openssl 3.2.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5040b959a35f5692d6d19e2bf520e1123da8133fff2f878cfc21c2ff0f145d6e
-  data.tar.gz: dfee6ebd76e423511aa0fc4630f8120edce8fe79d4f40ee7105ccad12c2d3340
+  metadata.gz: a8432d7080faee7ddacde9ce67046b585bed0364f1f63f3e34ca68e28b94c939
+  data.tar.gz: 2e55e3ed68ce1bfa26d38e95481510d126282e4fb44b6f2379efe060cbc6a9d9
 SHA512:
-  metadata.gz: f542ec360be844382829f4bcc46b5cffdfcaf675b02ecdc1cd15a6e80c061476ee4582fdb201ef2dd0f430806d74036233eef3a5c23e5b4028560ad075ed706b
-  data.tar.gz: 0173033ebe6efb76b747cc80835cc9530dd664d038256bbdf963d4940b5f3bfad90be313554f548a911ac0977d4bdc33c088dfd3b6fb8e46db7bcd5d2ec34a8c
+  metadata.gz: 8b47e7a7d5e2eb91a2beb38a3054f51bbec651823e4644ac16778d5a9d60545b8e53f8065ad8aa059d880d19aa01d7d5e171f8aea4d7262a62717221a4c47d1f
+  data.tar.gz: b3fd16b1cbe564abcafcf849c9666644f6a74672bd65c4019ba008e7f377b1ed4b121d89d9bc6f8b38306ee0c76ed60e1df798b6fe3533d633389393263438f7

data/CONTRIBUTING.md

@@ -10,7 +10,7 @@ Bugs and feature requests are tracked on [GitHub].
 
 If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
-["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
+["Security at ruby-lang.org"][Ruby Security].
 
 When reporting a bug, please make sure you include:
 
@@ -22,26 +22,25 @@ When reporting a bug, please make sure you include:
 
 There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
-[known issues].
+[known issues][Issues].
 
 ## Submitting patches
 
 Patches are also very welcome!
 
-Please submit a [pull request] with your changes.
+Please submit a [pull request][Compare changes] with your changes.
 
 Make sure that your branch does:
 
 * Have good commit messages
-* Follow Ruby's coding style ([DeveloperHowTo])
+* Follow Ruby's coding style ([Developer-How-To][Ruby Developer-How-To])
 * Pass the test suite successfully (see "Testing")
 
 ## Testing
 
 We have a test suite!
 
-Test cases are located under the
-[`test/openssl`](https://github.com/ruby/openssl/tree/master/test/openssl)
+Test cases are located under the [`test/openssl`][GitHub test/openssl]
 directory.
 
 You can run it with the following three commands:
@@ -54,31 +53,176 @@ $ bundle exec rake test
 
 ### With different versions of OpenSSL
 
-Ruby OpenSSL supports various versions of OpenSSL library. The test suite needs
-to pass on all supported combinations.
+Ruby OpenSSL supports various versions of the OpenSSL library. The test suite
+needs to pass on all supported combinations.
 
