openssl 3.0.3 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7e3734ac5044a3ae69b9fb618a0896867e28cfe1390220d802e9db114b449384
-  data.tar.gz: '0976489913ce74b9b7e83c013db968687c75d2b61715bdda5d6ced8a7b6cdd6a'
+  metadata.gz: 239c530562472710697b8da573b8aa64b477c02f5895907220e83e9f09c88fec
+  data.tar.gz: 62f2d04df3f693b995bf29be9d299c9f916f44a82b5bc5df60e9f46a748990d8
 SHA512:
-  metadata.gz: df86c47dd43a0d92ddaea6d9edd39cbac1eb963807eeb525c9e4be2a9820f1f5dfac017492082fcac63f93ceb3cb6d1a4e0d0574104bd61004c14b5a1866bd9f
-  data.tar.gz: 071d295fd05b9be5e941a9698977cdb62a02d6b1f83557243bf250d566db372f42df8338c6c9fb11af349c5df879c1ab7179042b2e5c44664431fa0eae1cd1b9
+  metadata.gz: 05f891730a9dea150a2cecedb8decbf7f7dbb500cc825226a635fce8ca195a2dbf036de38dbdb7462cbb18e2e3c8aca337c1e1d9d021a94bbc444312dcf26568
+  data.tar.gz: 4cff09ce02fc107422829ca552c97cf912f2b5f129c87e37137b153fd2c09d9a231493af7ce32f391c32828b3ffc64bf905adf6a1e3fad943e78ca81048a4f96

data/CONTRIBUTING.md

@@ -17,7 +17,7 @@ When reporting a bug, please make sure you include:
 * Ruby version (`ruby -v`)
 * `openssl` gem version (`gem list openssl` and `OpenSSL::VERSION`)
 * OpenSSL library version (`OpenSSL::OPENSSL_VERSION`)
-* A sample file that illustrates the problem or link to the repository or 
+* A sample file that illustrates the problem or link to the repository or
   gem that is associated with the bug.
 
 There are a number of unresolved issues and feature requests for openssl that

data/History.md

@@ -1,26 +1,37 @@
-Version 3.0.3
+Version 3.1.0
 =============
 
-Bug fixes
----------
+Ruby/OpenSSL 3.1 will be maintained for the lifetime of Ruby 3.2.
+
+Merged bug fixes in 2.2.3 and 3.0.2. Among the new features and changes are:
+
+Notable changes
+---------------
 
-* Fix a performance regression introduced in v2.1.3 on a buffered write to
-  `SSLSocket`.
-  [[GitHub #706]](https://github.com/ruby/openssl/pull/706)
-* Fix `OpenSSL::PKCS7` to handle PKCS#7 structures without content.
-  [[GitHub #690]](https://github.com/ruby/openssl/pull/690)
-  [[GitHub #752]](https://github.com/ruby/openssl/pull/752)
-* Fix `OpenSSL::ASN1::ObjectId#==` with OIDs without a known name.
-  [[GitHub #791]](https://github.com/ruby/openssl/issues/791)
-  [[GitHub #792]](https://github.com/ruby/openssl/pull/792)
-* Fix `OpenSSL::X509::Certificate#crl_uris` to handle CDP with multiple CRL
-  URIs.
-  [[GitHub #775]](https://github.com/ruby/openssl/issues/775)
-  [[GitHub #776]](https://github.com/ruby/openssl/pull/776)
-* Fix `OpenSSL::Cipher#update` to always make the output buffer `String`
-  independent.
-  [[Bug #20937]](https://bugs.ruby-lang.org/issues/20937)
-  [[GitHub #824]](https://github.com/ruby/openssl/pull/824)
+* Add `OpenSSL::SSL::SSLContext#ciphersuites=` to allow setting TLS 1.3 cipher
+  suites.
+  [[GitHub #493]](https://github.com/ruby/openssl/pull/493)
+* Add `OpenSSL::SSL::SSLSocket#export_keying_material` for exporting keying
+  material of the session, as defined in RFC 5705.
+  [[GitHub #530]](https://github.com/ruby/openssl/pull/530)
+* Add `OpenSSL::SSL::SSLContext#keylog_cb=` for setting the TLS key logging
+  callback, which is useful for supporting NSS's SSLKEYLOGFILE debugging output.
+  [[GitHub #536]](https://github.com/ruby/openssl/pull/536)
+* Remove the default digest algorithm from `OpenSSL::OCSP::BasicResponse#sign`
+  and `OpenSSL::OCSP::Request#sign`. Omitting the 5th parameter of these
+  methods used to be equivalent of specifying SHA-1. This default value is now
+  removed and we will let the underlying OpenSSL library decide instead.
+  [[GitHub #507]](https://github.com/ruby/openssl/pull/507)
+* Add `OpenSSL::BN#mod_sqrt`.
+  [[GitHub #553]](https://github.com/ruby/openssl/pull/553)
+* Allow calling `OpenSSL::Cipher#update` with an empty string. This was
+  prohibited to workaround an ancient bug in OpenSSL.
+  [[GitHub #568]](https://github.com/ruby/openssl/pull/568)
+* Fix build on platforms without socket support, such as WASI. `OpenSSL::SSL`
+  will not be defined if OpenSSL is compiled with `OPENSSL_NO_SOCK`.
+  [[GitHub #558]](https://github.com/ruby/openssl/pull/558)
+* Improve support for recent LibreSSL versions. This includes HKDF support in
+  LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
 
