ruby.git/ext/openssl/ossl_pkey.c, branch v4.0.4 The Ruby Programming Language [ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] Remove dummy declarations for mOSSL and eOSSLError 2025-11-29T17:05:19+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:47:26+00:00 bae06ce22c5ab6a4a3085300274f258d55858e90 These declarations were added to every source file because older versions of RDoc did not resolve ancestor tree across files. Since RDoc 6.9.0 supports this, this workaround is no longer needed. https://redirect.github.com/ruby/rdoc/pull/1217 https://github.com/ruby/openssl/commit/6491ce63be 
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.

    https://redirect.github.com/ruby/rdoc/pull/1217

https://github.com/ruby/openssl/commit/6491ce63be
[ruby/openssl] pkey: unify error classes into PKeyError 2025-11-06T13:33:15+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-02T14:23:20+00:00 16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c Remove the following subclasses of OpenSSL::PKey::PKeyError and make them aliases of it. - OpenSSL::PKey::DHError - OpenSSL::PKey::DSAError - OpenSSL::PKey::ECError - OpenSSL::PKey::RSAError Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise their respective exception classes. However, this distinction is not particularly useful since all those exception classes represent the same kind of errors from the underlying EVP_PKEY API. I think this convention comes from the fact that OpenSSL::PKey::{DH, DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA, and RSA, before they were unified to wrap EVP_PKEY, way back in 2002. OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error are out of scope of this change, as they are not subclasses of OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY API. https://github.com/ruby/openssl/commit/e74ff3e272 
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
[ruby/openssl] cipher: use EVP_CIPHER_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-09T09:36:49+00:00 57aaf86bdbdaacb66ebbd29d1e2551d87167cbfe Likewise, use EVP_MD_fetch() if it is available. This adds support for AES-GCM-SIV with OpenSSL 3.2 or later. https://github.com/ruby/openssl/commit/0e565a215e 
Likewise, use EVP_MD_fetch() if it is available.

This adds support for AES-GCM-SIV with OpenSSL 3.2 or later.

https://github.com/ruby/openssl/commit/0e565a215e
[ruby/openssl] digest: use EVP_MD_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-06-24T10:31:31+00:00 10d2311e136212549d36f90ec7cb86108e682088 With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions. For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because: - EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname(). - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free(). So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime. https://github.com/ruby/openssl/commit/9fc2179403 
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

https://github.com/ruby/openssl/commit/9fc2179403
[ruby/openssl] pkey: define and use OSSL_HAVE_IMMUTABLE_PKEY macro 2025-09-30T11:59:27+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-25T06:50:03+00:00 986d9177dd63aaecbbb6e3a02fe20370cbd21bc5 Introduce a useful macro indicating that the low-level struct wrapped in an EVP_PKEY cannot be modified. Currently, the macro is defined for OpenSSL 3.0 or later only. LibreSSL and AWS-LC can follow suit in the future. https://github.com/ruby/openssl/commit/032ed63096 
Introduce a useful macro indicating that the low-level struct wrapped
in an EVP_PKEY cannot be modified.

Currently, the macro is defined for OpenSSL 3.0 or later only. LibreSSL
and AWS-LC can follow suit in the future.

https://github.com/ruby/openssl/commit/032ed63096
[ruby/openssl] Revert "pkey: stop retrying after non-retryable error from OSSL_DECODER" 2025-09-17T12:18:17+00:00 Kazuki Yamaguchi k@rhe.jp 2025-09-16T10:29:08+00:00 08e7b5f2bdef276c7ea65fa3b01f53c1062acf8d This reverts commit https://github.com/ruby/openssl/commit/5347880c6eb0 and https://github.com/ruby/openssl/commit/985ba27d6339. These commits attempted to stop processing after the first relevant PEM block, whether it is successful or not, when the input contains multiple keys. It turned out that it cannot be reliably determined using the OSSL_DECODER API. There is an edge case where OSSL_DECODER_from_bio() reports "unsupported" even though the input actually contains an error: https://redirect.github.com/ruby/openssl/pull/931#discussion_r2347813807 Revert the changes for now and keep the existing behavior, as partial support does not seem worth the added complexity. https://github.com/ruby/openssl/commit/319cd4952a 
This reverts commit https://github.com/ruby/openssl/commit/5347880c6eb0 and
https://github.com/ruby/openssl/commit/985ba27d6339.