-Similarly to when installing `openssl` gem via the `gem` command,
-you can pass a `--with-openssl-dir` argument to `rake compile`
-to specify the OpenSSL library to build against.
+If you want to test, debug, report an issue, or contribute to the Ruby OpenSSL
+or [the OpenSSL project][OpenSSL] in the non-FIPS or the
+[FIPS][OpenSSL README-FIPS] case, compiling OpenSSL from the source by yourself
+is a good practice.
+
+The following steps are tested in Linux and GCC environment. You can adjust the
+commands in the steps for a different environment.
+
+To download the OpenSSL source from the Git repository, you can run the following
+commands:
+
+```
+$ git clone https://github.com/openssl/openssl.git
+$ cd openssl
+```
+
+You see the `master` branch used as a development branch. Testing against the
+latest OpenSSL master branch is a good practice to report an issue to the
+OpenSSL project.
+
+```
+$ git branch | grep '^*'
+* master
+```
+
+If you test against the latest stable branch, you can run the following command.
+In this example, the `openssl-3.1` branch is the stable branch of OpenSSL 3.1
+series.
+
+```
+$ git checkout openssl-3.1
+```
+
+To configure OpenSSL, you can run the following commands.
+
+In this example, we use the `OPENSSL_DIR` environment variable to specify the
+OpenSSL installed directory for convenience. Including the commit hash in the
+directory name is a good practice.
+
+```
+$ git rev-parse --short HEAD
+0bf18140f4
+
+$ OPENSSL_DIR=$HOME/.openssl/openssl-fips-debug-0bf18140f4
+```
+
+The following configuration options are useful in this case.
+You can check [OpenSSL installation document][OpenSSL INSTALL] for details.
+
+* `enable-fips`: Add an option to run with the OpenSSL FIPS module.
+* `enable-trace`: Add an option to enabling tracing log. You can trace logs by
+  implementing a code. See the man page [OSSL_TRACE(3)][OpenSSL OSSL_TRACE] for
+  details.
+* compiler flags
+  * `-Wl,-rpath,$(LIBRPATH)`: Set the runtime shared library path to run the
+    `openssl` command without the `LD_LIBRARY_PATH`. You can check
+    [this document][OpenSSL NOTES-UNIX] for details.
+  * `-O0 -g3 -ggdb3 -gdwarf-5`: You can set debugging compiler flags.
 
 ```
-$ ( curl -OL https://ftp.openssl.org/source/openssl-3.0.1.tar.gz &&
-    tar xf openssl-3.0.1.tar.gz &&
-    cd openssl-3.0.1 &&
-    ./config --prefix=$HOME/.openssl/openssl-3.0.1 --libdir=lib &&
-    make -j4 &&
-    make install )
+$ ./Configure \
+  --prefix=$OPENSSL_DIR \
+  --libdir=lib \
+  enable-fips \
+  enable-trace \
+  '-Wl,-rpath,$(LIBRPATH)' \
+  -O0 -g3 -ggdb3 -gdwarf-5
+$ make -j4
+$ make install
+```
+
+To print installed OpenSSL version, you can run the following command:
+
+```
+$ $OPENSSL_DIR/bin/openssl version
+OpenSSL 3.2.0-alpha3-dev  (Library: OpenSSL 3.2.0-alpha3-dev )
+```
+
+Change the current working directory into Ruby OpenSSL's source directory.
+
+To compile Ruby OpenSSL, you can run the following commands:
 
-$ # in Ruby/OpenSSL's source directory
+Similarly to when installing `openssl` gem via the `gem` command, you can pass a
+`--with-openssl-dir` argument to `rake compile` to specify the OpenSSL library
+ to build against.
+
+* `MAKEFLAGS="V=1"`: Enable the compiler command lines to print in
+  the log.
+* `RUBY_OPENSSL_EXTCFLAGS`: Set extra compiler flags to compile Ruby OpenSSL.
+
+```
 $ bundle exec rake clean
-$ bundle exec rake compile -- --with-openssl-dir=$HOME/.openssl/openssl-3.0.1
+$ MAKEFLAGS="V=1" \
+  RUBY_OPENSSL_EXTCFLAGS="-O0 -g3 -ggdb3 -gdwarf-5" \
+  bundle exec rake compile -- --with-openssl-dir=$OPENSSL_DIR
+```
+
+#### Testing normally in non-FIPS case
+
+To test Ruby OpenSSL, you can run the following command:
+
+```
 $ bundle exec rake test
 ```
 