 
 Version 3.0.2

data/ext/openssl/extconf.rb

@@ -25,8 +25,9 @@ Logging::message "=== OpenSSL for Ruby configurator ===\n"
 if with_config("debug") or enable_config("debug")
   $defs.push("-DOSSL_DEBUG")
 end
+$defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
 
-have_func("rb_io_maybe_wait") # Ruby 3.1
+have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
 
 Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
@@ -120,8 +121,13 @@ if is_libressl && ($mswin || $mingw)
 end
 
 Logging::message "=== Checking for OpenSSL features... ===\n"
+evp_h = "openssl/evp.h".freeze
+x509_h = "openssl/x509.h".freeze
+ts_h = "openssl/ts.h".freeze
+ssl_h = "openssl/ssl.h".freeze
+
 # compile options
-have_func("RAND_egd")
+have_func("RAND_egd()", "openssl/rand.h")
 engines = %w{dynamic 4758cca aep atalla chil
              cswift nuron sureware ubsec padlock capi gmp gost cryptodev}
 engines.each { |name|
@@ -132,55 +138,56 @@ engines.each { |name|
 if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
   $defs.push("-DHAVE_OPAQUE_OPENSSL")
 end
-have_func("EVP_MD_CTX_new")
-have_func("EVP_MD_CTX_free")
-have_func("EVP_MD_CTX_pkey_ctx")
-have_func("X509_STORE_get_ex_data")
-have_func("X509_STORE_set_ex_data")
-have_func("X509_STORE_get_ex_new_index")
-have_func("X509_CRL_get0_signature")
-have_func("X509_REQ_get0_signature")
-have_func("X509_REVOKED_get0_serialNumber")
-have_func("X509_REVOKED_get0_revocationDate")
-have_func("X509_get0_tbs_sigalg")
-have_func("X509_STORE_CTX_get0_untrusted")
-have_func("X509_STORE_CTX_get0_cert")
-have_func("X509_STORE_CTX_get0_chain")
-have_func("OCSP_SINGLERESP_get0_id")
-have_func("SSL_CTX_get_ciphers")
-have_func("X509_up_ref")
-have_func("X509_CRL_up_ref")
-have_func("X509_STORE_up_ref")
-have_func("SSL_SESSION_up_ref")
-have_func("EVP_PKEY_up_ref")
-have_func("SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h")
-have_func("SSL_CTX_get_security_level")
-have_func("X509_get0_notBefore")
-have_func("SSL_SESSION_get_protocol_version")
-have_func("TS_STATUS_INFO_get0_status")
-have_func("TS_STATUS_INFO_get0_text")
-have_func("TS_STATUS_INFO_get0_failure_info")
-have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")
-have_func("TS_VERIFY_CTX_set_store")
-have_func("TS_VERIFY_CTX_add_flags")
-have_func("TS_RESP_CTX_set_time_cb")
-have_func("EVP_PBE_scrypt")
-have_func("SSL_CTX_set_post_handshake_auth")
+have_func("EVP_MD_CTX_new()", evp_h)
+have_func("EVP_MD_CTX_free(NULL)", evp_h)
+have_func("EVP_MD_CTX_pkey_ctx(NULL)", evp_h)
+have_func("X509_STORE_get_ex_data(NULL, 0)", x509_h)
+have_func("X509_STORE_set_ex_data(NULL, 0, NULL)", x509_h)
+have_func("X509_STORE_get_ex_new_index(0, NULL, NULL, NULL, NULL)", x509_h)
+have_func("X509_CRL_get0_signature(NULL, NULL, NULL)", x509_h)
