openssl 2.1.0.beta1 → 2.1.0.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4cc6326c79cf145b9fb1f5a44a7b55a455ae0980
-  data.tar.gz: 6a7dfe45eb2335413661a03fe31b883890052b78
+SHA256:
+  metadata.gz: 4dea8ca704a58adc4312acd244662598b72371fb69228c123b0adf64fdca4e42
+  data.tar.gz: e45d8324405378f31a70fc2b56d580279b4fd765531d8569955eb0b4de06d604
 SHA512:
-  metadata.gz: 621847e9bf167872c49c12c6adea64b4516b74818377808918ff7cb1a032381f88e1c5b3d3679da80ee7a1c89d4848c620c2876436e41af82ed9a15330a57fdd
-  data.tar.gz: 352c40ced871126e88f96ef339a7c455e974794ef98688527a9fddcc4e0e6c6e6297bd0591dbd74c185bee19bdc7500a16f50b8c6c17fd08fe09584d14b9b94f
+  metadata.gz: b42ba538068f938ae0f5301e202ca7aabc0cfbb78d8f66b06898dc248afd96e84944a8578159aed34f4a90d7d3e0f92cca4afd65ca311034ff48ec26e01c993a
+  data.tar.gz: 2ca3439c2e39e598716df0bfc657b60a024abedc0a937f6120760008ae159363cb3d03d067ce15eba7745b8462cf9b2cf2d43b5a6a2b000a87e06ba176fb894f

data/History.md

@@ -1,18 +1,21 @@
-Version 2.1.0.beta1
+Version 2.1.0.beta2
 ===================
 
 Notable changes
 ---------------
 
-* Support for OpenSSL versions before 1.0.1 is removed.
+* Support for OpenSSL versions before 1.0.1 and LibreSSL versions before 2.5
+  is removed.
   [[GitHub #86]](https://github.com/ruby/openssl/pull/86)
 * OpenSSL::BN#negative?, #+@, and #-@ are added.
 * OpenSSL::SSL::SSLSocket#connect raises a more informative exception when
   certificate verification fails.
   [[GitHub #99]](https://github.com/ruby/openssl/pull/99)
-* OpenSSL::KDF module is newly added. Support for scrypt is added.
+* OpenSSL::KDF module is newly added. In addition to PBKDF2-HMAC that has moved
+  from OpenSSL::PKCS5, scrypt and HKDF are supported.
   [[GitHub #109]](https://github.com/ruby/openssl/pull/109)
-* OpenSSL.fips_mode is added. We have had the setter, but not the getter.
+  [[GitHub #173]](https://github.com/ruby/openssl/pull/173)
+* OpenSSL.fips_mode is added. We had the setter, but not the getter.
   [[GitHub #125]](https://github.com/ruby/openssl/pull/125)
 * OpenSSL::OCSP::Request#signed? is added.
 * OpenSSL::ASN1 handles the indefinite length form better. OpenSSL::ASN1.decode
@@ -22,11 +25,51 @@ Notable changes
 * OpenSSL::X509::Name#add_entry now accepts two additional keyword arguments
   'loc' and 'set'.
   [[GitHub #94]](https://github.com/ruby/openssl/issues/94)
-* OpenSSL::SSL::SSLContext#min_version= and #max_version= are added.
+* OpenSSL::SSL::SSLContext#min_version= and #max_version= are added to replace
+  #ssl_version= that was built on top of the deprecated OpenSSL C API. Use of
+  that method and the constant OpenSSL::SSL::SSLContext::METHODS is now
+  deprecated.
   [[GitHub #142]](https://github.com/ruby/openssl/pull/142)
 * OpenSSL::X509::Name#to_utf8 is added.
   [[GitHub #26]](https://github.com/ruby/openssl/issues/26)
   [[GitHub #143]](https://github.com/ruby/openssl/pull/143)
+* OpenSSL::X509::{Extension,Attribute,Certificate,CRL,Revoked,Request} can be
+  compared with == operator.
+  [[GitHub #161]](https://github.com/ruby/openssl/pull/161)
+* TLS Fallback Signaling Cipher Suite Value (SCSV) support is added.
+  [[GitHub #165]](https://github.com/ruby/openssl/pull/165)
+* Build failure with OpenSSL 1.1 built with no-deprecated is fixed.
+  [[GitHub #160]](https://github.com/ruby/openssl/pull/160)
+* OpenSSL::Buffering#write accepts an arbitrary number of arguments.
+  [[Feature #9323]](https://bugs.ruby-lang.org/issues/9323)
+  [[GitHub #162]](https://github.com/ruby/openssl/pull/162)
+* OpenSSL::PKey::RSA#sign_pss and #verify_pss are added. They perform RSA-PSS
+  signature and verification.
+  [[GitHub #75]](https://github.com/ruby/openssl/issues/75)
+  [[GitHub #76]](https://github.com/ruby/openssl/pull/76)
+  [[GitHub #169]](https://github.com/ruby/openssl/pull/169)
+* OpenSSL::SSL::SSLContext#add_certificate is added.
+  [[GitHub #167]](https://github.com/ruby/openssl/pull/167)
+
+
+Version 2.0.6
+=============
+
+Bug fixes
+---------
+
+* The session_remove_cb set to an OpenSSL::SSL::SSLContext is no longer called
+  during GC.
+* A possible deadlock in OpenSSL::SSL::SSLSocket#sysread is fixed.
+  [[GitHub #139]](https://github.com/ruby/openssl/pull/139)
+* OpenSSL::BN#hash could return an unnormalized fixnum value on Windows.
+  [[Bug #13877]](https://bugs.ruby-lang.org/issues/13877)
+* OpenSSL::SSL::SSLSocket#sysread and #sysread_nonblock set the length of the
+  destination buffer String to 0 on error.
+  [[GitHub #153]](https://github.com/ruby/openssl/pull/153)
+* Possible deadlock is fixed. This happened only when built with older versions
+  of OpenSSL (before 1.1.0) or LibreSSL.
+  [[GitHub #155]](https://github.com/ruby/openssl/pull/155)
 
