openssl 2.2.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64981d6d16c53d08f9f88d54e28340769b26651ac6b4b1325f085b125255a60e
-  data.tar.gz: 5f0eff4a8e8610696fbd755c081a94793ec8c28384adb167a22ffe910a3f662e
+  metadata.gz: d382c0c6e46a7009fa58a8378b052341712f115f73f90c2409fdfa990c5c3a41
+  data.tar.gz: dc54eb994bb6c4de4e425c32702ec551b5c9d1d677062e629cbf162d171a5dec
 SHA512:
-  metadata.gz: 02d5dd3dc0c04f98b25a24c00eb2a5bbad34ff0688c7a0e3c331c3c33e7d1662fcceef4d38f6d02d1fe2dc8e711f8232512731e1c3e6bfcf793f4993b0eb8071
-  data.tar.gz: 06c1a0f3aab1e27d3b5898652789ff299d53f30464b67e4bc015895d15ef3af70503cf79320af2061bee768b9671e2a1268e3133e66018b60aa76f6ca86a26d6
+  metadata.gz: 8516105c4fb7d40619519c8165d45c602dd6ed65971ad8289ad70e9a7fc89d36c16a801c62ecf7c82e9068f07a3a63df69c3d9faf693796b071c059cdb10f805
+  data.tar.gz: 5c6cc181f035383b724b6bd5d249e36797c5079482e88efa137e9dc74b0b338fd4be7d6d27d7e39a67054429a64d79305a15146c645ee23c97696f1838640c7a

data/CONTRIBUTING.md

@@ -12,16 +12,17 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include: 
-* Ruby version 
-* OpenSSL gem version
-* OpenSSL library version 
+When reporting a bug, please make sure you include:
+
+* Ruby version (`ruby -v`)
+* `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
+* OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
 * A sample file that illustrates the problem or link to the repository or 
   gem that is associated with the bug.
 
 There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
-[known issues] and [bugs.ruby-lang.org], the previous issue tracker.
+[known issues].
 
 ## Submitting patches
 
@@ -34,62 +35,50 @@ Make sure that your branch does:
 * Have good commit messages
 * Follow Ruby's coding style ([DeveloperHowTo])
 * Pass the test suite successfully (see "Testing")
-* Add an entry to [History.md] if necessary
 
 ## Testing
 
 We have a test suite!
 
 Test cases are located under the
-[`test/`](https://github.com/ruby/openssl/tree/master/test) directory.
+[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
+directory.
 
 You can run it with the following three commands:
 
 ```
-$ rake install_dependencies # installs rake-compiler, test-unit, ...
-$ rake compile
-$ rake test
+$ bundle install # installs rake-compiler, test-unit, ...
+$ bundle exec rake compile
+$ bundle exec rake test
 ```
 
-### Docker
-
-You can also use Docker Compose to run tests. It can be used to check that your
-changes work correctly with various supported versions of Ruby and OpenSSL.
-
-First, you need to install [Docker](https://www.docker.com/products/docker) and
-[Docker Compose](https://www.docker.com/products/docker-compose) on your
-computer.
+### With different versions of OpenSSL
 
-If you're on MacOS or Windows, we recommended to use the official [Docker
-Toolbox](https://www.docker.com/products/docker-toolbox). On Linux, follow the
-instructions for your package manager. For further information, please check
-the [official documentation](https://docs.docker.com/).
+Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
+to pass on all supported combinations.
 
-Once you have Docker and Docker Compose, running the following commands will
-build the container and execute the openssl tests. In this example, we will use
-Ruby version 2.3 with OpenSSL version 1.0.2.
+Similarly to when installing `openssl` gem via the `gem` command,
+you can pass a `--with-openssl-dir` argument to `rake compile`
+to specify the OpenSSL library to build against.
 
 ```
-$ docker-compose build
-$ export RUBY_VERSION=ruby-2.3
-$ export OPENSSL_VERSION=openssl-1.0.2
-$ docker-compose run test
-
-# You may want an interactive shell for dubugging
-$ docker-compose run debug
+$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
+    tar xf openssl-3.0.1.tar.gz &&
+    cd openssl-3.0.1 &&
+    ./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
+    make -j4 &&
+    make install )
+
+$ # in Ruby/OpenSSL's source directory
+$ bundle exec rake clean
+$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
+$ bundle exec rake test
 ```
 
