ruby.git/ext/openssl/ossl_pkey.c, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] Fix references to the license text 2024-06-08T10:59:17+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-01T08:10:44+00:00 69c0b1438a45938e79e63407035f116de4634dcb Update the references to the file "LICENCE" with "COPYING". The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has been always the case since OpenSSL for Ruby 2 was merged to the ruby tree as a standard library in 2003. In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained an old version of the Ruby License, identical to the COPYING file that was in Ruby's tree at that time (r4128[2]). [1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup [2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING https://github.com/ruby/openssl/commit/5bccf07d04 
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

https://github.com/ruby/openssl/commit/5bccf07d04
[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections. 2023-08-28T03:05:33+00:00 Jun Aruga jaruga@redhat.com 2023-08-24T17:04:23+00:00 b0ec1db8a72c530460abd9462ac75845362886bd This is a workaround for the decoding issue in ossl_pkey_read_generic(). The issue happens in the case that a key management provider is different from a decoding provider. Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3 to avoid the issue. https://github.com/ruby/openssl/commit/db688fa739 
This is a workaround for the decoding issue in ossl_pkey_read_generic().
The issue happens in the case that a key management provider is different from
a decoding provider.

Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
to avoid the issue.

https://github.com/ruby/openssl/commit/db688fa739
[ruby/openssl] [DOC] enhance RDoc for exporting pkeys 2023-08-16T05:48:40+00:00 Kazuki Yamaguchi k@rhe.jp 2023-06-28T03:09:27+00:00 0eaee5c000bf2fc6e1866881a6f9a4d7820c16d4 Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem and #to_der more clearly. They return a different result depending on whether the pkey is a public or private key. This was not documented adequately. Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem and #public_to_pem instead, if possible. https://github.com/ruby/openssl/commit/d22769af8f 
Describe the behavior of OpenSSL::PKey::{DH,DSA,EC,RSA}#to_pem
and #to_der more clearly. They return a different result depending on
whether the pkey is a public or private key. This was not documented
adequately.

Also, suggest the use of OpenSSL::PKey::PKey#private_to_pem
and #public_to_pem instead, if possible.

https://github.com/ruby/openssl/commit/d22769af8f
[ruby/openssl] Add support for raw private/public keys 2023-07-12T14:40:58+00:00 Ryo Kajiwara sylph01@gmail.com 2023-07-12T13:06:46+00:00 4b6d667c63481abd17ce5446bceb053c0881739f (https://github.com/ruby/openssl/pull/646) Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public equivalents. These methods are useful for importing and exporting keys that support "raw private/public key". Currently, OpenSSL implements X25519/X448 and Ed25519/Ed448 keys. [rhe: rewrote commit message] https://github.com/ruby/openssl/commit/3f29525618 Co-authored-by: Bart de Water <bartdewater@gmail.com> 
(https://github.com/ruby/openssl/pull/646)

Add OpenSSL::PKey.new_raw_private_key, #raw_private_key and public
equivalents. These methods are useful for importing and exporting keys
that support "raw private/public key". Currently, OpenSSL implements
X25519/X448 and Ed25519/Ed448 keys.

[rhe: rewrote commit message]

https://github.com/ruby/openssl/commit/3f29525618

Co-authored-by: Bart de Water <bartdewater@gmail.com>
[ruby/openssl] pkey: use unsigned type for bit fields 2023-06-18T16:57:09+00:00 Kazuki Yamaguchi k@rhe.jp 2023-06-06T18:46:43+00:00 af66b9b7203a22e6029872513c59a7284f381cf9 clang generates a warning: ../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion] arg->interrupted = 1; ^ ~ 1 error generated. https://github.com/ruby/openssl/commit/4b2ba7b022 
clang generates a warning:

	../../../../ext/openssl/ossl_pkey.c:326:22: error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
	    arg->interrupted = 1;
	                     ^ ~
	1 error generated.

