[pull] master from ruby:master

NEWS.md

@@ -82,6 +82,11 @@ Note: We're only listing outstanding class updates.
     * A deprecated behavior, process creation by `Kernel#open` with a
       leading `|`, was removed.  [[Feature #19630]]
 
+* Array
+
+    * `Array#rfind` has been added as a more efficient alternative to `array.reverse_each.find` [[Feature #21678]]
+    * `Array#find` has been added as a more efficient override of `Enumerable#find` [[Feature #21678]]
+
 * Binding
 
     * `Binding#local_variables` does no longer include numbered parameters.
@@ -286,7 +291,7 @@ The following default gems are updated.
 * ipaddr 1.2.8
 * json 2.18.0
 * net-http 0.8.0
-* openssl 4.0.0.pre
+* openssl 4.0.0
 * optparse 0.8.1
 * pp 0.6.3
 * prism 1.6.0
@@ -478,4 +483,5 @@ A lot of work has gone into making Ractors more stable, performant, and usable.
 [Feature #21550]: https://bugs.ruby-lang.org/issues/21550
 [Feature #21557]: https://bugs.ruby-lang.org/issues/21557
 [Bug #21654]:     https://bugs.ruby-lang.org/issues/21654
+[Feature #21678]: https://bugs.ruby-lang.org/issues/21678
 [Feature #21701]: https://bugs.ruby-lang.org/issues/21701

box.c

@@ -31,16 +31,8 @@ VALUE rb_cBox = 0;
 VALUE rb_cBoxEntry = 0;
 VALUE rb_mBoxLoader = 0;
 
-static rb_box_t root_box_data = {
-    /* Initialize values lazily in Init_Box() */
-    (VALUE)NULL, 0,
-    (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL, (VALUE)NULL,
-    (struct st_table *)NULL, (struct st_table *)NULL, (VALUE)NULL, (VALUE)NULL,
-    false, false
-};
-
-static rb_box_t * root_box = &root_box_data;
-static rb_box_t * main_box = 0;
+static rb_box_t root_box[1]; /* Initialize in initialize_root_box() */
+static rb_box_t *main_box;
 static char *tmp_dir;
 static bool tmp_dir_has_dirsep;
 
@@ -290,7 +282,7 @@ box_entry_memsize(const void *ptr)
         rb_st_memsize(box->loading_table);
 }
 
-const rb_data_type_t rb_box_data_type = {
+static const rb_data_type_t rb_box_data_type = {
     "Ruby::Box::Entry",
     {
         rb_box_entry_mark,
@@ -301,7 +293,7 @@ const rb_data_type_t rb_box_data_type = {
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY // TODO: enable RUBY_TYPED_WB_PROTECTED when inserting write barriers
 };
 
-const rb_data_type_t rb_root_box_data_type = {
+static const rb_data_type_t rb_root_box_data_type = {
     "Ruby::Box::Root",
     {
         rb_box_entry_mark,
@@ -838,8 +830,6 @@ rb_box_require_relative(VALUE box, VALUE fname)
 static void
 initialize_root_box(void)
 {
-    VALUE root_box, entry;
-    ID id_box_entry;
     rb_vm_t *vm = GET_VM();
     rb_box_t *root = (rb_box_t *)rb_root_box();
 
@@ -864,6 +854,8 @@ initialize_root_box(void)
     vm->root_box = root;
 
     if (rb_box_available()) {
+        VALUE root_box, entry;
+        ID id_box_entry;
         CONST_ID(id_box_entry, "__box_entry__");
 
         root_box = rb_obj_alloc(rb_cBox);

