ruby.git/ext/openssl/ossl_ts.c, branch v4.0.4 The Ruby Programming Language [ruby/openssl] Convert ossl_ts.c to opaque ASN1_STRING 2025-12-06T16:50:17+00:00 Theo Buehler tb@openbsd.org 2025-12-05T12:54:49+00:00 38ad0806d7270926ff6fc5c23092aa3e822f386b https://github.com/ruby/openssl/commit/8945f379b3 
https://github.com/ruby/openssl/commit/8945f379b3
[ruby/openssl] Expand tabs in C source files 2025-12-04T17:46:59+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-29T18:40:32+00:00 5062c0c621d887367af8a054e5e5d83d7ec57dd3 Since around 2018, we have been using spaces for indentation for newly added code[1]. The mixed use of tabs and spaces has repeatedly confused new contributors who configured their editors to use a different tab size than 8. Since git blame can now skip specific commits, ruby/ruby did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl. While at it, fix a few indentation issues, mainly in switch-case labels and in ossl_ssl_session.c, which used doubled indentation size. This patch contains white-space changes only. git diff -w output should be empty. [1] https://bugs.ruby-lang.org/issues/14246 [2] https://bugs.ruby-lang.org/issues/18891 https://github.com/ruby/openssl/commit/4d6214f507 
Since around 2018, we have been using spaces for indentation for newly
added code[1]. The mixed use of tabs and spaces has repeatedly confused
new contributors who configured their editors to use a different tab
size than 8. Since git blame can now skip specific commits, ruby/ruby
did a mass reformatting of tabs in 2022[2]. Do the same in ruby/openssl.

While at it, fix a few indentation issues, mainly in switch-case labels
and in ossl_ssl_session.c, which used doubled indentation size.

This patch contains white-space changes only. git diff -w output should
be empty.

[1] https://bugs.ruby-lang.org/issues/14246
[2] https://bugs.ruby-lang.org/issues/18891

https://github.com/ruby/openssl/commit/4d6214f507
[ruby/openssl] Remove dummy declarations for mOSSL and eOSSLError 2025-11-29T17:05:19+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:47:26+00:00 bae06ce22c5ab6a4a3085300274f258d55858e90 These declarations were added to every source file because older versions of RDoc did not resolve ancestor tree across files. Since RDoc 6.9.0 supports this, this workaround is no longer needed. https://redirect.github.com/ruby/rdoc/pull/1217 https://github.com/ruby/openssl/commit/6491ce63be 
These declarations were added to every source file because older
versions of RDoc did not resolve ancestor tree across files. Since
RDoc 6.9.0 supports this, this workaround is no longer needed.

    https://redirect.github.com/ruby/rdoc/pull/1217

https://github.com/ruby/openssl/commit/6491ce63be
[ruby/openssl] ts: fix docs for attrs on OpenSSL::Timestamp::Factory 2025-11-29T16:41:54+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-29T16:29:01+00:00 c8bfbd5700bc00ab06e715235818c099a0063436 Move attribute documentation out of the class-level section and into the appropriate sections so that they attach correctly. https://github.com/ruby/openssl/commit/61410acc50 
Move attribute documentation out of the class-level section and into
the appropriate sections so that they attach correctly.

https://github.com/ruby/openssl/commit/61410acc50
[ruby/openssl] asn1: refactor converting ASN1_OBJECT to string 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T16:41:35+00:00 dd489ee9c48fc8c2b499b80f3ebcd053de33bb0a ruby/openssl exposes OIDs to Ruby as strings in many places, but the conversion logic has been duplicated and the behavior is inconsistent. There are mainly two patterns: - Returns the short name associated with the OID/NID, or the dotted decimal notation if it is unknown to OpenSSL. - Returns the long name, or the dotted decimal notation. These patterns are implemented using different OpenSSL APIs and that caused subtle differences. Add helper functions ossl_asn1obj_to_string() and ossl_asn1obj_to_string_long_name() to unify the logic. Also, document the current behaviors where it is not yet done. The inconsistency was likely unintentional, but since it dates back to the original implementations, standardizing it now would cause more issues than it resolves. https://github.com/ruby/openssl/commit/2ea36c21a4 
ruby/openssl exposes OIDs to Ruby as strings in many places, but the
conversion logic has been duplicated and the behavior is inconsistent.
There are mainly two patterns:

 - Returns the short name associated with the OID/NID, or the dotted
   decimal notation if it is unknown to OpenSSL.
 - Returns the long name, or the dotted decimal notation.

