Skip to content

Improve OpenSSL 4.0 compatibility, part 1#1005

Open
rhenium wants to merge 4 commits intoruby:masterfrom
rhenium:ky/openssl-4.0-const-part1
Open

Improve OpenSSL 4.0 compatibility, part 1#1005
rhenium wants to merge 4 commits intoruby:masterfrom
rhenium:ky/openssl-4.0-const-part1

Conversation

@rhenium
Copy link
Member

@rhenium rhenium commented Feb 16, 2026

OpenSSL's master branch is going to be OpenSSL 4.0. These functions return const pointers:

  • PKCS7_get_signed_attribute()
  • X509_ATTRIBUTE_get0_object()
  • X509_ATTRIBUTE_get0_type()

@rhenium
Copy link
Member Author

rhenium commented Feb 16, 2026

It seems there have been other changes in OpenSSL master between 2026-02-03 and today. I will check these later.

@swhitt swhitt mentioned this pull request Feb 16, 2026
Closed
@rhenium rhenium force-pushed the ky/openssl-4.0-const-part1 branch from 9bc8c24 to d37837e Compare February 26, 2026 12:54
@rhenium rhenium changed the title Fix discarding const qualifier with OpenSSL master branch Improve OpenSSL 4.0 compatibility, part 1 Feb 26, 2026
@rhenium rhenium force-pushed the ky/openssl-4.0-const-part1 branch from d37837e to 727c4a7 Compare February 26, 2026 12:56
@rhenium
Copy link
Member Author

rhenium commented Feb 26, 2026

I will not rush merging this until 4.0 alpha is out, as I expect there will be additional breakages, and I want to avoid cluttering the git history with incremental fixes.

rhenium added 4 commits March 15, 2026 03:30
@rhenium
Add const qualifiers for OpenSSL 4.0 compatibility
fe7e623 
OpenSSL's master branch is changing functions to return const pointers
where the returned objects are not meant to be modified by the caller.

Update ossl_*_new() to take const pointers accordingly. Unfortunately,
*_dup() in older versions of OpenSSL and in LibreSSL/AWS-LC take
non-const pointers, so const casts are required.
@rhenium
pkey: remove unnecessary prototype from ossl_pkey.h
2f75b2e 
ossl_ec_new() was removed in commit 94aeab2 (pkey: simplify
ossl_pkey_new(), 2017-03-16), but it forgot to remove the declaration
while doing so.
@rhenium
asn1: use new ASN1_BIT_STRING accessor functions with OpenSSL 4.0
a2ab3e2 
ASN1_STRING has been made opaque in OpenSSL's master branch. Use the
new accessor functions instead of accessing fields directly.

Other uses of ASN1_STRING fields were already updated in
<ruby#978>. This patch converts the
remaining ones, which require the new functions added in OpenSSL 4.0
and were not available at that time.
@rhenium
ssl: fix test_tmp_dh and test_tmp_dh_callback with OpenSSL 4.0
47676b9 
OpenSSL master added support for RFC 7919 groups in TLS 1.2. They are
preferred over SSLContext#tmp_dh= or #tmp_dh_callback= values if the
client advertises them in the supported_groups extension.
@rhenium rhenium force-pushed the ky/openssl-4.0-const-part1 branch from 67f20c0 to 47676b9 Compare March 14, 2026 18:37
@rhenium
Copy link
Member Author

rhenium commented Mar 14, 2026

4.0.0-alpha1 was tagged this week. Test failures with OpenSSL::PKCS12 seem to be an issue in OpenSSL.

@junaruga
Copy link
Member

junaruga commented Mar 16, 2026

Thank you for working on this issue.

When trying to compile the current latest Ruby master branch commit ruby/ruby@77b5ab1 with the current latest OpenSSL 4.1 dev master commit openssl/openssl@e1eb881, I hit an compile error related to this ticket. Maybe thie PR's patches fix it.