-The GitHub Actions workflow file
-[`test.yml`](https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml)
-contains useful information for building OpenSSL/LibreSSL and testing against
-them.
+#### Testing in FIPS case
+
+To use OpenSSL 3.0 or later versions in a FIPS-approved manner, you must load the
+`fips` and `base` providers, and also use the property query `fips=yes`. The
+property query is used when fetching cryptographic algorithm implementations.
+This must be done at the startup of a process to avoid implicitly loading the
+`default` provider which has the non-FIPS cryptographic algorithm
+implementations. See also the man page [fips_module(7)][OpenSSL fips_module].
+
+You can set this in your OpenSSL configuration file by either appropriately
+modifying the default OpenSSL configuration file located at
+`OpenSSL::Config::DEFAULT_CONFIG_FILE` or temporarily overriding it with the
+`OPENSSL_CONF` environment variable.
+
+In this example, we explain on the latter way.
+
+You can create a OpenSSL FIPS config `openssl_fips.cnf` file based on the
+`openssl_fips.cnf.tmpl` file in this repository, and replacing the placeholder
+`OPENSSL_DIR` with your OpenSSL installed directory.
+
+```
+$ sed -e "s|OPENSSL_DIR|$OPENSSL_DIR|" tool/openssl_fips.cnf.tmpl | \
+  tee $OPENSSL_DIR/ssl/openssl_fips.cnf
+```
+
+You can see the base and fips providers by running the following command if you
+setup the OpenSSL FIPS config file properly.
+
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  $OPENSSL_DIR/bin/openssl list -providers
+Providers:
+  base
+    name: OpenSSL Base Provider
+    version: 3.2.0
+    status: active
+  fips
+    name: OpenSSL FIPS Provider
+    version: 3.2.0
+    status: active
+```
+
+You can run the current tests in the FIPS module case used in the GitHub
+Actions file `test.yml` explained in a later sentence.
+
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  bundle exec rake test_fips
+```
+
+You can also run the all the tests in the FIPS module case. You see many
+failures. We are working in progress to fix the failures. Your contribution is
+welcome.
+
+```
+$ OPENSSL_CONF=$OPENSSL_DIR/ssl/openssl_fips.cnf \
+  TEST_RUBY_OPENSSL_FIPS_ENABLED=true \
+  bundle exec rake test
+```
+
+The GitHub Actions workflow file [`test.yml`][GitHub test.yml] contains useful
+information for building OpenSSL/LibreSSL and testing against them.
 
 
 ## Relation with Ruby source tree
@@ -103,7 +247,7 @@ security issue handling procedure for Ruby core.
 
 You can either use [HackerOne] or send an email to security@ruby-lang.org.
 
-Please see [Security] page on ruby-lang.org website for details.
+Please see [Security][Ruby Security] page on ruby-lang.org website for details.
 
 Reported problems will be published after a fix is released.
 
@@ -112,9 +256,16 @@ _Thanks for your contributions!_
   _\- The Ruby OpenSSL team_
 
 [GitHub]: https://github.com/ruby/openssl
-[known issues]: https://github.com/ruby/openssl/issues
-[DeveloperHowTo]: https://bugs.ruby-lang.org/projects/ruby/wiki/DeveloperHowto
+[Issues]: https://github.com/ruby/openssl/issues
+[Compare changes]: https://github.com/ruby/openssl/compare
+[GitHub test/openssl]: https://github.com/ruby/openssl/tree/master/test/openssl
+[GitHub test.yml]: https://github.com/ruby/openssl/tree/master/.github/workflows/test.yml
+[Ruby Developer-How-To]: https://github.com/ruby/ruby/wiki/Developer-How-To
+[Ruby Security]: https://www.ruby-lang.org/en/security/
 [HackerOne]: https://hackerone.com/ruby
-[Security]: https://www.ruby-lang.org/en/security/
-[pull request]: https://github.com/ruby/openssl/compare
-[History.md]: https://github.com/ruby/openssl/tree/master/History.md
+[OpenSSL]: https://www.openssl.org/
+[OpenSSL INSTALL]: https://github.com/openssl/openssl/blob/master/INSTALL.md
+[OpenSSL README-FIPS]: https://github.com/openssl/openssl/blob/master/README-FIPS.md
+[OpenSSL NOTES-UNIX]: https://github.com/openssl/openssl/blob/master/NOTES-UNIX.md
+[OpenSSL OSSL_TRACE]: https://www.openssl.org/docs/manmaster/man3/OSSL_TRACE.html
+[OpenSSL fips_module]: https://www.openssl.org/docs/manmaster/man7/fips_module.html