+have_func("X509_REQ_get0_signature(NULL, NULL, NULL)", x509_h)
+have_func("X509_REVOKED_get0_serialNumber(NULL)", x509_h)
+have_func("X509_REVOKED_get0_revocationDate(NULL)", x509_h)
+have_func("X509_get0_tbs_sigalg(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_untrusted(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_cert(NULL)", x509_h)
+have_func("X509_STORE_CTX_get0_chain(NULL)", x509_h)
+have_func("OCSP_SINGLERESP_get0_id(NULL)", "openssl/ocsp.h")
+have_func("SSL_CTX_get_ciphers(NULL)", ssl_h)
+have_func("X509_up_ref(NULL)", x509_h)
+have_func("X509_CRL_up_ref(NULL)", x509_h)
+have_func("X509_STORE_up_ref(NULL)", x509_h)
+have_func("SSL_SESSION_up_ref(NULL)", ssl_h)
+have_func("EVP_PKEY_up_ref(NULL)", evp_h)
+have_func("SSL_CTX_set_min_proto_version(NULL, 0)", ssl_h)
+have_func("SSL_CTX_get_security_level(NULL)", ssl_h)
+have_func("X509_get0_notBefore(NULL)", x509_h)
+have_func("SSL_SESSION_get_protocol_version(NULL)", ssl_h)
+have_func("TS_STATUS_INFO_get0_status(NULL)", ts_h)
+have_func("TS_STATUS_INFO_get0_text(NULL)", ts_h)
+have_func("TS_STATUS_INFO_get0_failure_info(NULL)", ts_h)
+have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", ts_h)
+have_func("TS_VERIFY_CTX_set_store(NULL, NULL)", ts_h)
+have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
+have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
+have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
+have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
 
 # added in 1.1.1
-have_func("EVP_PKEY_check")
-have_func("EVP_PKEY_new_raw_private_key")
+have_func("EVP_PKEY_check(NULL)", evp_h)
+have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
+have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
 
 # added in 3.0.0
-have_func("SSL_set0_tmp_dh_pkey")
-have_func("ERR_get_error_all")
-have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
-have_func("SSL_CTX_load_verify_file")
-have_func("BN_check_prime")
-have_func("EVP_MD_CTX_get0_md")
-have_func("EVP_MD_CTX_get_pkey_ctx")
-have_func("EVP_PKEY_eq")
-have_func("EVP_PKEY_dup")
+have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
+have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
+have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
+have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
+have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
+have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
+have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
+have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
+have_func("EVP_PKEY_dup(NULL)", evp_h)
 
 Logging::message "=== Checking done. ===\n"
 

data/ext/openssl/ossl.h

@@ -52,6 +52,12 @@
       (LIBRESSL_VERSION_NUMBER >= ((maj << 28) | (min << 20) | (pat << 12)))
 #endif
 