$./configure \
  --prefix=/home/jaruga/.local/ruby-4.1.0dev-debug-77b5ab1f6f-openssl-4.1.0-dev-e1eb88118a \
  --with-openssl-dir=/home/jaruga/.local/openssl-4.1.0-dev-fips-debug-e1eb88118a \
  ...

$ make
...
ossl_asn1.c: In function ‘obj_to_asn1bstr’:
ossl_asn1.c:242:9: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  242 |     bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
      |         ^~
ossl_asn1.c:242:22: error: ‘ASN1_STRING_FLAG_BITS_LEFT’ undeclared (first use in this function)
  242 |     bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
ossl_asn1.c:242:22: note: each undeclared identifier is reported only once for each function it appears in
ossl_asn1.c:243:9: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  243 |     bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits;
      |         ^~
ossl_asn1.c: In function ‘decode_bstr’:
ossl_asn1.c:377:15: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  377 |     len = bstr->length;
      |               ^~
ossl_asn1.c:379:12: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  379 |     if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT)
      |            ^~
ossl_asn1.c:379:22: error: ‘ASN1_STRING_FLAG_BITS_LEFT’ undeclared (first use in this function)
  379 |     if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT)
      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
ossl_asn1.c:380:28: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  380 |         *unused_bits = bstr->flags & 0x07;
      |                            ^~
In file included from ../.././include/ruby/internal/value_type.h:30,
                 from ../.././include/ruby/internal/fl_type.h:38,
                 from ../.././include/ruby/internal/core/rstring.h:30,
                 from ../.././include/ruby/internal/arithmetic/char.h:29,
                 from ../.././include/ruby/internal/arithmetic.h:24,
                 from ../.././include/ruby/ruby.h:28,
                 from ../.././include/ruby.h:38,
                 from ossl.h:16,
                 from ossl_asn1.c:10:
ossl_asn1.c:381:40: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  381 |     ret = rb_str_new((const char *)bstr->data, len);
      |                                        ^~
../.././include/ruby/internal/constant_p.h:33:55: note: in definition of macro ‘RBIMPL_CONSTANT_P’
   33 | # define RBIMPL_CONSTANT_P(expr) __builtin_constant_p(expr)
      |                                                       ^~~~
ossl_asn1.c:381:11: note: in expansion of macro ‘rb_str_new’
  381 |     ret = rb_str_new((const char *)bstr->data, len);
      |           ^~~~~~~~~~
In file included from ../.././include/ruby/intern.h:57,
                 from ../.././include/ruby/ruby.h:194:
ossl_asn1.c:381:40: error: invalid use of incomplete typedef ‘ASN1_BIT_STRING’ {aka ‘struct asn1_string_st’}
  381 |     ret = rb_str_new((const char *)bstr->data, len);
      |                                        ^~
../.././include/ruby/internal/intern/string.h:1503:21: note: in definition of macro ‘rb_str_new’
 1503 |       rb_str_new) ((str), (len)))
      |                     ^~~
At top level:
cc1: note: unrecognized command-line option ‘-Wno-self-assign’ may have been intended to silence earlier diagnostics
cc1: note: unrecognized command-line option ‘-Wno-parentheses-equality’ may have been intended to silence earlier diagnostics
cc1: note: unrecognized command-line option ‘-Wno-constant-logical-operand’ may have been intended to silence earlier diagnostics
make[2]: *** [Makefile:330: ossl_asn1.o] Error 1
make[2]: Leaving directory '/home/jaruga/var/git/ruby/ruby/ext/openssl'
make[1]: *** [exts.mk:297: ext/openssl/all] Error 2
make[1]: Leaving directory '/home/jaruga/var/git/ruby/ruby'
make: *** [uncommon.mk:346: build-ext] Error 2

@junaruga
Copy link
Member

junaruga commented Mar 16, 2026

I see the test failure on CI openssl maser branch case below. It is the same with the above failure.

https://github.com/ruby/openssl/actions/runs/23138225126/job/67207433887#step:8:52

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhenium @junaruga