data/History.md

@@ -1,3 +1,85 @@
+Version 3.3.0
+=============
+
+Compatibility
+-------------
+
+* Ruby version: 2.7 or later
+* OpenSSL version: OpenSSL 1.0.2 or later, and LibreSSL 3.1 or later
+
+Notable changes
+---------------
+
+* `OpenSSL::SSL`
+  - `OpenSSL::SSL::SSLSocket#set_params` no longer sets `#min_version=` to TLS
+    1.0 except when OpenSSL 1.0.2 is used. This has been done to disable
+    SSL 3.0, which is not supported by default in OpenSSL 1.1.0 or later, or in
+    LibreSSL. This lets it respect the system default if the system-wide
+    configuration file specifies a higher minimum protocol version.
+    [[GitHub #710]](https://github.com/ruby/openssl/pull/710)
+  - `OpenSSL::SSL::SSLSocket.new` no longer enables the `OpenSSL::SSL::OP_ALL`
+    SSL options by default and follows the system default.
+    [[GitHub #767]](https://github.com/ruby/openssl/pull/767)
+  - Add the following IO methods to `OpenSSL::SSL::SSLSocket`, which will pass
+    along to the underlying socket: `#local_address`, `#remote_address`,
+    `#close_on_exec=`, `#close_on_exec?`, `#wait`, `#wait_readable`, and
+    `#wait_writable`.
+    [[GitHub #708]](https://github.com/ruby/openssl/pull/708)
+  - Update `OpenSSL::SSL::SSLSocket#gets` to take the `chomp` keyword argument.
+    [[GitHub #708]](https://github.com/ruby/openssl/pull/708)
+  - Make `OpenSSL::SSL::SSLSocket` respect the `IO#timeout` value of the
+    underlying socket on Ruby 3.2 or later. `#timeout` and `#timeout=` methods
+    are also added.
+    [[GitHub #714]](https://github.com/ruby/openssl/pull/714)
+  - Add `OpenSSL::SSL::SSLSocket#close_read` and `#close_write`.
+    [[GitHub #743]](https://github.com/ruby/openssl/pull/743)
+  - Add `OpenSSL::Digest.digests` to get a list of all available digest
+    algorithms.
+    [[GitHub #726]](https://github.com/ruby/openssl/pull/726)
+  - Fix `OpenSSL::SSL::SSLSocket#read_nonblock` clearing the passed String
+    buffer when nothing can be read from the connection.
+    [[GitHub #739]](https://github.com/ruby/openssl/pull/739)
+* Add `#to_text` methods to `OpenSSL::Timestamp::Response`,
+  `OpenSSL::Timestamp::Request`, `OpenSSL::Timestamp::TokenInfo`, and
+  `OpenSSL::PKCS7` to get a human-readable representation of the object.
+  [[GitHub #756]](https://github.com/ruby/openssl/pull/756)
+* Add `OpenSSL::X509::Certificate#tbs_bytes` to get the DER encoding of the
+  TBSCertificate.
+  [[GitHub #753]](https://github.com/ruby/openssl/pull/753)
+* Allow passing `nil` as the digest algorithm to `#sign` methods on
+  `OpenSSL::X509::Certificate`, `OpenSSL::X509::Request`, and
+  `OpenSSL::X509::CRL`. This adds supports for signing with EdDSA keys.
+  [[GitHub #761]](https://github.com/ruby/openssl/pull/761)
+  [[GitHub #804]](https://github.com/ruby/openssl/pull/804)
+* Add `OpenSSL::SSL::SSLSocket#readbyte`.
+  [[GitHub #771]](https://github.com/ruby/openssl/pull/771)
+* Change `OpenSSL::X509::Store#time=` to set the time to the `X509_VERIFY_PARAM`
+  in the `X509_STORE`. This allows `OpenSSL::Timestamp::Response#verify` to
+  verify a signature with the specified timestamp.
+  [[GitHub #770]](https://github.com/ruby/openssl/pull/770)
+* Make `OpenSSL::PKCS7.encrypt`'s third parameter `cipher` mandatory. It had
+  an undocumented default value "RC2-40-CBC", which is not only insecure, but
+  also not supported in OpenSSL 3.0 or later.
+  [[GitHub #796]](https://github.com/ruby/openssl/pull/796)
+* Make `OpenSSL::BN` shareable between ractors when frozen.
+  [[GitHub #808]](https://github.com/ruby/openssl/pull/808)
+* Make `OpenSSL::Config` instances frozen by default, and make it shareable
+  between ractors. `OpenSSL::Config::DEFAULT_CONFIG_FILE` is also frozen.
+  [[GitHub #809]](https://github.com/ruby/openssl/pull/809)
+* Add `OpenSSL::PKCS12#set_mac` to configure the MAC parameters and recalculate
+  a MAC for the content.
+  [[GitHub #788]](https://github.com/ruby/openssl/pull/788)
+
+And various non-user-visible changes and bug fixes. Please see the commit
+history for more details.
+
+
+Version 3.2.1
+=============
+
+Merged changes in 3.0.3.
+
+
 Version 3.2.0
 =============
 
