Backport OpenSSL 4.0 support#1051
Merged
[ This is a backport to the 3.2 branch. ] Move the #include from ossl_provider.c to ossl.h. As OpenSSL 3 provider functions will be used in multiple source files, having it in the common header file is convenient. (cherry picked from commit f831bb6)
[ This is a backport to the 3.2 branch. ] Algorithms implemented only in OpenSSL 3 providers may not have a corresponding NID. The *_ex() variants have been added in OpenSSL 3.0 to handle such algorithms, by taking algorithm names as a string. (cherry picked from commit e730e45)
[ This is a backport to the 3.2 branch. ] For algorithms implemented solely in an OpenSSL 3 provider, without an associated EVP_PKEY_METHOD, EVP_PKEY_id() returns a special value EVP_PKEY_KEYMGMT. Let OpenSSL::PKey::PKey#oid raise an exception as necessary. Update PKey#inspect to include the string returned by EVP_PKEY_get0_type_name(), if available. (cherry picked from commit bd3e322)
[ This is a backport to the 3.2 branch. ] This test case seems to fail with OpenSSL 4.0.0. Let's disable it for now. It is an impossible state with our master branch as of commit affd569 (pkey: disallow {DH,DSA,EC,RSA}.new without arguments with OpenSSL 3.0, 2025-01-30) and the test is disabled there, too.
[ This is a backport to the 3.2 branch. ] OpenSSL master added support for RFC 7919 groups in TLS 1.2. They are preferred over SSLContext#tmp_dh= or #tmp_dh_callback= values if the client advertises them in the supported_groups extension. (cherry picked from commit 3e01c80)
[ This is a backport to the 3.2 branch. ]
Backport the following commits from master:
a41cf28 Convert ossl_x509ext.c to opaque ASN1_STRING
8945f37 Convert ossl_ts.c to opaque ASN1_STRING
0941ebb Convert ossl_ns_spki.c to opaque ASN1_STRING
ba3d1cc Convert some of ossl_asn1.c to opaque ASN1_STRING
3742624 Convert ossl_ocsp.c to opaque ASN1_STRING
ebb505f asn1: use new ASN1_BIT_STRING accessor functions with OpenSSL 4.0
Also, additional changes were required:
- ASN1_STRING_get0_data() is defined in openssl_missing.h because it does not exist in OpenSSL 1.0.2.
- asn1time_to_time() in ossl_asn1.c is manually converted. It had been rewritten in master, but older branches need to be converted to use those accessors.
[ This is a backport to the 3.2 branch. ] This helper only reads from its in parameter. Making that const avoids a couple of casts in an upcoming change. (cherry picked from commit 970d576)
[ This is a backport to the 3.2 branch. ] OpenSSL's master branch is changing functions to return const pointers where the returned objects are not meant to be modified by the caller. Update ossl_*_new() to take const pointers accordingly. Unfortunately, *_dup() in older versions of OpenSSL and in LibreSSL/AWS-LC take non-const pointers, so const casts are required. (cherry picked from commit 34c49e6)
Part of: #1028
OpenSSL 4.0 ended up requiring ~250 lines of changes in ruby/openssl. While not trivial, this is much smaller compared to the previous major releases of OpenSSL.
I think we can backport these changes to the default gems in Ruby 3.3+.