-All possible values for `RUBY_VERSION` and `OPENSSL_VERSION` can be found in
-[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml).
-
-**NOTE**: these commands must be run from the openssl repository root, in order
-to use the
-[`docker-compose.yml`](https://github.com/ruby/openssl/blob/master/docker-compose.yml)
-file we have provided.
-
-This Docker image is built using the
-[Dockerfile](https://github.com/ruby/openssl/tree/master/tool/ruby-openssl-docker)
-provided in the repository.
+The GitHub Actions workflow file
+[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
+contains useful information for building OpenSSL/LibreSSL and testing against
+them.
 
 
 ## Relation with Ruby source tree
@@ -124,7 +113,6 @@ _Thanks for your contributions!_
 
 [GitHub]: https://github.com/ruby/openssl
 [known issues]: https://github.com/ruby/openssl/issues
-[bugs.ruby-lang.org]: https://bugs.ruby-lang.org/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=7150&f%5B%5D=&c%5B%5D=project&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=
 [DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
 [HackerOne]: https://hackerone.com/ruby
 [Security]: https://www.ruby-lang.org/en/security/

data/History.md

@@ -1,3 +1,105 @@
+Version 3.0.0
+=============
+
+Compatibility notes
+-------------------
+
+* OpenSSL 1.0.1 and Ruby 2.3-2.5 are no longer supported.
+  [[GitHub #396]](https://github.com/ruby/openssl/pull/396)
+  [[GitHub #466]](https://github.com/ruby/openssl/pull/466)
+
+* OpenSSL 3.0 support is added. It is the first major version bump from OpenSSL
+  1.1 and contains incompatible changes that affect Ruby/OpenSSL.
+  Note that OpenSSL 3.0 support is preliminary and not all features are
+  currently available:
+  [[GitHub #369]](https://github.com/ruby/openssl/issues/369)
+
+  - Deprecate the ability to modify `OpenSSL::PKey::PKey` instances. OpenSSL 3.0
+    made EVP_PKEY structure immutable, and hence the following methods are not
+    available when Ruby/OpenSSL is linked against OpenSSL 3.0.
+    [[GitHub #480]](https://github.com/ruby/openssl/pull/480)
+
+    - `OpenSSL::PKey::RSA#set_key`, `#set_factors`, `#set_crt_params`
+    - `OpenSSL::PKey::DSA#set_pqg`, `#set_key`
+    - `OpenSSL::PKey::DH#set_pqg`, `#set_key`, `#generate_key!`
+    - `OpenSSL::PKey::EC#private_key=`, `#public_key=`, `#group=`, `#generate_key!`
+
+  - Deprecate `OpenSSL::Engine`. The ENGINE API has been deprecated in OpenSSL 3.0
+    in favor of the new "provider" concept and will be removed in a future
+    version.
+    [[GitHub #481]](https://github.com/ruby/openssl/pull/481)
+
+* `OpenSSL::SSL::SSLContext#tmp_ecdh_callback` has been removed. It has been
+  deprecated since v2.0.0 because it is incompatible with modern OpenSSL
+  versions.
+  [[GitHub #394]](https://github.com/ruby/openssl/pull/394)
+
+* `OpenSSL::SSL::SSLSocket#read` and `#write` now raise `OpenSSL::SSL::SSLError`
+  if called before a TLS connection is established. Historically, they
+  read/wrote unencrypted data to the underlying socket directly in that case.
+  [[GitHub #9]](https://github.com/ruby/openssl/issues/9)
+  [[GitHub #469]](https://github.com/ruby/openssl/pull/469)
+
+
+Notable changes
+---------------
+
+* Enhance OpenSSL::PKey's common interface.
+  [[GitHub #370]](https://github.com/ruby/openssl/issues/370)
+
+  - Key deserialization: Enhance `OpenSSL::PKey.read` to handle PEM encoding of
+    DH parameters, which used to be only deserialized by `OpenSSL::PKey::DH.new`.
+    [[GitHub #328]](https://github.com/ruby/openssl/issues/328)
+  - Key generation: Add `OpenSSL::PKey.generate_parameters` and
+    `OpenSSL::PKey.generate_key`.
+    [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+  - Public key signing: Enhance `OpenSSL::PKey::PKey#sign` and `#verify` to use
+    the new EVP_DigestSign() family to enable PureEdDSA support on OpenSSL 1.1.1
+    or later. They also now take optional algorithm-specific parameters for more
+    control.
+    [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+  - Low-level public key signing and verification: Add
+    `OpenSSL::PKey::PKey#sign_raw`, `#verify_raw`, and `#verify_recover`.
+    [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+  - Public key encryption: Add `OpenSSL::PKey::PKey#encrypt` and `#decrypt`.
+    [[GitHub #382]](https://github.com/ruby/openssl/issues/382)
+  - Key agreement: Add `OpenSSL::PKey::PKey#derive`.
+    [[GitHub #329]](https://github.com/ruby/openssl/issues/329)
+  - Key comparison: Add `OpenSSL::PKey::PKey#compare?` to conveniently check
+    that two keys have common parameters and a public key.
+    [[GitHub #383]](https://github.com/ruby/openssl/issues/383)
+
+* Add `OpenSSL::BN#set_flags` and `#get_flags`. This can be used in combination
+  with `OpenSSL::BN::CONSTTIME` to force constant-time computation.
+  [[GitHub #417]](https://github.com/ruby/openssl/issues/417)
+
+* Add `OpenSSL::BN#abs` to get the absolute value of the BIGNUM.
+  [[GitHub #430]](https://github.com/ruby/openssl/issues/430)
+
+* Add `OpenSSL::SSL::SSLSocket#getbyte`.
+  [[GitHub #438]](https://github.com/ruby/openssl/issues/438)
+
+* Add `OpenSSL::SSL::SSLContext#tmp_dh=`.
+  [[GitHub #459]](https://github.com/ruby/openssl/pull/459)
+
+* Add `OpenSSL::X509::Certificate.load` to load a PEM-encoded and concatenated
+  list of X.509 certificates at once.
+  [[GitHub #441]](https://github.com/ruby/openssl/pull/441)
+
+* Change `OpenSSL::X509::Certificate.new` to attempt to deserialize the given
+  string first as DER encoding first and then as PEM encoding to ensure the
+  round-trip consistency.
+  [[GitHub #442]](https://github.com/ruby/openssl/pull/442)
+
+* Update various part of the code base to use the modern API. No breaking
+  changes are intended with this. This includes:
+
+  - `OpenSSL::HMAC` uses the EVP API.
+    [[GitHub #371]](https://github.com/ruby/openssl/issues/371)
+  - `OpenSSL::Config` uses native OpenSSL API to parse config files.
+    [[GitHub #342]](https://github.com/ruby/openssl/issues/342)
+
+
 Version 2.2.1
 =============
 
