ruby.git/ext/openssl/ossl_pkey.c, branch v3_2_11 The Ruby Programming Language [ruby/openssl] Use EVP_Digest{Sign,Verify} when available 2022-12-13T09:07:41+00:00 Theo Buehler tb@openbsd.org 2022-11-10T13:50:22+00:00 d92f4fe4d74d929cec9ca36ec3dbec070b314902 LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them when available to prepare for the addition of Ed25519 support in LibreSSL 3.7. https://github.com/ruby/openssl/commit/475b2bf766 
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.

https://github.com/ruby/openssl/commit/475b2bf766
[ruby/openssl] pkey: restore support for decoding "openssl ecparam -genkey" output 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-02T13:40:54+00:00 0677b2fb87fa4bdff64e650e5df0fd7bf684bd2e Scan through the input for a private key, then fallback to generic decoder. OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding formats. While this is useful for OpenSSL::PKey::PKey, an edge case has been discovered. The openssl CLI command line "openssl ecparam -genkey" prints two PEM blocks in a row, one for EC parameters and another for the private key. Feeding the whole output into OSSL_DECODER results in only the first PEM block, the key parameters, being decoded. Previously, ruby/openssl did not support decoding key parameters and it would decode the private key PEM block instead. While the new behavior is technically correct, "openssl ecparam -genkey" is so widely used that ruby/openssl does not want to break existing applications. Fixes https://github.com/ruby/openssl/pull/535 https://github.com/ruby/openssl/commit/d486c82833 
Scan through the input for a private key, then fallback to generic
decoder.

OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.

The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.

While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.

Fixes https://github.com/ruby/openssl/pull/535

https://github.com/ruby/openssl/commit/d486c82833
[ruby/openssl] pkey: clear error queue before each OSSL_DECODER_from_bio() call 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-02T09:14:57+00:00 4fb2845c7b71d94f01a224020e4eb91c99f99d66 Fix potential error queue leak. https://github.com/ruby/openssl/commit/3992b6f208 
Fix potential error queue leak.

https://github.com/ruby/openssl/commit/3992b6f208
[ruby/openssl] Check if the option is an Hash in `pkey_ctx_apply_options0()` 2022-10-17T07:35:35+00:00 Nobuhiro IMAI nov@yo.rim.or.jp 2022-08-05T09:42:06+00:00 a98096349ec7280edabf3822d2c6932ac6e63634 causes SEGV if it is an Array or something like that. https://github.com/ruby/openssl/commit/ef23525210 
causes SEGV if it is an Array or something like that.

https://github.com/ruby/openssl/commit/ef23525210
[ruby/openssl] Fix build with LibreSSL 3.5 2022-07-08T14:18:14+00:00 Jeremy Evans code@jeremyevans.net 2022-03-25T20:11:31+00:00 aee36dd7880316a647ac2b3da98c2c1a14bf41c6 https://github.com/ruby/openssl/commit/e25fb0d0d8 
https://github.com/ruby/openssl/commit/e25fb0d0d8
[ruby/openssl] pkey: use EVP_PKEY_CTX_new_from_name() on OpenSSL 3.0 2021-12-20T14:42:04+00:00 Kazuki Yamaguchi k@rhe.jp 2021-04-12T01:43:46+00:00 ac757b218c66569be6789144b149d6d798c72d98 Replace EVP_PKEY_CTX_new_id() with the new EVP_PKEY_CTX_new_from_name() which takes the algorithm name in a string instead of in an NID. https://github.com/ruby/openssl/commit/d6535d13d1 
Replace EVP_PKEY_CTX_new_id() with the new EVP_PKEY_CTX_new_from_name()
which takes the algorithm name in a string instead of in an NID.

https://github.com/ruby/openssl/commit/d6535d13d1
[ruby/openssl] pkey: assume a pkey always has public key components on OpenSSL 3.0 2021-12-20T14:42:04+00:00 Kazuki Yamaguchi k@rhe.jp 2021-03-20T14:16:41+00:00 61e426ae059945088b2bf84cdf1c8bdef273f314 OpenSSL 3.0's EVP_PKEY_get0() returns NULL for provider-backed pkeys. This causes segfault because it was supposed to never return NULL before. We can't check the existence of public key components in this way on OpenSSL 3.0. Let's just skip it for now. https://github.com/ruby/openssl/commit/ccdb6f7bfa 
OpenSSL 3.0's EVP_PKEY_get0() returns NULL for provider-backed pkeys.
This causes segfault because it was supposed to never return NULL
before.

We can't check the existence of public key components in this way on
OpenSSL 3.0. Let's just skip it for now.

https://github.com/ruby/openssl/commit/ccdb6f7bfa
[ruby/openssl] engine: disable OpenSSL::Engine on OpenSSL 3.0 2021-12-20T14:42:03+00:00 Kazuki Yamaguchi k@rhe.jp 2021-04-14T15:51:58+00:00 b2fb503dabaf421997f20fa96cbf4e11e5d5206d The entire ENGINE API is deprecated in OpenSSL 3.0 in favor of the new "Provider" concept. OpenSSL::Engine will not be defined when compiled with OpenSSL 3.0. We would need a way to interact with providers from Ruby programs, but since the concept is completely different from the ENGINE API, it will not be through the current OpenSSL::Engine interface. https://github.com/ruby/openssl/commit/69a27d8de4 
The entire ENGINE API is deprecated in OpenSSL 3.0 in favor of the new
"Provider" concept.

OpenSSL::Engine will not be defined when compiled with OpenSSL 3.0.
We would need a way to interact with providers from Ruby programs, but
since the concept is completely different from the ENGINE API, it will
not be through the current OpenSSL::Engine interface.

https://github.com/ruby/openssl/commit/69a27d8de4
[ruby/openssl] pkey: use EVP_PKEY_dup() if available 2021-12-20T14:42:01+00:00 Kazuki Yamaguchi k@rhe.jp 2021-04-22T07:33:59+00:00 df6589e418adb2a4018e40d53dab2fd5556ed41e We can use it to implement OpenSSL::PKey::PKey#initialize_copy. This should work on all key types, not just DH/DSA/EC/RSA types. https://github.com/ruby/openssl/commit/66cd8cbaaf 
We can use it to implement OpenSSL::PKey::PKey#initialize_copy. This
should work on all key types, not just DH/DSA/EC/RSA types.

https://github.com/ruby/openssl/commit/66cd8cbaaf
[ruby/openssl] pkey: allocate EVP_PKEY on #initialize 2021-12-20T14:42:01+00:00 Kazuki Yamaguchi k@rhe.jp 2021-04-12T09:32:40+00:00 c1a36ebfda8ba570173e2844bc584786852e6190 Allocate an EVP_PKEY when the content is ready: when #initialize or #initialize_copy is called, rather than when a T_DATA is allocated. This is more natural because the lower level API has been deprecated and an EVP_PKEY is becoming the minimum unit of handling keys. https://github.com/ruby/openssl/commit/74f6c61756 
Allocate an EVP_PKEY when the content is ready: when #initialize
or #initialize_copy is called, rather than when a T_DATA is allocated.
This is more natural because the lower level API has been deprecated
and an EVP_PKEY is becoming the minimum unit of handling keys.

https://github.com/ruby/openssl/commit/74f6c61756