https://github.com/ruby/openssl/commit/4b2ba7b022
[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode. 2023-06-18T16:57:09+00:00 Jun Aruga jaruga@redhat.com 2023-04-12T15:15:21+00:00 2a4834057b30a26c38ece3961b370c0b2ee59380 This commit is a workaround to avoid the error below that the `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. ``` $ openssl genrsa -out key.pem 4096 $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) from -e:1:in `<main>' ``` The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` doesn't apply the selection value properly if there are multiple providers, and a provider (e.g. "base" provider) handles the decoder implementation, and another provider (e.g. "fips" provider) handles the keys. The workaround is to create `OSSL_DECODER_CTX` variable each time without using the `OSSL_DECODER_CTX_set_selection`. https://github.com/ruby/openssl/commit/5ff4a31621 
This commit is a workaround to avoid the error below that the
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.

```
$ openssl genrsa -out key.pem 4096

$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
  from -e:1:in `<main>'
```

The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
doesn't apply the selection value properly if there are multiple providers, and
a provider (e.g.  "base" provider) handles the decoder implementation, and
another provider (e.g. "fips" provider) handles the keys.

The workaround is to create `OSSL_DECODER_CTX` variable each time without using
the `OSSL_DECODER_CTX_set_selection`.

https://github.com/ruby/openssl/commit/5ff4a31621
[ruby/openssl] Implement Write Barrier for all OpenSSL types 2023-06-18T16:57:09+00:00 Jean Boussier jean.boussier@gmail.com 2023-03-13T08:51:53+00:00 1965c09ee50b5202d45462cd8bc6224ca6e45ae9 The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy. https://github.com/ruby/openssl/commit/2c7c6de69e 
The vast majority have no reference so it's just a matter of setting the flags.

For the couple exception, they have very little references so it's
easy.

https://github.com/ruby/openssl/commit/2c7c6de69e
[ruby/openssl] Use EVP_Digest{Sign,Verify} when available 2022-12-13T09:07:41+00:00 Theo Buehler tb@openbsd.org 2022-11-10T13:50:22+00:00 d92f4fe4d74d929cec9ca36ec3dbec070b314902 LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them when available to prepare for the addition of Ed25519 support in LibreSSL 3.7. https://github.com/ruby/openssl/commit/475b2bf766 
LibreSSL 3.4 added EVP_DigestSign() and EVP_DigestVerify(). Use them
when available to prepare for the addition of Ed25519 support in
LibreSSL 3.7.

https://github.com/ruby/openssl/commit/475b2bf766
[ruby/openssl] pkey: restore support for decoding "openssl ecparam -genkey" output 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-02T13:40:54+00:00 0677b2fb87fa4bdff64e650e5df0fd7bf684bd2e Scan through the input for a private key, then fallback to generic decoder. OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding formats. While this is useful for OpenSSL::PKey::PKey, an edge case has been discovered. The openssl CLI command line "openssl ecparam -genkey" prints two PEM blocks in a row, one for EC parameters and another for the private key. Feeding the whole output into OSSL_DECODER results in only the first PEM block, the key parameters, being decoded. Previously, ruby/openssl did not support decoding key parameters and it would decode the private key PEM block instead. While the new behavior is technically correct, "openssl ecparam -genkey" is so widely used that ruby/openssl does not want to break existing applications. Fixes https://github.com/ruby/openssl/pull/535 https://github.com/ruby/openssl/commit/d486c82833 
Scan through the input for a private key, then fallback to generic
decoder.

OpenSSL 3.0's OSSL_DECODER supports encoded key parameters. The PEM
header "-----BEGIN EC PARAMETERS-----" is used by one of such encoding
formats. While this is useful for OpenSSL::PKey::PKey, an edge case has
been discovered.

The openssl CLI command line "openssl ecparam -genkey" prints two PEM
blocks in a row, one for EC parameters and another for the private key.
Feeding the whole output into OSSL_DECODER results in only the first PEM
block, the key parameters, being decoded. Previously, ruby/openssl did
not support decoding key parameters and it would decode the private key
PEM block instead.

While the new behavior is technically correct, "openssl ecparam -genkey"
is so widely used that ruby/openssl does not want to break existing
applications.

Fixes https://github.com/ruby/openssl/pull/535

https://github.com/ruby/openssl/commit/d486c82833