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+# define OSSL_3_const const
+#else
+# define OSSL_3_const /* const */
+#endif
+
 #if !defined(OPENSSL_NO_ENGINE) && !OSSL_OPENSSL_PREREQ(3, 0, 0)
 # define OSSL_USE_ENGINE
 #endif

data/ext/openssl/ossl_asn1.c

@@ -509,7 +509,8 @@ ossl_asn1_get_asn1type(VALUE obj)
     ASN1_TYPE *ret;
     VALUE value, rflag;
     void *ptr;
-    void (*free_func)();
+    typedef void free_func_type(void *);
+    free_func_type *free_func;
     int tag;
 
     tag = ossl_asn1_default_tag(obj);
@@ -522,16 +523,16 @@ ossl_asn1_get_asn1type(VALUE obj)
     case V_ASN1_INTEGER:         /* FALLTHROUGH */
     case V_ASN1_ENUMERATED:
 	ptr = obj_to_asn1int(value);
-	free_func = ASN1_INTEGER_free;
+	free_func = (free_func_type *)ASN1_INTEGER_free;
 	break;
     case V_ASN1_BIT_STRING:
         rflag = rb_attr_get(obj, sivUNUSED_BITS);
 	ptr = obj_to_asn1bstr(value, NUM2INT(rflag));
-	free_func = ASN1_BIT_STRING_free;
+	free_func = (free_func_type *)ASN1_BIT_STRING_free;
 	break;
     case V_ASN1_NULL:
 	ptr = obj_to_asn1null(value);
-	free_func = ASN1_NULL_free;
+	free_func = (free_func_type *)ASN1_NULL_free;
 	break;
     case V_ASN1_OCTET_STRING:    /* FALLTHROUGH */
     case V_ASN1_UTF8STRING:      /* FALLTHROUGH */
@@ -546,24 +547,24 @@ ossl_asn1_get_asn1type(VALUE obj)
     case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
     case V_ASN1_BMPSTRING:
 	ptr = obj_to_asn1str(value);
-	free_func = ASN1_STRING_free;
+	free_func = (free_func_type *)ASN1_STRING_free;
 	break;
     case V_ASN1_OBJECT:
 	ptr = obj_to_asn1obj(value);
-	free_func = ASN1_OBJECT_free;
+	free_func = (free_func_type *)ASN1_OBJECT_free;
 	break;
     case V_ASN1_UTCTIME:
 	ptr = obj_to_asn1utime(value);
-	free_func = ASN1_TIME_free;
+	free_func = (free_func_type *)ASN1_TIME_free;
 	break;
     case V_ASN1_GENERALIZEDTIME:
 	ptr = obj_to_asn1gtime(value);
-	free_func = ASN1_TIME_free;
+	free_func = (free_func_type *)ASN1_TIME_free;
 	break;
     case V_ASN1_SET:             /* FALLTHROUGH */
     case V_ASN1_SEQUENCE:
 	ptr = obj_to_asn1derstr(obj);
-	free_func = ASN1_STRING_free;
+	free_func = (free_func_type *)ASN1_STRING_free;
 	break;
     default:
 	ossl_raise(eASN1Error, "unsupported ASN.1 type");
@@ -1297,6 +1298,30 @@ ossl_asn1obj_get_ln(VALUE self)
     return ret;
 }
 
+/*
+ *  call-seq:
+ *     oid == other_oid => true or false
+ *
+ *  Returns +true+ if _other_oid_ is the same as _oid_
+ */
+static VALUE
+ossl_asn1obj_eq(VALUE self, VALUE other)
+{
+    VALUE valSelf, valOther;
+    int nidSelf, nidOther;
+
+    valSelf = ossl_asn1_get_value(self);
+    valOther = ossl_asn1_get_value(other);
+
+    if ((nidSelf = OBJ_txt2nid(StringValueCStr(valSelf))) == NID_undef)
+	ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+    if ((nidOther = OBJ_txt2nid(StringValueCStr(valOther))) == NID_undef)
+	ossl_raise(eASN1Error, "OBJ_txt2nid");
+
+    return nidSelf == nidOther ? Qtrue : Qfalse;
+}
+
 static VALUE
 asn1obj_get_oid_i(VALUE vobj)
 {
@@ -1341,25 +1366,6 @@ ossl_asn1obj_get_oid(VALUE self)
     return str;
 }
 