@@ -38,6 +120,12 @@ Notable changes
   [[GitHub #141]](https://github.com/ruby/openssl/pull/141)
 
 
+Version 3.1.1
+=============
+
+Merged changes in 3.0.3.
+
+
 Version 3.1.0
 =============
 
@@ -74,6 +162,31 @@ Notable changes
   LibreSSL 3.6 and Ed25519 support in LibreSSL 3.7.
 
 
+Version 3.0.3
+=============
+
+Bug fixes
+---------
+
+* Fix a performance regression introduced in v2.1.3 on a buffered write to
+  `SSLSocket`.
+  [[GitHub #706]](https://github.com/ruby/openssl/pull/706)
+* Fix `OpenSSL::PKCS7` to handle PKCS#7 structures without content.
+  [[GitHub #690]](https://github.com/ruby/openssl/pull/690)
+  [[GitHub #752]](https://github.com/ruby/openssl/pull/752)
+* Fix `OpenSSL::ASN1::ObjectId#==` with OIDs without a known name.
+  [[GitHub #791]](https://github.com/ruby/openssl/issues/791)
+  [[GitHub #792]](https://github.com/ruby/openssl/pull/792)
+* Fix `OpenSSL::X509::Certificate#crl_uris` to handle CDP with multiple CRL
+  URIs.
+  [[GitHub #775]](https://github.com/ruby/openssl/issues/775)
+  [[GitHub #776]](https://github.com/ruby/openssl/pull/776)
+* Fix `OpenSSL::Cipher#update` to always make the output buffer `String`
+  independent.
+  [[Bug #20937]](https://bugs.ruby-lang.org/issues/20937)
+  [[GitHub #824]](https://github.com/ruby/openssl/pull/824)
+
+
 Version 3.0.2
 =============
 