These commits attempted to stop processing after the first relevant PEM
block, whether it is successful or not, when the input contains multiple
keys.

It turned out that it cannot be reliably determined using the
OSSL_DECODER API. There is an edge case where OSSL_DECODER_from_bio()
reports "unsupported" even though the input actually contains an error:

https://redirect.github.com/ruby/openssl/pull/931#discussion_r2347813807

Revert the changes for now and keep the existing behavior, as partial
support does not seem worth the added complexity.

https://github.com/ruby/openssl/commit/319cd4952a
[ruby/openssl] pkey: fix loading public keys with early OpenSSL 3.0.x releases 2025-09-12T14:22:29+00:00 Kazuki Yamaguchi k@rhe.jp 2025-09-12T14:02:27+00:00 8a30594d2cf22c223d57f0fb3832c67b5bbdc76d Treat an empty error queue after calling OSSL_DECODER_from_bio() as a retryable error. This is a follow-up to the previous commit https://github.com/ruby/openssl/commit/985ba27d6339 (pkey: stop retrying after non-retryable error from OSSL_DECODER). The commit broke loading public keys on Ubuntu 22.04 LTS, which ships OpenSSL 3.0.2. https://github.com/ruby/openssl/commit/5347880c6e 
Treat an empty error queue after calling OSSL_DECODER_from_bio() as a
retryable error.

This is a follow-up to the previous commit https://github.com/ruby/openssl/commit/985ba27d6339 (pkey: stop
retrying after non-retryable error from OSSL_DECODER). The commit broke
loading public keys on Ubuntu 22.04 LTS, which ships OpenSSL 3.0.2.

https://github.com/ruby/openssl/commit/5347880c6e
[ruby/openssl] pkey: stop retrying after non-retryable error from OSSL_DECODER 2025-09-12T12:26:07+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-12T18:08:22+00:00 c0820058243842d1391d896baf67914a8ea50e13 Continue processing only when OSSL_DECODER_from_bio() returns the error code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying decoding the input in another format. This fixes another case where OpenSSL::PKey.read prompts for a passphrase multiple times when the input contains multiple passphrase-protected PEM blocks and the first one cannot be decoded. I am not entirely sure if the error code ERR_R_UNSUPPORTED is considered part of the public interface of OpenSSL, but this seems to be the only option available and is the approach used internally by the PEM_read_bio_*() functions. Fixes https://github.com/ruby/openssl/issues/927 https://github.com/ruby/openssl/commit/985ba27d63 
Continue processing only when OSSL_DECODER_from_bio() returns the error
code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying
decoding the input in another format.

This fixes another case where OpenSSL::PKey.read prompts for a
passphrase multiple times when the input contains multiple
passphrase-protected PEM blocks and the first one cannot be decoded.

I am not entirely sure if the error code ERR_R_UNSUPPORTED is considered
part of the public interface of OpenSSL, but this seems to be the only
option available and is the approach used internally by the
PEM_read_bio_*() functions.

Fixes https://github.com/ruby/openssl/issues/927

https://github.com/ruby/openssl/commit/985ba27d63
[ruby/openssl] pkey: pass pem_password_cb to OSSL_DECODER only when it is needed 2025-09-12T12:26:07+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-03T10:50:04+00:00 8af8582d4c3baf0ba41f8b54b43839ec8ba3dc3d Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a passphrase-protected private key. OSSL_DECODER appears to try to decrypt every PEM block in the input even when the PEM header does not match the requested selection. This can cause repeated prompts for a passphrase in a single OpenSSL::PKey.read call. https://github.com/ruby/openssl/commit/933503f49f 
Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a
passphrase-protected private key.

OSSL_DECODER appears to try to decrypt every PEM block in the input even
when the PEM header does not match the requested selection. This can
cause repeated prompts for a passphrase in a single OpenSSL::PKey.read
call.

https://github.com/ruby/openssl/commit/933503f49f