-/*
- *  call-seq:
- *     oid == other_oid => true or false
- *
- *  Returns +true+ if _other_oid_ is the same as _oid_.
- */
-static VALUE
-ossl_asn1obj_eq(VALUE self, VALUE other)
-{
-    VALUE oid1, oid2;
-
-    if (!rb_obj_is_kind_of(other, cASN1ObjectId))
-        return Qfalse;
-
-    oid1 = ossl_asn1obj_get_oid(self);
-    oid2 = ossl_asn1obj_get_oid(other);
-    return rb_str_equal(oid1, oid2);
-}
-
 #define OSSL_ASN1_IMPL_FACTORY_METHOD(klass) \
 static VALUE ossl_asn1_##klass(int argc, VALUE *argv, VALUE self)\
 { return rb_funcall3(cASN1##klass, rb_intern("new"), argc, argv); }
@@ -1517,7 +1523,7 @@ Init_ossl_asn1(void)
      *
      * An Array that stores the name of a given tag number. These names are
      * the same as the name of the tag constant that is additionally defined,
-     * e.g. +UNIVERSAL_TAG_NAME[2] = "INTEGER"+ and +OpenSSL::ASN1::INTEGER = 2+.
+     * e.g. <tt>UNIVERSAL_TAG_NAME[2] = "INTEGER"</tt> and <tt>OpenSSL::ASN1::INTEGER = 2</tt>.
      *
      * == Example usage
      *

data/ext/openssl/ossl_bn.c

@@ -577,22 +577,33 @@ BIGNUM_2c(gcd)
  */
 BIGNUM_2c(mod_sqr)
 
+#define BIGNUM_2cr(func)					\
+    static VALUE						\
+    ossl_bn_##func(VALUE self, VALUE other)			\
+    {								\
+	BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;		\
+	VALUE obj;						\
+	GetBN(self, bn1);					\
+	obj = NewBN(rb_obj_class(self));			\
+	if (!(result = BN_##func(NULL, bn1, bn2, ossl_bn_ctx)))	\
+	    ossl_raise(eBNError, NULL);				\
+	SetBN(obj, result);					\
+	return obj;						\
+    }
+
 /*
+ * Document-method: OpenSSL::BN#mod_sqrt
+ * call-seq:
+ *   bn.mod_sqrt(bn2) => aBN
+ */
+BIGNUM_2cr(mod_sqrt)
+
+/*
+ * Document-method: OpenSSL::BN#mod_inverse
  * call-seq:
  *    bn.mod_inverse(bn2) => aBN
  */
-static VALUE
-ossl_bn_mod_inverse(VALUE self, VALUE other)
-{
-    BIGNUM *bn1, *bn2 = GetBNPtr(other), *result;
-    VALUE obj;
-    GetBN(self, bn1);
-    obj = NewBN(rb_obj_class(self));
-    if (!(result = BN_mod_inverse(NULL, bn1, bn2, ossl_bn_ctx)))
-        ossl_raise(eBNError, "BN_mod_inverse");
-    SetBN(obj, result);
-    return obj;
-}
+BIGNUM_2cr(mod_inverse)
 
 /*
  * call-seq:
@@ -1234,6 +1245,7 @@ Init_ossl_bn(void)
     rb_define_method(cBN, "mod_sub", ossl_bn_mod_sub, 2);
     rb_define_method(cBN, "mod_mul", ossl_bn_mod_mul, 2);
     rb_define_method(cBN, "mod_sqr", ossl_bn_mod_sqr, 1);
+    rb_define_method(cBN, "mod_sqrt", ossl_bn_mod_sqrt, 1);
     rb_define_method(cBN, "**", ossl_bn_exp, 1);
     rb_define_method(cBN, "mod_exp", ossl_bn_mod_exp, 2);
     rb_define_method(cBN, "gcd", ossl_bn_gcd, 1);