@@ -113,7 +215,7 @@ Bug fixes
   [[GitHub #453]](https://github.com/ruby/openssl/pull/453)
 * Fix misuse of input record separator in `OpenSSL::Buffering` where it was
   for output.
-* Fix wrong interger casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
+* Fix wrong integer casting in `OpenSSL::PKey::EC#dsa_verify_asn1`.
   [[GitHub #460]](https://github.com/ruby/openssl/pull/460)
 * `extconf.rb` explicitly checks that OpenSSL's version number is 1.0.1 or
   newer but also less than 3.0. Ruby/OpenSSL v2.1.x and v2.2.x will not support

data/ext/openssl/extconf.rb

@@ -26,6 +26,8 @@ if with_config("debug") or enable_config("debug")
   $defs.push("-DOSSL_DEBUG")
 end
 
+have_func("rb_io_maybe_wait") # Ruby 3.1
+
 Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
 have_library("socket", "socket")
@@ -102,15 +104,14 @@ end
 
 version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
   is_libressl = true
-  checking_for("LibreSSL version >= 2.5.0") {
-    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
+  checking_for("LibreSSL version >= 3.1.0") {
+    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30100000L", "openssl/opensslv.h") }
 else
-  checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
-    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
-    !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
+  checking_for("OpenSSL version >= 1.0.2") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10002000L", "openssl/opensslv.h") }
 end
 unless version_ok
-  raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
+  raise "OpenSSL >= 1.0.2 or LibreSSL >= 3.1.0 is required"
 end
 
 # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
@@ -127,29 +128,13 @@ engines.each { |name|
   have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 
-# added in 1.0.2
-have_func("EC_curve_nist2nid")
-have_func("X509_REVOKED_dup")
-have_func("X509_STORE_CTX_get0_store")
-have_func("SSL_CTX_set_alpn_select_cb")
-have_func("SSL_CTX_set1_curves_list(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_get_server_tmp_key(NULL, NULL)", "openssl/ssl.h")
-have_func("SSL_is_server")
-
 # added in 1.1.0
-if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
-    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
   $defs.push("-DHAVE_OPAQUE_OPENSSL")
 end
-have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
-have_func("BN_GENCB_new")
-have_func("BN_GENCB_free")
-have_func("BN_GENCB_get_arg")
 have_func("EVP_MD_CTX_new")
 have_func("EVP_MD_CTX_free")
-have_func("HMAC_CTX_new")
-have_func("HMAC_CTX_free")
+have_func("EVP_MD_CTX_pkey_ctx")
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
 have_func("X509_STORE_get_ex_new_index")
@@ -168,7 +153,6 @@ have_func("X509_CRL_up_ref")
 have_func("X509_STORE_up_ref")
 have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
-have_func("SSL_CTX_set_tmp_ecdh_callback(NULL, NULL)", "openssl/ssl.h") # removed
 have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
 have_func("SSL_CTX_get_security_level")
 have_func("X509_get0_notBefore")
@@ -176,13 +160,27 @@ have_func("SSL_SESSION_get_protocol_version")
 have_func("TS_STATUS_INFO_get0_status")
 have_func("TS_STATUS_INFO_get0_text")
 have_func("TS_STATUS_INFO_get0_failure_info")
-have_func("TS_VERIFY_CTS_set_certs")
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
 have_func("TS_VERIFY_CTX_set_store")
 have_func("TS_VERIFY_CTX_add_flags")
 have_func("TS_RESP_CTX_set_time_cb")
 have_func("EVP_PBE_scrypt")
 have_func("SSL_CTX_set_post_handshake_auth")
 
+# added in 1.1.1
+have_func("EVP_PKEY_check")
+
+# added in 3.0.0
+have_func("SSL_set0_tmp_dh_pkey")
+have_func("ERR_get_error_all")
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
+have_func("SSL_CTX_load_verify_file")
+have_func("BN_check_prime")
+have_func("EVP_MD_CTX_get0_md")
+have_func("EVP_MD_CTX_get_pkey_ctx")
+have_func("EVP_PKEY_eq")
+have_func("EVP_PKEY_dup")
+
 Logging::message "=== Checking done. ===\n"
 
 create_header

data/ext/openssl/openssl_missing.c

@@ -10,77 +10,11 @@
 #include RUBY_EXTCONF_H
 
 #include <string.h> /* memcpy() */
-#if !defined(OPENSSL_NO_ENGINE)
-# include <openssl/engine.h>
-#endif
-#if !defined(OPENSSL_NO_HMAC)
-# include <openssl/hmac.h>
-#endif
 #include <openssl/x509_vfy.h>
 
 #include "openssl_missing.h"
 
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-static struct {
-    const char *name;
-    int nid;
-} nist_curves[] = {
-    {"B-163", NID_sect163r2},
-    {"B-233", NID_sect233r1},
-    {"B-283", NID_sect283r1},
-    {"B-409", NID_sect409r1},
-    {"B-571", NID_sect571r1},
-    {"K-163", NID_sect163k1},
-    {"K-233", NID_sect233k1},
-    {"K-283", NID_sect283k1},
-    {"K-409", NID_sect409k1},
-    {"K-571", NID_sect571k1},
-    {"P-192", NID_X9_62_prime192v1},
-    {"P-224", NID_secp224r1},
-    {"P-256", NID_X9_62_prime256v1},
-    {"P-384", NID_secp384r1},
-    {"P-521", NID_secp521r1}
-};
-
-int
-ossl_EC_curve_nist2nid(const char *name)
-{
-    size_t i;
-    for (i = 0; i < (sizeof(nist_curves) / sizeof(nist_curves[0])); i++) {
-	if (!strcmp(nist_curves[i].name, name))
-	    return nist_curves[i].nid;
-    }
-    return NID_undef;
-}
-#endif
-#endif
-
 /*** added in 1.1.0 ***/
-#if !defined(HAVE_HMAC_CTX_NEW)
-HMAC_CTX *
-ossl_HMAC_CTX_new(void)
-{
-    HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
-    if (!ctx)
-	return NULL;
-    HMAC_CTX_init(ctx);
-    return ctx;
-}
-#endif
-
-#if !defined(HAVE_HMAC_CTX_FREE)
-void
-ossl_HMAC_CTX_free(HMAC_CTX *ctx)
-{
-    if (ctx) {
-	HMAC_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
-    }
-}
-#endif
-
 #if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
 void
 ossl_X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,

