rhenium commented Nov 1, 2025

Fixes #902


With the introduction of OpenSSL 3 providers, newly implemented algorithms do not necessarily have a corresponding NID assigned. To use such an algorithm, it has to be "fetched" from providers using the new EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the existing EVP_get_digestbyname(). However, it is not a drop-in replacement because:

  • EVP_MD_fetch() does not support all algorithm name aliases recognized by EVP_get_digestbyname().

  • Both return an EVP_MD, but the one returned by EVP_MD_fetch() is sometimes reference counted and the user has to explicitly release it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now, and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare a T_DATA object to manage the fetched EVP_MD's lifetime.

rhenium force-pushed the ky/digest-fetch-md branch 2 times, most recently from c601f4c to 1e68061 on November 3, 2025 09:44

Use explicit strings instead of relying on OpenSSL::ASN1::ObjectId
methods. It is reduced to just SHA-256 because testing other algorithms
does not improve test coverage for ruby/openssl.

We generally raise OpenSSL::OpenSSLError or its subclass for errors
originating from the OpenSSL library, which may include extra details
appended by ossl_raise().

Raise OpenSSL::Cipher::CipherError instead of ArgumentError or
RuntimeError for consistency.

rhenium force-pushed the ky/digest-fetch-md branch from 1e68061 to 7412c63 on November 6, 2025 11:45

With the introduction of OpenSSL 3 providers, newly implemented
algorithms do not necessarily have a corresponding NID assigned. To use
such an algorithm, it has to be "fetched" from providers using the new
EVP_*_fetch() functions.

For digest algorithms, we have to use EVP_MD_fetch() instead of the
existing EVP_get_digestbyname(). However, it is not a drop-in
replacement because:

 - EVP_MD_fetch() does not support all algorithm name aliases recognized
   by EVP_get_digestbyname().

 - Both return an EVP_MD, but the one returned by EVP_MD_fetch() is
   sometimes reference counted and the user has to explicitly release
   it with EVP_MD_free().

So, keep using EVP_get_digestbyname() for all OpenSSL versions for now,
and fall back to EVP_MD_fetch() if it fails. In the latter case, prepare
a T_DATA object to manage the fetched EVP_MD's lifetime.

Likewise, use EVP_MD_fetch() if it is available.

This adds support for AES-GCM-SIV with OpenSSL 3.2 or later.

rhenium force-pushed the ky/digest-fetch-md branch from 7412c63 to 0e565a2 on November 6, 2025 12:50

rhenium merged commit 56dcc5c into ruby:master Nov 6, 2025

44 checks passed

rhenium added a commit to rhenium/ruby that referenced this pull request Nov 6, 2025
ruby/openssl#958 changed the common logic for
digest algorithm lookup:

 - If the argument is neither an OpenSSL::Digest instance nor a String,
   it is now implicitly converted to String with #to_str. This is
   consistent with algorithm name lookup logic in ruby/openssl for pkeys
   and ciphers.

 - If the name is not recognized, OpenSSL::Digest::DigestError is raised
   instead of RuntimeError.

Update the specs accordingly:

 - Remove specs that expect #to_str not to be called.

 - Relax regexps matching TypeError messages.

 - Expect OpenSSL::Digest::DigestError instead of RuntimeError for
   ruby/openssl 4.0.0 and later.
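
A caller-side wrapper that gives the same outcome before and after the lookup change described in the commit message above. This is an added example, not code from ruby/openssl or from this pull request; `resolve_digest` and `UnknownDigestError` are hypothetical names.

```ruby
require "openssl"

# Hypothetical application-level error; not part of ruby/openssl.
class UnknownDigestError < StandardError; end

# Per the commit message above: an unrecognized name raises
# OpenSSL::Digest::DigestError on ruby/openssl 4.0.0 and later,
# and RuntimeError on earlier versions.
LOOKUP_ERRORS = [OpenSSL::Digest::DigestError, RuntimeError].freeze

# Hypothetical helper: resolve a digest name (for example one read from
# configuration) with identical behaviour on every ruby/openssl version.
def resolve_digest(name)
  # Newer versions call #to_str on non-String arguments, older ones do not.
  # Converting here removes that version difference.
  unless name.is_a?(String)
    unless name.respond_to?(:to_str)
      raise TypeError, "digest name must be a String or respond to #to_str"
    end
    name = name.to_str
  end
  OpenSSL::Digest.new(name)
rescue *LOOKUP_ERRORS => e
  # Map both the old and the new exception class to one application error.
  raise UnknownDigestError, "unsupported digest #{name.inspect} (#{e.class})"
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_digest("SHA256").hexdigest("abc")
  begin
    resolve_digest("no-such-digest-xyz") # constructed, deliberately invalid name
  rescue UnknownDigestError => e
    puts e.message
  end
end
```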
rhenium added a commit to ruby/ruby that referenced this pull request Nov 6, 2025
Development

Successfully merging this pull request may close these issues.

Add support for "fetched" EVP_MD and EVP_CIPHER