data/ext/openssl/ossl_cipher.c

@@ -384,40 +384,24 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
 
     StringValue(data);
     in = (unsigned char *)RSTRING_PTR(data);
-    if ((in_len = RSTRING_LEN(data)) == 0)
-        ossl_raise(rb_eArgError, "data must not be empty");
+    in_len = RSTRING_LEN(data);
     GetCipher(self, ctx);
-
-    /*
-     * As of OpenSSL 3.2, there is no reliable way to determine the required
-     * output buffer size for arbitrary cipher modes.
-     * https://github.com/openssl/openssl/issues/22628
-     *
-     * in_len+block_size is usually sufficient, but AES key wrap with padding
-     * ciphers require in_len+15 even though they have a block size of 8 bytes.
-     *
-     * Using EVP_MAX_BLOCK_LENGTH (32) as a safe upper bound for ciphers
-     * currently implemented in OpenSSL, but this can change in the future.
-     */
-    if (in_len > LONG_MAX - EVP_MAX_BLOCK_LENGTH) {
+    out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
+    if (out_len <= 0) {
 	ossl_raise(rb_eRangeError,
 		   "data too big to make output buffer: %ld bytes", in_len);
     }
-    out_len = in_len + EVP_MAX_BLOCK_LENGTH;
 
     if (NIL_P(str)) {
         str = rb_str_new(0, out_len);
     } else {
         StringValue(str);
-        if ((long)rb_str_capacity(str) >= out_len)
-            rb_str_modify(str);
-        else
-            rb_str_modify_expand(str, out_len - RSTRING_LEN(str));
+        rb_str_resize(str, out_len);
     }
 
     if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
 	ossl_raise(eCipherError, NULL);
-    assert(out_len <= RSTRING_LEN(str));
+    assert(out_len < RSTRING_LEN(str));
     rb_str_set_len(str, out_len);
 
     return str;

data/ext/openssl/ossl_digest.c

@@ -232,7 +232,6 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
         str = rb_str_new(NULL, out_len);
     } else {
         StringValue(str);
-        rb_str_modify(str);
         rb_str_resize(str, out_len);
     }
 

data/ext/openssl/ossl_kdf.c

@@ -3,7 +3,7 @@
  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
  */
 #include "ossl.h"
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
 # include <openssl/kdf.h>
 #endif
 
@@ -141,7 +141,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
 /*
  * call-seq:
  *    KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
@@ -305,7 +305,7 @@ Init_ossl_kdf(void)
 #if defined(HAVE_EVP_PBE_SCRYPT)
     rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OSSL_OPENSSL_PREREQ(1, 1, 0) || OSSL_LIBRESSL_PREREQ(3, 6, 0)
     rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
 #endif
 }

data/ext/openssl/ossl_ocsp.c

@@ -382,7 +382,7 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))
@@ -1033,7 +1033,7 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
     if (!NIL_P(flags))
 	flg = NUM2INT(flags);
     if (NIL_P(digest))
-	md = EVP_sha1();
+	md = NULL;
     else
 	md = ossl_evp_get_digestbyname(digest);
     if (NIL_P(certs))

data/ext/openssl/ossl_pkcs7.c

@@ -165,13 +165,7 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
     out = NULL;
     pkcs7 = SMIME_read_PKCS7(in, &out);
     BIO_free(in);
-    if (!pkcs7)
-        ossl_raise(ePKCS7Error, "Could not parse the PKCS7");
-    if (!pkcs7->d.ptr) {
-        PKCS7_free(pkcs7);
-        ossl_raise(ePKCS7Error, "No content in PKCS7");
-    }
-
+    if(!pkcs7) ossl_raise(ePKCS7Error, NULL);
     data = out ? ossl_membio2str(out) : Qnil;
     SetPKCS7(ret, pkcs7);
     ossl_pkcs7_set_data(ret, data);
@@ -352,10 +346,6 @@ ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
     BIO_free(in);
     if (!p7)
         ossl_raise(rb_eArgError, "Could not parse the PKCS7");
-    if (!p7->d.ptr) {
-        PKCS7_free(p7);
-        ossl_raise(rb_eArgError, "No content in PKCS7");
-    }
 
     RTYPEDDATA_DATA(self) = p7;
     PKCS7_free(p7_orig);

data/ext/openssl/ossl_pkey.h

@@ -92,7 +92,7 @@ void Init_ossl_ec(void);
  */									\
 static VALUE ossl_##_keytype##_get_##_name(VALUE self)			\
 {									\
-	_type *obj;							\
+	const _type *obj;						\
 	const BIGNUM *bn;						\
 									\
 	Get##_type(self, obj);						\

data/ext/openssl/ossl_pkey_dh.c

@@ -178,7 +178,7 @@ ossl_dh_initialize_copy(VALUE self, VALUE other)
 static VALUE
 ossl_dh_is_public(VALUE self)
 {
-    DH *dh;
+    OSSL_3_const DH *dh;
     const BIGNUM *bn;
 