 
 Version 2.0.5
@@ -181,7 +224,7 @@ Notable changes
   - A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
     is enabled, and the SNI hostname is also set, the hostname verification on
     the server certificate is automatically performed. It is now enabled by
-    OpenSSL::SSL::Context#set_params.
+    OpenSSL::SSL::SSLContext#set_params.
     [[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
 
 Removals

data/ext/openssl/openssl_missing.h

@@ -209,6 +209,10 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #  define X509_get0_notAfter(x) X509_get_notAfter(x)
 #  define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
 #  define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
+#  define X509_set1_notBefore(x, t) X509_set_notBefore(x, t)
+#  define X509_set1_notAfter(x, t) X509_set_notAfter(x, t)
+#  define X509_CRL_set1_lastUpdate(x, t) X509_CRL_set_lastUpdate(x, t)
+#  define X509_CRL_set1_nextUpdate(x, t) X509_CRL_set_nextUpdate(x, t)
 #endif
 
 #if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)

data/ext/openssl/ossl.c

@@ -517,40 +517,53 @@ print_mem_leaks(VALUE self)
 /**
  * Stores locks needed for OpenSSL thread safety
  */
-static rb_nativethread_lock_t *ossl_locks;
+struct CRYPTO_dynlock_value {
+    rb_nativethread_lock_t lock;
+    rb_nativethread_id_t owner;
+    size_t count;
+};
 
 static void
-ossl_lock_unlock(int mode, rb_nativethread_lock_t *lock)
+ossl_lock_init(struct CRYPTO_dynlock_value *l)
 {
-    if (mode & CRYPTO_LOCK) {
-	rb_nativethread_lock_lock(lock);
-    } else {
-	rb_nativethread_lock_unlock(lock);
-    }
+    rb_nativethread_lock_initialize(&l->lock);
+    l->count = 0;
 }
 
