[pull] master from ruby:master

.github/auto_request_review.yml

@@ -12,9 +12,8 @@ files:
   'tool/zjit_bisect.rb': [team:jit]
   'doc/jit/*': [team:jit]
   # Skip github workflow files because the team don't necessarily need to review dependabot updates for GitHub Actions. It's noisy in notifications, and they're auto-merged anyway.
+  '.github/workflows/yjit-*.yml': []
+  '.github/workflows/zjit-*.yml': []
 options:
   ignore_draft: true
-  # This currently doesn't work as intended. We want to skip reviews when only
-  # cruby_bingings.inc.rs is modified, but this skips reviews even when other
-  # files are modified as well. To be enabled after fixing the behavior.
-  #last_files_match_only: true
+  last_files_match_only: true

.github/workflows/auto_request_review.yml

@@ -14,7 +14,8 @@ jobs:
     if: ${{ github.repository == 'ruby/ruby' && github.base_ref == 'master' }}
     steps:
       - name: Request review based on files changes and/or groups the author belongs to
-        uses: necojackarc/auto-request-review@e89da1a8cd7c8c16d9de9c6e763290b6b0e3d424 # v0.13.0
+        # Using a fork until https://github.com/necojackarc/auto-request-review/pull/135 is merged
+        uses: k0kubun/auto-request-review@0df295a0ff5c5d302770f589497280132131c63d # master
         with:
           # scope: public_repo
           token: ${{ secrets.MATZBOT_AUTO_REQUEST_REVIEW_TOKEN }}

.github/workflows/post_push.yml

@@ -15,6 +15,8 @@ jobs:
     if: ${{ github.repository == 'ruby/ruby' }}
     steps:
       - name: Sync git.ruby-lang.org
+        id: sync-git
+        continue-on-error: true
         run: |
           mkdir -p ~/.ssh
           (umask 066; printenv RUBY_GIT_SYNC_PRIVATE_KEY > ~/.ssh/id_ed25519)
@@ -73,6 +75,8 @@ jobs:
         if: ${{ github.ref == 'refs/heads/master' }}
 
       - name: Push PR notes to GitHub
+        id: pr-notes
+        continue-on-error: true
         run: ruby tool/notes-github-pr.rb "$(pwd)/.git" "$GITHUB_OLD_SHA" "$GITHUB_NEW_SHA" refs/heads/master
         env:
           GITHUB_OLD_SHA: ${{ github.event.before }}
@@ -83,6 +87,10 @@ jobs:
           EMAIL: svn-admin@ruby-lang.org
         if: ${{ github.ref == 'refs/heads/master' }}
 
+      - name: Check for failures
+        run: exit 1
+        if: ${{ steps.sync-git.outcome == 'failure' || steps.pr-notes.outcome == 'failure' }}
+
       - uses: ./.github/actions/slack
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SIMPLER_ALERTS_URL }} # ruby-lang slack: ruby/simpler-alerts-bot

ext/openssl/extconf.rb

@@ -169,6 +169,9 @@ def find_openssl_library
 # added in 3.5.0
 have_func("SSL_get0_peer_signature_name(NULL, NULL)", ssl_h)
 
+# added in 4.0.0
+have_func("ASN1_BIT_STRING_set1(NULL, NULL, 0, 0)", "openssl/asn1.h")
+
 Logging::message "=== Checking done. ===\n"
 
 # Append flags from environment variables.

ext/openssl/openssl_missing.h

@@ -29,4 +29,27 @@
 #  define EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)
 #endif
 
+/* added in 4.0.0 */
+#ifndef HAVE_ASN1_BIT_STRING_SET1
+static inline int
+ASN1_BIT_STRING_set1(ASN1_BIT_STRING *bitstr, const uint8_t *data,
+                     size_t length, int unused_bits)
+{
+    if (length > INT_MAX || !ASN1_STRING_set(bitstr, data, (int)length))
+        return 0;
+    bitstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
+    bitstr->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits;
+    return 1;
+}
+
+static inline int
+ASN1_BIT_STRING_get_length(const ASN1_BIT_STRING *bitstr, size_t *length,
+                           int *unused_bits)
+{
+    *length = bitstr->length;
+    *unused_bits = bitstr->flags & 0x07;
+    return 1;
+}
+#endif
+
 #endif /* _OSSL_OPENSSL_MISSING_H_ */

