Skip to content

pkey: disallow {DH,DSA,EC,RSA}.new without arguments on OpenSSL 3.0 #848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 30, 2025
Merged

pkey: disallow {DH,DSA,EC,RSA}.new without arguments on OpenSSL 3.0 #848

merged 2 commits into from
Sep 30, 2025

Conversation

rhenium
Copy link
Member

@rhenium rhenium commented Jan 29, 2025
edited
Loading

When OpenSSL::PKey::{DH,DSA,EC,RSA}.new is called without any arguments, it sets up an empty corresponding low-level struct and wraps it in an EVP_PKEY. This form has been supported so that users can fill the fields later using low-level setter methods such as OpenSSL::PKey::RSA#set_key.

Such setter methods are not compatible with OpenSSL 3.0 or later, where pkeys are immutable once created. This means that the ability to create an empty instance is useless. Let's remove it and raise ArgumentError if attempted.

Related:

@rhenium rhenium mentioned this pull request Jan 29, 2025
Closed
@rhenium rhenium force-pushed the ky/pkey-disallow-empty-init branch from 63e9d09 to 43aa5ca Compare January 30, 2025 14:47
@rhenium
pkey: define and use OSSL_HAVE_IMMUTABLE_PKEY macro
032ed63 
Introduce a useful macro indicating that the low-level struct wrapped
in an EVP_PKEY cannot be modified.

Currently, the macro is defined for OpenSSL 3.0 or later only. LibreSSL
and AWS-LC can follow suit in the future.
@rhenium rhenium force-pushed the ky/pkey-disallow-empty-init branch from 43aa5ca to cf5ad9a Compare September 30, 2025 10:34
@rhenium
pkey: disallow {DH,DSA,EC,RSA}.new without arguments with OpenSSL 3.0
affd569 
Raise ArgumentError if this is attempted when the extension is compiled
with OpenSSL 3.0 or later. The form will be fully removed when we drop
support for OpenSSL 1.1.1.

When OpenSSL::PKey::{DH,DSA,EC,RSA}.new is called without any arguments,
it sets up an empty corresponding low-level struct and wraps it in an
EVP_PKEY. This is useful when the user later fills the missing fields
using low-level setter methods such as OpenSSL::PKey::RSA#set_key.

Such setter methods are not compatible with OpenSSL 3.0 or later, where
EVP_PKEY is immutable once created. This means that the ability to
create an empty instance is useless.
@rhenium rhenium force-pushed the ky/pkey-disallow-empty-init branch from cf5ad9a to affd569 Compare September 30, 2025 11:53
@rhenium rhenium merged commit c89f4e6 into ruby:master Sep 30, 2025
43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rhenium