 static void
-ossl_lock_callback(int mode, int type, const char *file, int line)
+ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l)
 {
-    ossl_lock_unlock(mode, &ossl_locks[type]);
+    if (mode & CRYPTO_LOCK) {
+	/* TODO: rb_nativethread_id_t is not necessarily compared with ==. */
+	rb_nativethread_id_t tid = rb_nativethread_self();
+	if (l->count && l->owner == tid) {
+	    l->count++;
+	    return;
+	}
+	rb_nativethread_lock_lock(&l->lock);
+	l->owner = tid;
+	l->count = 1;
+    } else {
+	if (!--l->count)
+	    rb_nativethread_lock_unlock(&l->lock);
+    }
 }
 
-struct CRYPTO_dynlock_value {
-    rb_nativethread_lock_t lock;
-};
-
 static struct CRYPTO_dynlock_value *
 ossl_dyn_create_callback(const char *file, int line)
 {
-    struct CRYPTO_dynlock_value *dynlock = (struct CRYPTO_dynlock_value *)OPENSSL_malloc((int)sizeof(struct CRYPTO_dynlock_value));
-    rb_nativethread_lock_initialize(&dynlock->lock);
+    /* Do not use xmalloc() here, since it may raise NoMemoryError */
+    struct CRYPTO_dynlock_value *dynlock =
+	OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value));
+    if (dynlock)
+	ossl_lock_init(dynlock);
     return dynlock;
 }
 
 static void
 ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
 {
-    ossl_lock_unlock(mode, &l->lock);
+    ossl_lock_unlock(mode, l);
 }
 
 static void
@@ -566,21 +579,22 @@ static void ossl_threadid_func(CRYPTO_THREADID *id)
     CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self());
 }
 
+static struct CRYPTO_dynlock_value *ossl_locks;
+
+static void
+ossl_lock_callback(int mode, int type, const char *file, int line)
+{
+    ossl_lock_unlock(mode, &ossl_locks[type]);
+}
+
 static void Init_ossl_locks(void)
 {
     int i;
     int num_locks = CRYPTO_num_locks();
 
-    if ((unsigned)num_locks >= INT_MAX / (int)sizeof(VALUE)) {
-	rb_raise(rb_eRuntimeError, "CRYPTO_num_locks() is too big: %d", num_locks);
-    }
-    ossl_locks = (rb_nativethread_lock_t *) OPENSSL_malloc(num_locks * (int)sizeof(rb_nativethread_lock_t));
-    if (!ossl_locks) {
-	rb_raise(rb_eNoMemError, "CRYPTO_num_locks() is too big: %d", num_locks);
-    }
-    for (i = 0; i < num_locks; i++) {
-	rb_nativethread_lock_initialize(&ossl_locks[i]);
-    }
+    ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks);
+    for (i = 0; i < num_locks; i++)
+	ossl_lock_init(&ossl_locks[i]);
 
     CRYPTO_THREADID_set_callback(ossl_threadid_func);
     CRYPTO_set_locking_callback(ossl_lock_callback);
@@ -1095,25 +1109,14 @@ Init_openssl(void)
     /*
      * Init all digests, ciphers
      */
-    /* CRYPTO_malloc_init(); */
-    /* ENGINE_load_builtin_engines(); */
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+    if (!OPENSSL_init_ssl(0, NULL))
+        rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl");
+#else
     OpenSSL_add_ssl_algorithms();
     OpenSSL_add_all_algorithms();
     ERR_load_crypto_strings();
     SSL_load_error_strings();
-
-    /*
-     * FIXME:
-     * On unload do:
-     */
-#if 0
-    CONF_modules_unload(1);
-    destroy_ui_method();
-    EVP_cleanup();
-    ENGINE_cleanup();
-    CRYPTO_cleanup_all_ex_data();
-    ERR_remove_state(0);
-    ERR_free_strings();
 #endif
 
     /*
@@ -1135,7 +1138,11 @@ Init_openssl(void)
     /*
      * Version of OpenSSL the ruby OpenSSL extension is running with
      */
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+    rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION)));
+#else
     rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
+#endif
 