ext/openssl/History.md

@@ -1,3 +1,88 @@
+Version 4.0.0
+=============
+
+Compatibility
+-------------
+
+* Ruby >= 2.7
+* OpenSSL >= 1.1.1, LibreSSL >= 3.9, and AWS-LC 1.66.0
+  - Removed support for OpenSSL 1.0.2-1.1.0 and LibreSSL 3.1-3.8.
+    [[GitHub #835]](https://github.com/ruby/openssl/issues/835)
+  - Added support for AWS-LC.
+    [[GitHub #833]](https://github.com/ruby/openssl/issues/833)
+
+
+Notable changes
+---------------
+
+* `OpenSSL::SSL`
+  - Reduce overhead when writing to `OpenSSL::SSL::SSLSocket`. `#syswrite` no
+    longer creates a temporary String object.
+    [[GitHub #831]](https://github.com/ruby/openssl/pull/831)
+  - Make `OpenSSL::SSL::SSLContext#min_version=` and `#max_version=` wrap the
+    corresponding OpenSSL APIs directly, and remove the fallback to SSL options.
+    [[GitHub #849]](https://github.com/ruby/openssl/pull/849)
+  - Add `OpenSSL::SSL::SSLContext#sigalgs=` and `#client_sigalgs=` for
+    specifying signature algorithms to use for connections.
+    [[GitHub #895]](https://github.com/ruby/openssl/pull/895)
+  - Rename `OpenSSL::SSL::SSLContext#ecdh_curves=` to `#groups=` following
+    the underlying OpenSSL API rename. This method is no longer specific to
+    ECDHE. The old method remains as an alias.
+    [[GitHub #900]](https://github.com/ruby/openssl/pull/900)
+  - Add `OpenSSL::SSL::SSLSocket#sigalg`, `#peer_sigalg`, and `#group` for
+    getting the signature algorithm and the key agreement group used in the
+    current connection.
+    [[GitHub #908]](https://github.com/ruby/openssl/pull/908)
+  - Enable `SSL_CTX_set_dh_auto()` for servers by default.
+    [[GitHub #924]](https://github.com/ruby/openssl/pull/924)
+  - Improve Ractor compatibility. Note that the internal-use constant
+    `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` is now frozen.
+    [[GitHub #925]](https://github.com/ruby/openssl/pull/925)
+* `OpenSSL::PKey`
+  - Remove `OpenSSL::PKey::EC::Point#mul` support with array arguments. The
+    underlying OpenSSL API has been removed, and the method has been deprecated
+    since ruby/openssl v3.0.0.
+    [[GitHub #843]](https://github.com/ruby/openssl/pull/843)
+  - `OpenSSL::PKey::{RSA,DSA,DH}#params` uses `nil` to indicate missing fields
+    instead of the number `0`.
+    [[GitHub #774]](https://github.com/ruby/openssl/pull/774)
+  - Unify `OpenSSL::PKey::PKeyError` classes. The former subclasses
+    `OpenSSL::PKey::DHError`, `OpenSSL::PKey::DSAError`,
+    `OpenSSL::PKey::ECError`, and `OpenSSL::PKey::RSAError` have been merged
+    into a single class.
+    [[GitHub #929]](https://github.com/ruby/openssl/pull/929)
+* `OpenSSL::Cipher`
+  - `OpenSSL::Cipher#encrypt` and `#decrypt` no longer accept arguments.
+    Passing passwords has been deprecated since Ruby 1.8.2 (released in 2004).
+    [[GitHub #887]](https://github.com/ruby/openssl/pull/887)
+  - `OpenSSL::Cipher#final` raises `OpenSSL::Cipher::AuthTagError` when the
+    integrity check fails for AEAD ciphers. `OpenSSL::Cipher::AuthTagError` is a
+    new subclass of `OpenSSL::Cipher::CipherError`, which was previously raised.
+    [[GitHub #939]](https://github.com/ruby/openssl/pull/939)
+  - `OpenSSL::Cipher.new` now raises `OpenSSL::Cipher::CipherError` instead of
+    `RuntimeError` when OpenSSL does not recognize the algorithm.
+    [[GitHub #958]](https://github.com/ruby/openssl/pull/958)
+  - Add support for "fetched" cipher algorithms with OpenSSL 3.0 or later.
+    [[GitHub #958]](https://github.com/ruby/openssl/pull/958)
+* `OpenSSL::Digest`
+  - `OpenSSL::Digest.new` now raises `OpenSSL::Digest::DigestError` instead of
+    `RuntimeError` when OpenSSL does not recognize the algorithm.
+    [[GitHub #958]](https://github.com/ruby/openssl/pull/958)
+  - Add support for "fetched" digest algorithms with OpenSSL 3.0 or later.
+    [[GitHub #958]](https://github.com/ruby/openssl/pull/958)
+* `OpenSSL::ASN1.decode` now assumes a 1950-2049 year range for `UTCTime`
+  according to RFC 5280. It previously used a 1969-2068 range. The encoder
+  has always used the 1950-2049 range.
+  [[GitHub #909]](https://github.com/ruby/openssl/pull/909)
+* `OpenSSL::OpenSSLError`, the base class for all ruby/openssl errors, carry
+  an additional attribute `#errors` to keep the content of OpenSSL's error
+  queue. Also, add `#detailed_message` for Ruby 3.2 or later.
+  [[GitHub #976]](https://github.com/ruby/openssl/pull/976)
+* `OpenSSL::PKCS7.new` raises `OpenSSL::PKCS7::PKCS7Error` instead of
+  `ArgumentError` on error to be consistent with other constructors.
+  [[GitHub #983]](https://github.com/ruby/openssl/pull/983)
+
+
 Version 3.3.2
 =============
 

ext/openssl/lib/openssl.rb

@@ -23,12 +23,16 @@
 require_relative 'openssl/x509'
 
 module OpenSSL
-  # call-seq:
-  #   OpenSSL.secure_compare(string, string) -> boolean
+  # :call-seq:
+  #    OpenSSL.secure_compare(string, string) -> true or false
   #
   # Constant time memory comparison. Inputs are hashed using SHA-256 to mask
   # the length of the secret. Returns +true+ if the strings are identical,
   # +false+ otherwise.
+  #
+  # This method is expensive due to the SHA-256 hashing. In most cases, where
+  # the input lengths are known to be equal or are not sensitive,
+  # OpenSSL.fixed_length_secure_compare should be used instead.
   def self.secure_compare(a, b)
     hashed_a = OpenSSL::Digest.digest('SHA256', a)
     hashed_b = OpenSSL::Digest.digest('SHA256', b)

ext/openssl/lib/openssl/digest.rb

@@ -57,7 +57,7 @@ class Digest < Digest; end # :nodoc:
   #   OpenSSL::Digest("MD5")
   #   # => OpenSSL::Digest::MD5
   #
-  #   Digest("Foo")
+  #   OpenSSL::Digest("Foo")
   #   # => NameError: wrong constant name Foo
 
   def Digest(name)

ext/openssl/lib/openssl/version.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
 module OpenSSL
-  VERSION = "4.0.0.pre"
+  # The version string of Ruby/OpenSSL.
+  VERSION = "4.0.0"
 end

ext/openssl/openssl.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "openssl"
-  spec.version       = "4.0.0.pre"
+  spec.version       = "4.0.0"
   spec.authors       = ["Martin Bosslet", "SHIBATA Hiroshi", "Zachary Scott", "Kazuki Yamaguchi"]
   spec.email         = ["ruby-core@ruby-lang.org"]
   spec.summary       = %q{SSL/TLS and general-purpose cryptography for Ruby}