/openssl/commit/67a608ce53
[ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] Remove dummy declarations for mOSSL and eOSSLError 2025-11-29T17:05:19+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:47:26+00:00 bae06ce22c5ab6a4a3085300274f258d55858e90 These declarations were added to every source file because older versions of RDoc did not resolve ancestor tree across files. Since RDoc 6.9.0 supports this, this workaround is no longer needed. https://redirect.github.com/ruby/rdoc/pull/1217 https://github.com/ruby/openssl/commit/6491ce63be 
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.

    https://redirect.github.com/ruby/rdoc/pull/1217

https://github.com/ruby/openssl/commit/6491ce63be
[ruby/openssl] cipher: use EVP_CIPHER_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-09T09:36:49+00:00 57aaf86bdbdaacb66ebbd29d1e2551d87167cbfe Likewise, use EVP_MD_fetch() if it is available. This adds support for AES-GCM-SIV with OpenSSL 3.2 or later. https://github.com/ruby/openssl/commit/0e565a215e 
Likewise, use EVP_MD_fetch() if it is available.

This adds support for AES-GCM-SIV with OpenSSL 3.2 or later.

https://github.com/ruby/openssl/commit/0e565a215e
[ruby/openssl] digest: use EVP_MD_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-06-24T10:31:31+00:00 10d2311e136212549d36f90ec7cb86108e682088 With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions. For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because: - EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname(). - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free(). So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime. https://github.com/ruby/openssl/commit/9fc2179403 
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

https://github.com/ruby/openssl/commit/9fc2179403
[ruby/openssl] pkcs7: make PKCS7#add_recipient actually useful 2025-08-01T12:04:06+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-31T12:02:36+00:00 497782856a6054ab6bf3c195b10146161bebcf11 Add a simple test case that creates an enveloped-data structure without using the shorthand method, and fix two issues preventing this from working correctly. First, OpenSSL::PKey::PKCS7#add_recipient currently inserts an incomplete PKCS7_RECIP_INFO object into the PKCS7 object. When duplicating an unfinalized PKCS7_RECIP_INFO, the internal X509 reference must also be copied, as it is later used by #add_data to fill the rest. A similar issue with #add_signer was fixed in commit https://github.com/ruby/openssl/commit/20ca7a27a86e (pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO, 2021-03-24). Second, #add_data calls PKCS7_dataFinal(), which for enveloped-data appears to require the BIO to be flushed explicitly with BIO_flush(). Without this, the last block of the encrypted data would be missing. https://github.com/ruby/openssl/commit/9595ecf643 
Add a simple test case that creates an enveloped-data structure without
using the shorthand method, and fix two issues preventing this from
working correctly.

First, OpenSSL::PKey::PKCS7#add_recipient currently inserts an
incomplete PKCS7_RECIP_INFO object into the PKCS7 object. When
duplicating an unfinalized PKCS7_RECIP_INFO, the internal X509 reference
must also be copied, as it is later used by #add_data to fill the rest.

A similar issue with #add_signer was fixed in commit https://github.com/ruby/openssl/commit/20ca7a27a86e
(pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO,
2021-03-24).

Second, #add_data calls PKCS7_dataFinal(), which for enveloped-data
appears to require the BIO to be flushed explicitly with BIO_flush().
Without this, the last block of the encrypted data would be missing.

https://github.com/ruby/openssl/commit/9595ecf643
[ruby/openssl] pkcs7: refactor error handling in PKCS7#add_data 2025-08-01T12:04:06+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-31T11:15:03+00:00 046780179b582c3f037e5cff27647091f71d6977 Raise an exception right after an OpenSSL function returns an error. Checking ERR_peek_error() is not reliable way to see if an error has occurred or not, as OpenSSL functions do not always populate the error queue. https://github.com/ruby/openssl/commit/cc3f1af73e 
Raise an exception right after an OpenSSL function returns an error.
Checking ERR_peek_error() is not reliable way to see if an error has
occurred or not, as OpenSSL functions do not always populate the error
queue.

https://github.com/ruby/openssl/commit/cc3f1af73e
[ruby/openssl] pkcs7: fix error queue leak in OpenSSL::PKCS7#detached 2025-08-01T12:03:39+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-31T17:40:02+00:00 3fe4ab0d23150f47e2ee6af0badbe08c070a9a95 Only call PKCS7_get_detached() if the PKCS7 object is a signed-data. This is only useful for the content type, and leaves an error entry if called on a PKCS7 object with a different content type. https://github.com/ruby/openssl/commit/8997f6d5e6 
Only call PKCS7_get_detached() if the PKCS7 object is a signed-data.
This is only useful for the content type, and leaves an error entry if
called on a PKCS7 object with a different content type.

https://github.com/ruby/openssl/commit/8997f6d5e6
[ruby/openssl] pkcs7: only set error_string in the error path 2025-07-31T17:38:35+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-31T16:57:31+00:00 69ff8f736b0ad1f6ad70fa3ce288bafb364b021c Set the error_string attribute to nil if PKCS7_verify() succeeds, since the error queue should be empty in that case. With AWS-LC, OpenSSL::PKCS#verify currently sets error_string to "invalid library (0)" when the verification succeeds, whereas with OpenSSL and LibreSSL, it becomes nil. ERR_reason_error_string() appears to behave differently when an invalid error code is passed. The branch to raise OpenSSL::PKCS7::PKCS7Error is removed because it does not appear to be reachable. https://github.com/ruby/openssl/commit/c11c6631fa 
Set the error_string attribute to nil if PKCS7_verify() succeeds, since
the error queue should be empty in that case.

With AWS-LC, OpenSSL::PKCS#verify currently sets error_string to
"invalid library (0)" when the verification succeeds, whereas with
OpenSSL and LibreSSL, it becomes nil. ERR_reason_error_string() appears
to behave differently when an invalid error code is passed.

The branch to raise OpenSSL::PKCS7::PKCS7Error is removed because it
does not appear to be reachable.

https://github.com/ruby/openssl/commit/c11c6631fa
[ruby/openssl] pkcs7: disallow ossl_pkcs7{si,ri}_new(NULL) 2025-07-27T12:17:24+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-05T18:02:03+00:00 e80c3f3ba933e9dae6c44350ddc99cab485a9a59 These functions are not actually called with NULL. https://github.com/ruby/openssl/commit/c089301e56 
These functions are not actually called with NULL.

https://github.com/ruby/openssl/commit/c089301e56