     /*
      * Version number of OpenSSL the ruby OpenSSL extension was built with

data/ext/openssl/ossl.h

@@ -35,6 +35,11 @@
 #if !defined(OPENSSL_NO_OCSP)
 #  include <openssl/ocsp.h>
 #endif
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/dh.h>
 
 /*
  * Common Module

data/ext/openssl/ossl_bn.c

@@ -979,20 +979,20 @@ static VALUE
 ossl_bn_hash(VALUE self)
 {
     BIGNUM *bn;
-    VALUE hash;
+    VALUE tmp, hash;
     unsigned char *buf;
     int len;
 
     GetBN(self, bn);
     len = BN_num_bytes(bn);
-    buf = xmalloc(len);
+    buf = ALLOCV(tmp, len);
     if (BN_bn2bin(bn, buf) != len) {
-	xfree(buf);
-	ossl_raise(eBNError, NULL);
+	ALLOCV_END(tmp);
+	ossl_raise(eBNError, "BN_bn2bin");
     }
 
-    hash = INT2FIX(rb_memhash(buf, len));
-    xfree(buf);
+    hash = ST2FIX(rb_memhash(buf, len));
+    ALLOCV_END(tmp);
 
     return hash;
 }

data/ext/openssl/ossl_cipher.c

@@ -508,7 +508,7 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
     StringValue(iv);
     GetCipher(self, ctx);
 
-    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
     if (!iv_len)
 	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
@@ -535,7 +535,7 @@ ossl_cipher_is_authenticated(VALUE self)
 
     GetCipher(self, ctx);
 
-    return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
+    return (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
 }
 
 /*
@@ -569,6 +569,8 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
     in_len = RSTRING_LEN(data);
 
     GetCipher(self, ctx);
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
+	ossl_raise(eCipherError, "AEAD not supported by this cipher");
 
     if (!ossl_cipher_update_long(ctx, NULL, &out_len, in, in_len))
         ossl_raise(eCipherError, "couldn't set additional authenticated data");
@@ -606,7 +608,7 @@ ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
 
     GetCipher(self, ctx);
 
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
 
     ret = rb_str_new(NULL, tag_len);
@@ -641,7 +643,7 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
     tag_len = RSTRING_LENINT(vtag);
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
@@ -668,7 +670,7 @@ ossl_cipher_set_auth_tag_len(VALUE self, VALUE vlen)
     EVP_CIPHER_CTX *ctx;
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "AEAD not supported by this cipher");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, NULL))
@@ -695,7 +697,7 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
     EVP_CIPHER_CTX *ctx;
 
     GetCipher(self, ctx);
-    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "cipher does not support AEAD");
 
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL))
@@ -786,7 +788,7 @@ ossl_cipher_iv_length(VALUE self)
     int len = 0;
 
     GetCipher(self, ctx);
-    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER)
 	len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
     if (!len)
 	len = EVP_CIPHER_CTX_iv_length(ctx);

data/ext/openssl/ossl_engine.c

@@ -46,13 +46,25 @@ VALUE eEngineError;
 /*
  * Private
  */
-#define OSSL_ENGINE_LOAD_IF_MATCH(x) \
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
+#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x) \
 do{\
-  if(!strcmp(#x, RSTRING_PTR(name))){\
-    ENGINE_load_##x();\
+  if(!strcmp(#engine_name, RSTRING_PTR(name))){\
+    if (OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_##x, NULL))\
+      return Qtrue;\
+    else\
+      ossl_raise(eEngineError, "OPENSSL_init_crypto"); \
+  }\
+}while(0)
+#else
+#define OSSL_ENGINE_LOAD_IF_MATCH(engine_name, x)  \
+do{\
+  if(!strcmp(#engine_name, RSTRING_PTR(name))){\
+    ENGINE_load_##engine_name();\
     return Qtrue;\
   }\
 }while(0)
+#endif
 