data/ext/openssl/openssl_missing.h

@@ -12,40 +12,7 @@
 
 #include "ruby/config.h"
 
-/* added in 1.0.2 */
-#if !defined(OPENSSL_NO_EC)
-#if !defined(HAVE_EC_CURVE_NIST2NID)
-int ossl_EC_curve_nist2nid(const char *);
-#  define EC_curve_nist2nid ossl_EC_curve_nist2nid
-#endif
-#endif
-
-#if !defined(HAVE_X509_REVOKED_DUP)
-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
-	(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
-#endif
-
-#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
-#  define X509_STORE_CTX_get0_store(x) ((x)->ctx)
-#endif
-
-#if !defined(HAVE_SSL_IS_SERVER)
-#  define SSL_is_server(s) ((s)->server)
-#endif
-
 /* added in 1.1.0 */
-#if !defined(HAVE_BN_GENCB_NEW)
-#  define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
-#endif
-
-#if !defined(HAVE_BN_GENCB_FREE)
-#  define BN_GENCB_free(cb) OPENSSL_free(cb)
-#endif
-
-#if !defined(HAVE_BN_GENCB_GET_ARG)
-#  define BN_GENCB_get_arg(cb) (cb)->arg
-#endif
-
 #if !defined(HAVE_EVP_MD_CTX_NEW)
 #  define EVP_MD_CTX_new EVP_MD_CTX_create
 #endif
@@ -54,16 +21,6 @@ int ossl_EC_curve_nist2nid(const char *);
 #  define EVP_MD_CTX_free EVP_MD_CTX_destroy
 #endif
 
-#if !defined(HAVE_HMAC_CTX_NEW)
-HMAC_CTX *ossl_HMAC_CTX_new(void);
-#  define HMAC_CTX_new ossl_HMAC_CTX_new
-#endif
-
-#if !defined(HAVE_HMAC_CTX_FREE)
-void ossl_HMAC_CTX_free(HMAC_CTX *);
-#  define HMAC_CTX_free ossl_HMAC_CTX_free
-#endif
-
 #if !defined(HAVE_X509_STORE_GET_EX_DATA)
 #  define X509_STORE_get_ex_data(x, idx) \
 	CRYPTO_get_ex_data(&(x)->ex_data, (idx))
@@ -147,8 +104,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
 	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #endif
 
-#if !defined(HAVE_OPAQUE_OPENSSL) && \
-    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+#if !defined(HAVE_OPAQUE_OPENSSL)
 #define IMPL_PKEY_GETTER(_type, _name) \
 static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
 	return pkey->pkey._name; }
@@ -254,4 +210,29 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
     } while (0)
 #endif
 
+/* added in 3.0.0 */
+#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
+#  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
+#endif
+
+#ifndef HAVE_EVP_MD_CTX_GET0_MD
+#  define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
+#endif
+
+/*
+ * OpenSSL 1.1.0 added EVP_MD_CTX_pkey_ctx(), and then it was renamed to
+ * EVP_MD_CTX_get_pkey_ctx(x) in OpenSSL 3.0.
+ */
+#ifndef HAVE_EVP_MD_CTX_GET_PKEY_CTX
+# ifdef HAVE_EVP_MD_CTX_PKEY_CTX
+#  define EVP_MD_CTX_get_pkey_ctx(x) EVP_MD_CTX_pkey_ctx(x)
+# else
+#  define EVP_MD_CTX_get_pkey_ctx(x) (x)->pctx
+# endif
+#endif
+
+#ifndef HAVE_EVP_PKEY_EQ
+#  define EVP_PKEY_eq(a, b) EVP_PKEY_cmp(a, b)
+#endif
+
 #endif /* _OSSL_OPENSSL_MISSING_H_ */