@@ -457,7 +570,7 @@ Security fixes
 Bug fixes
 ---------
 
-* Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
+* Fixed OpenSSL::PKey::\*.{new,generate} immediately aborting if the thread is
   interrupted.
   [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
   [[GitHub #205]](https://github.com/ruby/openssl/pull/205)

data/README.md

@@ -18,10 +18,11 @@ included as a default gem in [supported Ruby branches][Ruby Maintenance Branches
 
 |Version|Maintenance status             |Ruby compatibility|OpenSSL compatibility                       |
 |-------|-------------------------------|------------------|--------------------------------------------|
-|3.2.x  |normal maintenance (Ruby 3.3)  |Ruby 2.7+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|3.1.x  |normal maintenance (Ruby 3.2)  |Ruby 2.6+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|3.0.x  |normal maintenance (Ruby 3.1)  |Ruby 2.6+         |OpenSSL 1.0.2-3.1 (current) or LibreSSL 3.1+|
-|2.2.x  |security maintenance (Ruby 3.0)|Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+        |
+|3.3.x  |normal maintenance (Ruby 3.4)  |Ruby 2.7+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.2.x  |normal maintenance (Ruby 3.3)  |Ruby 2.7+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.1.x  |normal maintenance (Ruby 3.2)  |Ruby 2.6+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|3.0.x  |security maintenance (Ruby 3.1)|Ruby 2.6+         |OpenSSL 1.0.2-3.4 (current) or LibreSSL 3.1+|
+|2.2.x  |end-of-life (Ruby 3.0)         |Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.9+        |
 |2.1.x  |end-of-life (Ruby 2.5-2.7)     |Ruby 2.3+         |OpenSSL 1.0.1-1.1.1 or LibreSSL 2.5+        |
 |2.0.x  |end-of-life (Ruby 2.4)         |Ruby 2.3+         |OpenSSL 0.9.8-1.1.1 or LibreSSL 2.3+        |
 
@@ -32,8 +33,7 @@ included as a default gem in [supported Ruby branches][Ruby Maintenance Branches
 
 > **Note**
 > The openssl gem is included with Ruby by default, but you may wish to upgrade
-> it to a newer version available at
-> [rubygems.org](https://rubygems.org/gems/openssl).
+> it to a newer version available at [rubygems.org][RubyGems.org openssl].
 
 To upgrade it, you can use RubyGems:
 
@@ -59,6 +59,8 @@ gem 'openssl', git: 'https://github.com/ruby/openssl'
 
 After running `bundle install`, you should have the gem installed in your bundle.
 
+[RubyGems.org openssl]: https://rubygems.org/gems/openssl
+
 ## Usage
 
 Once installed, you can require "openssl" in your application.
@@ -80,4 +82,6 @@ Please read our [CONTRIBUTING.md] for instructions.
 ## Security
 
 Security issues should be reported to ruby-core by following the process
-described on ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
+described on ["Security at ruby-lang.org"][Security].
+
+[Security]: https://www.ruby-lang.org/en/security/

data/ext/openssl/extconf.rb

@@ -8,19 +8,12 @@
 
 = Licence
   This program is licensed under the same licence as Ruby.
-  (See the file 'LICENCE'.)
+  (See the file 'COPYING'.)
 =end
 
 require "mkmf"
 
-ssl_dirs = nil
-if defined?(::TruffleRuby)
-  # Always respect the openssl prefix chosen by truffle/openssl-prefix
-  require 'truffle/openssl-prefix'
-  ssl_dirs = dir_config("openssl", ENV["OPENSSL_PREFIX"])
-else
-  ssl_dirs = dir_config("openssl")
-end
+ssl_dirs = dir_config("openssl")
 dir_config_given = ssl_dirs.any?
 
 _, ssl_ldir = ssl_dirs
@@ -49,6 +42,7 @@ $defs.push("-D""OPENSSL_SUPPRESS_DEPRECATED")
 
 have_func("rb_io_descriptor")
 have_func("rb_io_maybe_wait(0, Qnil, Qnil, Qnil)", "ruby/io.h") # Ruby 3.1
+have_func("rb_io_timeout", "ruby/io.h")
 
 Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
@@ -155,6 +149,9 @@ engines.each { |name|
   have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 
+# missing in libressl < 3.5
+have_func("i2d_re_X509_tbs(NULL, NULL)", x509_h)
+
 # added in 1.1.0
 if !have_struct_member("SSL", "ctx", "openssl/ssl.h") || is_libressl
   $defs.push("-DHAVE_OPAQUE_OPENSSL")
@@ -193,6 +190,7 @@ have_func("TS_VERIFY_CTX_add_flags(NULL, 0)", ts_h)
 have_func("TS_RESP_CTX_set_time_cb(NULL, NULL, NULL)", ts_h)
 have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
 have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
+have_func("X509_STORE_get0_param(NULL)", x509_h)
 
 # added in 1.1.1
 have_func("EVP_PKEY_check(NULL)", evp_h)

data/ext/openssl/openssl_missing.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include RUBY_EXTCONF_H
 

data/ext/openssl/openssl_missing.h

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_OPENSSL_MISSING_H_)
 #define _OSSL_OPENSSL_MISSING_H_

data/ext/openssl/ossl.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 #include <stdarg.h> /* for ossl_raise */
@@ -355,7 +355,7 @@ ossl_clear_error(void)
  * Any errors you see here are probably due to a bug in Ruby's OpenSSL
  * implementation.
  */
-VALUE
+static VALUE
 ossl_get_errors(VALUE _)
 {
     VALUE ary;
@@ -1150,24 +1150,22 @@ Init_openssl(void)
     /*
      * Init components
      */
+    Init_ossl_asn1();
     Init_ossl_bn();
     Init_ossl_cipher();
     Init_ossl_config();
     Init_ossl_digest();
+    Init_ossl_engine();
     Init_ossl_hmac();
+    Init_ossl_kdf();
     Init_ossl_ns_spki();
+    Init_ossl_ocsp();
     Init_ossl_pkcs12();
     Init_ossl_pkcs7();
     Init_ossl_pkey();
+    Init_ossl_provider();
     Init_ossl_rand();
     Init_ossl_ssl();
-#ifndef OPENSSL_NO_TS
     Init_ossl_ts();
-#endif
     Init_ossl_x509();
-    Init_ossl_ocsp();
-    Init_ossl_engine();
-    Init_ossl_provider();
-    Init_ossl_asn1();
-    Init_ossl_kdf();
 }

data/ext/openssl/ossl.h

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_H_)
 #define _OSSL_H_
@@ -17,6 +17,12 @@
 #include <errno.h>
 #include <ruby/io.h>
 #include <ruby/thread.h>
+#ifdef HAVE_RUBY_RACTOR_H
+#include <ruby/ractor.h>
+#else
+#define RUBY_TYPED_FROZEN_SHAREABLE 0
+#endif
+
 #include <openssl/opensslv.h>
 
 #include <openssl/err.h>
@@ -39,6 +45,7 @@
 #include <openssl/dsa.h>
 #include <openssl/evp.h>
 #include <openssl/dh.h>
+#include "openssl_missing.h"
 
 #ifndef LIBRESSL_VERSION_NUMBER
 # define OSSL_IS_LIBRESSL 0
@@ -172,28 +179,25 @@ extern VALUE dOSSL;
 /*
  * Include all parts
  */
-#include "openssl_missing.h"
 #include "ossl_asn1.h"
 #include "ossl_bio.h"
 #include "ossl_bn.h"
 #include "ossl_cipher.h"
 #include "ossl_config.h"
 #include "ossl_digest.h"
+#include "ossl_engine.h"
 #include "ossl_hmac.h"
+#include "ossl_kdf.h"
 #include "ossl_ns_spki.h"
 #include "ossl_ocsp.h"
 #include "ossl_pkcs12.h"
 #include "ossl_pkcs7.h"
 #include "ossl_pkey.h"
+#include "ossl_provider.h"
 #include "ossl_rand.h"
 #include "ossl_ssl.h"
-#ifndef OPENSSL_NO_TS
-  #include "ossl_ts.h"
-#endif
+#include "ossl_ts.h"
 #include "ossl_x509.h"
-#include "ossl_engine.h"
-#include "ossl_provider.h"
-#include "ossl_kdf.h"
 
 void Init_openssl(void);