ext/openssl/ossl_asn1.c

@@ -228,19 +228,19 @@ obj_to_asn1int(VALUE obj)
 }
 
 static ASN1_BIT_STRING*
-obj_to_asn1bstr(VALUE obj, long unused_bits)
+obj_to_asn1bstr(VALUE obj, int unused_bits)
 {
     ASN1_BIT_STRING *bstr;
 
     if (unused_bits < 0 || unused_bits > 7)
         ossl_raise(eASN1Error, "unused_bits for a bitstring value must be in "\
                    "the range 0 to 7");
     StringValue(obj);
-    if(!(bstr = ASN1_BIT_STRING_new()))
-        ossl_raise(eASN1Error, NULL);
-    ASN1_BIT_STRING_set(bstr, (unsigned char *)RSTRING_PTR(obj), RSTRING_LENINT(obj));
-    bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-    bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits;
+    if (!(bstr = ASN1_BIT_STRING_new()))
+        ossl_raise(eASN1Error, "ASN1_BIT_STRING_new");
+    if (!ASN1_BIT_STRING_set1(bstr, (uint8_t *)RSTRING_PTR(obj),
+                              RSTRING_LEN(obj), unused_bits))
+        ossl_raise(eASN1Error, "ASN1_BIT_STRING_set1");
 
     return bstr;
 }
@@ -364,22 +364,25 @@ decode_int(unsigned char* der, long length)
 }
 
 static VALUE
-decode_bstr(unsigned char* der, long length, long *unused_bits)
+decode_bstr(unsigned char* der, long length, int *unused_bits)
 {
     ASN1_BIT_STRING *bstr;
     const unsigned char *p;
-    long len;
+    size_t len;
     VALUE ret;
+    int state;
 
     p = der;
-    if(!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length)))
-        ossl_raise(eASN1Error, NULL);
-    len = bstr->length;
-    *unused_bits = 0;
-    if(bstr->flags & ASN1_STRING_FLAG_BITS_LEFT)
-        *unused_bits = bstr->flags & 0x07;
-    ret = rb_str_new((const char *)bstr->data, len);
+    if (!(bstr = d2i_ASN1_BIT_STRING(NULL, &p, length)))
+        ossl_raise(eASN1Error, "d2i_ASN1_BIT_STRING");
+    if (!ASN1_BIT_STRING_get_length(bstr, &len, unused_bits)) {
+        ASN1_BIT_STRING_free(bstr);
+        ossl_raise(eASN1Error, "ASN1_BIT_STRING_get_length");
+    }
+    ret = ossl_str_new((const char *)ASN1_STRING_get0_data(bstr), len, &state);
     ASN1_BIT_STRING_free(bstr);
+    if (state)
+        rb_jump_tag(state);
 
     return ret;
 }
@@ -763,7 +766,7 @@ int_ossl_asn1_decode0_prim(unsigned char **pp, long length, long hlen, int tag,
 {
     VALUE value, asn1data;
     unsigned char *p;
-    long flag = 0;
+    int flag = 0;
 
     p = *pp;
 
@@ -820,7 +823,7 @@ int_ossl_asn1_decode0_prim(unsigned char **pp, long length, long hlen, int tag,
         asn1data = rb_obj_alloc(klass);
         ossl_asn1_initialize(4, args, asn1data);
         if(tag == V_ASN1_BIT_STRING){
-            rb_ivar_set(asn1data, sivUNUSED_BITS, LONG2NUM(flag));
+            rb_ivar_set(asn1data, sivUNUSED_BITS, INT2NUM(flag));
         }
     }
     else {

ext/openssl/ossl_ocsp.c

@@ -922,7 +922,7 @@ ossl_ocspbres_get_status(VALUE self)
         VALUE ext = rb_ary_new();
         int ext_count = OCSP_SINGLERESP_get_ext_count(single);
         for (int j = 0; j < ext_count; j++) {
-            X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
+            const X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
             rb_ary_push(ext, ossl_x509ext_new(x509ext));
         }
         rb_ary_push(ary, ext);
@@ -1341,7 +1341,6 @@ static VALUE
 ossl_ocspsres_get_extensions(VALUE self)
 {
     OCSP_SINGLERESP *sres;
-    X509_EXTENSION *ext;
     int count, i;
     VALUE ary;
 