     GetDH(self, dh);
@@ -197,14 +197,14 @@ ossl_dh_is_public(VALUE self)
 static VALUE
 ossl_dh_is_private(VALUE self)
 {
-    DH *dh;
+    OSSL_3_const DH *dh;
     const BIGNUM *bn;
 
     GetDH(self, dh);
     DH_get0_key(dh, NULL, &bn);
 
 #if !defined(OPENSSL_NO_ENGINE)
-    return (bn || DH_get0_engine(dh)) ? Qtrue : Qfalse;
+    return (bn || DH_get0_engine((DH *)dh)) ? Qtrue : Qfalse;
 #else
     return bn ? Qtrue : Qfalse;
 #endif
@@ -223,7 +223,7 @@ ossl_dh_is_private(VALUE self)
 static VALUE
 ossl_dh_export(VALUE self)
 {
-    DH *dh;
+    OSSL_3_const DH *dh;
     BIO *out;
     VALUE str;
 
@@ -252,7 +252,7 @@ ossl_dh_export(VALUE self)
 static VALUE
 ossl_dh_to_der(VALUE self)
 {
-    DH *dh;
+    OSSL_3_const DH *dh;
     unsigned char *p;
     long len;
     VALUE str;
@@ -280,7 +280,7 @@ ossl_dh_to_der(VALUE self)
 static VALUE
 ossl_dh_get_params(VALUE self)
 {
-    DH *dh;
+    OSSL_3_const DH *dh;
     VALUE hash;
     const BIGNUM *p, *q, *g, *pub_key, *priv_key;
 

data/ext/openssl/ossl_pkey_dsa.c

@@ -24,7 +24,7 @@
 } while (0)
 
 static inline int
-DSA_HAS_PRIVATE(DSA *dsa)
+DSA_HAS_PRIVATE(OSSL_3_const DSA *dsa)
 {
     const BIGNUM *bn;
     DSA_get0_key(dsa, NULL, &bn);
@@ -32,7 +32,7 @@ DSA_HAS_PRIVATE(DSA *dsa)
 }
 
 static inline int
-DSA_PRIVATE(VALUE obj, DSA *dsa)
+DSA_PRIVATE(VALUE obj, OSSL_3_const DSA *dsa)
 {
     return DSA_HAS_PRIVATE(dsa) || OSSL_PKEY_IS_PRIVATE(obj);
 }
@@ -179,7 +179,7 @@ ossl_dsa_initialize_copy(VALUE self, VALUE other)
 static VALUE
 ossl_dsa_is_public(VALUE self)
 {
-    DSA *dsa;
+    const DSA *dsa;
     const BIGNUM *bn;
 
     GetDSA(self, dsa);
@@ -198,7 +198,7 @@ ossl_dsa_is_public(VALUE self)
 static VALUE
 ossl_dsa_is_private(VALUE self)
 {
-    DSA *dsa;
+    OSSL_3_const DSA *dsa;
 
     GetDSA(self, dsa);
 
@@ -225,7 +225,7 @@ ossl_dsa_is_private(VALUE self)
 static VALUE
 ossl_dsa_export(int argc, VALUE *argv, VALUE self)
 {
-    DSA *dsa;
+    OSSL_3_const DSA *dsa;
 
     GetDSA(self, dsa);
     if (DSA_HAS_PRIVATE(dsa))
@@ -244,7 +244,7 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
 static VALUE
 ossl_dsa_to_der(VALUE self)
 {
-    DSA *dsa;
+    OSSL_3_const DSA *dsa;
 
     GetDSA(self, dsa);
     if (DSA_HAS_PRIVATE(dsa))
@@ -265,7 +265,7 @@ ossl_dsa_to_der(VALUE self)
 static VALUE
 ossl_dsa_get_params(VALUE self)
 {
-    DSA *dsa;
+    OSSL_3_const DSA *dsa;
     VALUE hash;
     const BIGNUM *p, *q, *g, *pub_key, *priv_key;