These patterns are implemented using different OpenSSL APIs and that
caused subtle differences. Add helper functions ossl_asn1obj_to_string()
and ossl_asn1obj_to_string_long_name() to unify the logic.

Also, document the current behaviors where it is not yet done. The
inconsistency was likely unintentional, but since it dates back to the
original implementations, standardizing it now would cause more issues
than it resolves.

https://github.com/ruby/openssl/commit/2ea36c21a4
[ruby/openssl] ts: refactor converting string to ASN1_OBJECT 2025-11-22T16:48:13+00:00 Kazuki Yamaguchi k@rhe.jp 2025-05-17T09:42:28+00:00 424499dd10aa01b3d84957761b19dde63b28113c obj_to_asn1obj() in ossl_ts.c and ossl_asn1.c are identical. Let's remove one in ossl_ts.c. eASN1Error can now be made static to ossl_asn1.c. https://github.com/ruby/openssl/commit/dcb05c40c2 
obj_to_asn1obj() in ossl_ts.c and ossl_asn1.c are identical. Let's
remove one in ossl_ts.c.

eASN1Error can now be made static to ossl_asn1.c.

https://github.com/ruby/openssl/commit/dcb05c40c2
[ruby/openssl] digest: use EVP_MD_fetch() if available 2025-11-06T13:25:09+00:00 Kazuki Yamaguchi k@rhe.jp 2025-06-24T10:31:31+00:00 10d2311e136212549d36f90ec7cb86108e682088 With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions. For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because: - EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname(). - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free(). So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime. https://github.com/ruby/openssl/commit/9fc2179403 
With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

https://github.com/ruby/openssl/commit/9fc2179403
[ruby/openssl] ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4 2025-01-22T16:45:52+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-21T18:22:22+00:00 495b1cad042b30c40b62b5ecea5a728ea3c2f4ac In OpenSSL 3.4, TS_VERIFY_CTX_set_certs() and TS_VERIFY_CTX_set_store() are deprecated in favor of the new functions with "set0" in the names. The new functions have a slightly different behavior. They will free the previous value automatically. Increment the reference counter of X509_STORE before setting it to TS_VERIFY_CTX, and do not try to manually unset it. We avoided doing this to work around a bug that was present in older versions of OpenSSL, which has now been fixed in OpenSSL 1.0.2 by commit https://github.com/openssl/openssl/commit/bff9ce4db38b. https://github.com/ruby/openssl/commit/ce37f7d93a 
In OpenSSL 3.4, TS_VERIFY_CTX_set_certs() and TS_VERIFY_CTX_set_store()
are deprecated in favor of the new functions with "set0" in the names.

The new functions have a slightly different behavior. They will free the
previous value automatically. Increment the reference counter of
X509_STORE before setting it to TS_VERIFY_CTX, and do not try to
manually unset it.

We avoided doing this to work around a bug that was present in older
versions of OpenSSL, which has now been fixed in OpenSSL 1.0.2 by commit
https://github.com/openssl/openssl/commit/bff9ce4db38b.

https://github.com/ruby/openssl/commit/ce37f7d93a
[ruby/openssl] Use X509_ALGOR_get0() accessor for X509_ALGOR 2025-01-21T18:17:06+00:00 Theo Buehler tb@openbsd.org 2023-10-19T20:37:22+00:00 72fdba156d2963609141867b815e202d558582bf While the struct is currently still public in OpenSSL, there has been an accessor since OpenSSL 0.9.8h. It would be nice if this accessor could be used so that the struct can be made opaque at some point in the future. https://github.com/ruby/openssl/commit/812aeab2f5 
While the struct is currently still public in OpenSSL, there has been
an accessor since OpenSSL 0.9.8h. It would be nice if this accessor
could be used so that the struct can be made opaque at some point in
the future.

https://github.com/ruby/openssl/commit/812aeab2f5
[ruby/openssl] Require OpenSSL 1.1.0 or later 2025-01-20T17:12:57+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-14T12:49:12+00:00 441862dc9f11d83e9e35c3b965fe84e42e178a35 Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12. Most distributions that shipped with OpenSSL 1.0.2 have also reached EOL, or provide a newer version in the package repository: - RHEL 7 (EOL 2024-06) - Ubuntu 16.04 LTS (EOL 2021-04) - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via the openssl11{,-devel} package) https://github.com/ruby/openssl/commit/38ec6fd50e 
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e