@@ -1350,7 +1349,7 @@ ossl_ocspsres_get_extensions(VALUE self)
     count = OCSP_SINGLERESP_get_ext_count(sres);
     ary = rb_ary_new2(count);
     for (i = 0; i < count; i++) {
-        ext = OCSP_SINGLERESP_get_ext(sres, i);
+        const X509_EXTENSION *ext = OCSP_SINGLERESP_get_ext(sres, i);
         rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
     }
 

ext/openssl/ossl_pkey.h

@@ -71,7 +71,6 @@ void Init_ossl_dh(void);
  * EC
  */
 extern VALUE cEC;
-VALUE ossl_ec_new(EVP_PKEY *);
 void Init_ossl_ec(void);
 
 #define OSSL_PKEY_BN_DEF_GETTER0(_keytype, _type, _name, _get)          \

ext/openssl/ossl_ts.c

@@ -706,7 +706,7 @@ ossl_ts_resp_get_tsa_certificate(VALUE self)
     TS_RESP *resp;
     PKCS7 *p7;
     PKCS7_SIGNER_INFO *ts_info;
-    X509 *cert;
+    const X509 *cert;
 
     GetTSResponse(self, resp);
     if (!(p7 = TS_RESP_get_token(resp)))

ext/openssl/ossl_x509.h

@@ -29,7 +29,7 @@ void Init_ossl_x509(void);
  */
 extern VALUE cX509Attr;
 
-VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
+VALUE ossl_x509attr_new(const X509_ATTRIBUTE *);
 X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
 void Init_ossl_x509attr(void);
 
@@ -38,15 +38,15 @@ void Init_ossl_x509attr(void);
  */
 extern VALUE cX509Cert;
 
-VALUE ossl_x509_new(X509 *);
+VALUE ossl_x509_new(const X509 *);
 X509 *GetX509CertPtr(VALUE);
 X509 *DupX509CertPtr(VALUE);
 void Init_ossl_x509cert(void);
 
 /*
  * X509CRL
  */
-VALUE ossl_x509crl_new(X509_CRL *);
+VALUE ossl_x509crl_new(const X509_CRL *);
 X509_CRL *GetX509CRLPtr(VALUE);
 void Init_ossl_x509crl(void);
 
@@ -55,14 +55,14 @@ void Init_ossl_x509crl(void);
  */
 extern VALUE cX509Ext;
 
-VALUE ossl_x509ext_new(X509_EXTENSION *);
+VALUE ossl_x509ext_new(const X509_EXTENSION *);
 X509_EXTENSION *GetX509ExtPtr(VALUE);
 void Init_ossl_x509ext(void);
 
 /*
  * X509Name
  */
-VALUE ossl_x509name_new(X509_NAME *);
+VALUE ossl_x509name_new(const X509_NAME *);
 X509_NAME *GetX509NamePtr(VALUE);
 void Init_ossl_x509name(void);
 
@@ -77,7 +77,7 @@ void Init_ossl_x509req(void);
  */
 extern VALUE cX509Rev;
 
-VALUE ossl_x509revoked_new(X509_REVOKED *);
+VALUE ossl_x509revoked_new(const X509_REVOKED *);
 X509_REVOKED *DupX509RevokedPtr(VALUE);
 void Init_ossl_x509revoked(void);
 

ext/openssl/ossl_x509attr.c

@@ -48,13 +48,14 @@ static const rb_data_type_t ossl_x509attr_type = {
  * Public
  */
 VALUE
-ossl_x509attr_new(X509_ATTRIBUTE *attr)
+ossl_x509attr_new(const X509_ATTRIBUTE *attr)
 {
     X509_ATTRIBUTE *new;
     VALUE obj;
 