 static void
 ossl_engine_free(void *engine)
@@ -94,55 +106,55 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
     StringValueCStr(name);
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #if HAVE_ENGINE_LOAD_DYNAMIC
-    OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+    OSSL_ENGINE_LOAD_IF_MATCH(dynamic, DYNAMIC);
 #endif
 #if HAVE_ENGINE_LOAD_4758CCA
-    OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
+    OSSL_ENGINE_LOAD_IF_MATCH(4758cca, 4758CCA);
 #endif
 #if HAVE_ENGINE_LOAD_AEP
-    OSSL_ENGINE_LOAD_IF_MATCH(aep);
+    OSSL_ENGINE_LOAD_IF_MATCH(aep, AEP);
 #endif
 #if HAVE_ENGINE_LOAD_ATALLA
-    OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+    OSSL_ENGINE_LOAD_IF_MATCH(atalla, ATALLA);
 #endif
 #if HAVE_ENGINE_LOAD_CHIL
-    OSSL_ENGINE_LOAD_IF_MATCH(chil);
+    OSSL_ENGINE_LOAD_IF_MATCH(chil, CHIL);
 #endif
 #if HAVE_ENGINE_LOAD_CSWIFT
-    OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+    OSSL_ENGINE_LOAD_IF_MATCH(cswift, CSWIFT);
 #endif
 #if HAVE_ENGINE_LOAD_NURON
-    OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+    OSSL_ENGINE_LOAD_IF_MATCH(nuron, NURON);
 #endif
 #if HAVE_ENGINE_LOAD_SUREWARE
-    OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+    OSSL_ENGINE_LOAD_IF_MATCH(sureware, SUREWARE);
 #endif
 #if HAVE_ENGINE_LOAD_UBSEC
-    OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+    OSSL_ENGINE_LOAD_IF_MATCH(ubsec, UBSEC);
 #endif
 #if HAVE_ENGINE_LOAD_PADLOCK
-    OSSL_ENGINE_LOAD_IF_MATCH(padlock);
+    OSSL_ENGINE_LOAD_IF_MATCH(padlock, PADLOCK);
 #endif
 #if HAVE_ENGINE_LOAD_CAPI
-    OSSL_ENGINE_LOAD_IF_MATCH(capi);
+    OSSL_ENGINE_LOAD_IF_MATCH(capi, CAPI);
 #endif
 #if HAVE_ENGINE_LOAD_GMP
-    OSSL_ENGINE_LOAD_IF_MATCH(gmp);
+    OSSL_ENGINE_LOAD_IF_MATCH(gmp, GMP);
 #endif
 #if HAVE_ENGINE_LOAD_GOST
-    OSSL_ENGINE_LOAD_IF_MATCH(gost);
+    OSSL_ENGINE_LOAD_IF_MATCH(gost, GOST);
 #endif
 #if HAVE_ENGINE_LOAD_CRYPTODEV
-    OSSL_ENGINE_LOAD_IF_MATCH(cryptodev);
+    OSSL_ENGINE_LOAD_IF_MATCH(cryptodev, CRYPTODEV);
 #endif
 #if HAVE_ENGINE_LOAD_AESNI
-    OSSL_ENGINE_LOAD_IF_MATCH(aesni);
+    OSSL_ENGINE_LOAD_IF_MATCH(aesni, AESNI);
 #endif
 #endif
 #ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
-    OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
+    OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto, OPENBSD_DEV_CRYPTO);
 #endif
-    OSSL_ENGINE_LOAD_IF_MATCH(openssl);
+    OSSL_ENGINE_LOAD_IF_MATCH(openssl, OPENSSL);
     rb_warning("no such builtin loader for `%"PRIsVALUE"'", name);
     return Qnil;
 #endif /* HAVE_ENGINE_LOAD_BUILTIN_ENGINES */
@@ -160,7 +172,9 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
 static VALUE
 ossl_engine_s_cleanup(VALUE self)
 {
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
     ENGINE_cleanup();
+#endif
     return Qnil;
 }