pkey: avoid creating multiple wrapper objects for single EVP_PKEY #817

Closed
wants to merge 2 commits into from


rhenium
Member

@rhenium rhenium commented Nov 15, 2024

Currently, it is possible to create multiple OpenSSL::PKey::PKey instances that wrap the same EVP_PKEY object through ossl_pkey_wrap(). This behavior was not intentional and doesn't offer any useful functionality.

As a result, the frozen state of an OpenSSL::PKey::PKey instance is meaningless. An upcoming change to make OpenSSL classes shareable between ractors relies on the assumption that frozen objects are thread-safe without the GVL.

Let's keep track of the wrapper Ruby object associated with EVP_PKEY to ensure that only one Ruby object wraps a given EVP_PKEY.

While other OpenSSL types have reference counters, EVP_PKEY is the only type in ruby/openssl where duplicate wrapper objects can be created.

Among the functions named ossl_*_new(), ossl_pkey_new() is the only one
that takes the ownership of the passed OpenSSL object. Let's rename it
to avoid confusion.
@rhenium
Member Author

rhenium commented Nov 22, 2024

Apparently, EVP_PKEY did not have ex_data until OpenSSL 3.0.

This PR is also mostly intended for older OpenSSL than version 3.0 where a pkey is mutable and it's necessary to track the frozen state to make it safely shareable between ractors.

@rhenium rhenium closed this Nov 22, 2024
@HoneyryderChuck
Contributor

@rhenium Is support for ruby 2.7 still necessary? Could one just drop it and move on with the assumption that keys are immutable?

@rhenium
Member Author

rhenium commented Dec 7, 2024

This depends on OpenSSL 3.0, not Ruby 3.0.

I don't think we can drop support for OpenSSL 1.1.1 yet, and not in a few years. For example, Ubuntu 20.04 and RHEL 8 use it: https://rubyci.org/
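
The aliasing problem from the pull request description, and the effect of keeping one wrapper per native object, as a small pure-Ruby model. This is an added example, not code from ruby/openssl: `NativeKey`, `KeyWrapper`, `wrap_untracked`, `wrap_tracked` and the `WeakMap` registry are hypothetical stand-ins for EVP_PKEY, OpenSSL::PKey::PKey and the tracking the PR proposes.

```ruby
# Pure-Ruby model. NativeKey stands in for a C-level EVP_PKEY and KeyWrapper
# for OpenSSL::PKey::PKey; none of these names exist in ruby/openssl.
# The native object is mutable, as a pkey is before OpenSSL 3.0.
NativeKey = Struct.new(:material)

class KeyWrapper
  def initialize(native)
    @native = native
  end

  def material
    @native.material
  end

  # The wrapper checks its own frozen flag before touching the native object.
  def material=(value)
    raise FrozenError, "can't modify frozen #{self.class}" if frozen?
    @native.material = value
  end
end

# Behaviour described in the PR: each wrap call creates a new wrapper.
def wrap_untracked(native)
  KeyWrapper.new(native)
end

# Tracked variant: one wrapper per native object. The WeakMap registry is an
# assumption of this model, chosen so the registry does not keep wrappers alive.
WRAPPERS = ObjectSpace::WeakMap.new

def wrap_tracked(native)
  WRAPPERS[native] ||= KeyWrapper.new(native)
end

# True when a write through a second wrapper changes the key that the first,
# frozen wrapper exposes.
def frozen_bypassed?(wrap)
  native = NativeKey.new("original")
  first = wrap.call(native).freeze
  second = wrap.call(native)
  second.material = "replaced"
  first.material == "replaced"
rescue FrozenError
  false
end

puts "untracked: #{frozen_bypassed?(method(:wrap_untracked))}"
puts "tracked:   #{frozen_bypassed?(method(:wrap_tracked))}"
```

With untracked wrapping the frozen wrapper's key changes underneath it; with tracked wrapping the second lookup returns the same frozen object and the write raises `FrozenError`.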