     obj = NewX509Attr(cX509Attr);
-    new = X509_ATTRIBUTE_dup(attr);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_ATTRIBUTE_dup((X509_ATTRIBUTE *)attr);
     if (!new)
         ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
     SetX509Attr(obj, new);
@@ -196,7 +197,7 @@ ossl_x509attr_set_value(VALUE self, VALUE value)
         ossl_raise(eX509AttrError, "attribute value must be ASN1::Set");
 
     if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
-        ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+        const ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
         X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
         if (!new_attr) {
             sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
@@ -240,7 +241,7 @@ ossl_x509attr_get_value(VALUE self)
 
     count = X509_ATTRIBUTE_count(attr);
     for (i = 0; i < count; i++)
-        sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+        sk_ASN1_TYPE_push(sk, (ASN1_TYPE *)X509_ATTRIBUTE_get0_type(attr, i));
 
     if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
         sk_ASN1_TYPE_free(sk);

ext/openssl/ossl_x509cert.c

@@ -48,13 +48,14 @@ static const rb_data_type_t ossl_x509_type = {
  * Public
  */
 VALUE
-ossl_x509_new(X509 *x509)
+ossl_x509_new(const X509 *x509)
 {
     X509 *new;
     VALUE obj;
 
     obj = NewX509(cX509Cert);
-    new = X509_dup(x509);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    new = X509_dup((X509 *)x509);
     if (!new)
         ossl_raise(eX509CertError, "X509_dup");
     SetX509(obj, new);
@@ -345,7 +346,7 @@ static VALUE
 ossl_x509_get_subject(VALUE self)
 {
     X509 *x509;
-    X509_NAME *name;
+    const X509_NAME *name;
 
     GetX509(self, x509);
     if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
@@ -380,7 +381,7 @@ static VALUE
 ossl_x509_get_issuer(VALUE self)
 {
     X509 *x509;
-    X509_NAME *name;
+    const X509_NAME *name;
 
     GetX509(self, x509);
     if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
@@ -603,14 +604,13 @@ ossl_x509_get_extensions(VALUE self)
 {
     X509 *x509;
     int count, i;
-    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509(self, x509);
     count = X509_get_ext_count(x509);
     ary = rb_ary_new_capa(count);
     for (i=0; i<count; i++) {
-        ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
+        const X509_EXTENSION *ext = X509_get_ext(x509, i);
         rb_ary_push(ary, ossl_x509ext_new(ext));
     }
 

ext/openssl/ossl_x509crl.c

@@ -58,13 +58,14 @@ GetX509CRLPtr(VALUE obj)
 }
 
 VALUE
-ossl_x509crl_new(X509_CRL *crl)
+ossl_x509crl_new(const X509_CRL *crl)
 {
     X509_CRL *tmp;
     VALUE obj;
 
     obj = NewX509CRL(cX509CRL);
-    tmp = X509_CRL_dup(crl);
+    /* OpenSSL 1.1.1 takes a non-const pointer */
+    tmp = X509_CRL_dup((X509_CRL *)crl);
     if (!tmp)
         ossl_raise(eX509CRLError, "X509_CRL_dup");
     SetX509CRL(obj, tmp);
@@ -289,7 +290,7 @@ ossl_x509crl_get_revoked(VALUE self)
     num = sk_X509_REVOKED_num(sk);
     ary = rb_ary_new_capa(num);
     for(i=0; i<num; i++) {
-        X509_REVOKED *rev = sk_X509_REVOKED_value(sk, i);
+        const X509_REVOKED *rev = sk_X509_REVOKED_value(sk, i);
         rb_ary_push(ary, ossl_x509revoked_new(rev));
     }
 
@@ -443,14 +444,13 @@ ossl_x509crl_get_extensions(VALUE self)
 {
     X509_CRL *crl;
     int count, i;
-    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509CRL(self, crl);
     count = X509_CRL_get_ext_count(crl);
     ary = rb_ary_new_capa(count);
     for (i=0; i<count; i++) {
-        ext = X509_CRL_get_ext(crl, i); /* NO DUP - don't free! */
+        const X509_EXTENSION *ext = X509_CRL_get_ext(crl, i);
         rb_ary_push(ary, ossl_x509ext_new(ext));
     }