openssl 3.2.4 → 3.3.0

data/ext/openssl/ossl_bn.c

@@ -5,15 +5,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 /* modified by Michal Rokos <m.rokos@sh.cvut.cz> */
 #include "ossl.h"
 
-#ifdef HAVE_RB_EXT_RACTOR_SAFE
-#include <ruby/ractor.h>
-#endif
-
 #define NewBN(klass) \
   TypedData_Wrap_Struct((klass), &ossl_bn_type, 0)
 #define SetBN(obj, bn) do { \
@@ -41,7 +37,7 @@ static const rb_data_type_t ossl_bn_type = {
     {
 	0, ossl_bn_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FROZEN_SHAREABLE,
 };
 
 /*
@@ -53,7 +49,7 @@ VALUE cBN;
  *
  * Generic Error for all of OpenSSL::BN (big num)
  */
-VALUE eBNError;
+static VALUE eBNError;
 
 /*
  * Public
@@ -156,19 +152,19 @@ ossl_bn_value_ptr(volatile VALUE *ptr)
  */
 
 #ifdef HAVE_RB_EXT_RACTOR_SAFE
-void
+static void
 ossl_bn_ctx_free(void *ptr)
 {
     BN_CTX *ctx = (BN_CTX *)ptr;
     BN_CTX_free(ctx);
 }
 
-struct rb_ractor_local_storage_type ossl_bn_ctx_key_type = {
+static struct rb_ractor_local_storage_type ossl_bn_ctx_key_type = {
     NULL, // mark
     ossl_bn_ctx_free,
 };
 
-rb_ractor_local_key_t ossl_bn_ctx_key;
+static rb_ractor_local_key_t ossl_bn_ctx_key;
 
 BN_CTX *
 ossl_bn_ctx_get(void)
@@ -244,7 +240,7 @@ ossl_bn_alloc(VALUE klass)
  *     number.
  *   - +10+ - Decimal number representation, with a leading '-' for a negative
  *     number.
- *   - +16+ - Hexadeciaml number representation, with a leading '-' for a
+ *   - +16+ - Hexadecimal number representation, with a leading '-' for a
  *     negative number.
  */
 static VALUE
@@ -263,6 +259,7 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
         ossl_raise(rb_eArgError, "invalid argument");
     }
 
+    rb_check_frozen(self);
     if (RB_INTEGER_TYPE_P(str)) {
 	GetBN(self, bn);
 	integer_to_bnptr(str, bn);
@@ -326,7 +323,7 @@ ossl_bn_initialize(int argc, VALUE *argv, VALUE self)
  *     the bignum is ignored.
  *   - +10+ - Decimal number representation, with a leading '-' for a negative
  *     bignum.
- *   - +16+ - Hexadeciaml number representation, with a leading '-' for a
+ *   - +16+ - Hexadecimal number representation, with a leading '-' for a
  *     negative bignum.
  */
 static VALUE
@@ -693,6 +690,7 @@ BIGNUM_3c(mod_exp)
     ossl_bn_##func(VALUE self, VALUE bit)		\
     {							\
 	BIGNUM *bn;					\
+	rb_check_frozen(self);				\
 	GetBN(self, bn);				\
 	if (BN_##func(bn, NUM2INT(bit)) <= 0) {		\
 	    ossl_raise(eBNError, NULL);			\
@@ -782,6 +780,7 @@ BIGNUM_SHIFT(rshift)
     {							\
 	BIGNUM *bn;					\
 	int b;						\
+	rb_check_frozen(self);				\
 	b = NUM2INT(bits);				\
 	GetBN(self, bn);				\
 	if (BN_##func(bn, bn, b) <= 0)			\
@@ -1191,6 +1190,7 @@ ossl_bn_set_flags(VALUE self, VALUE arg)
     BIGNUM *bn;
     GetBN(self, bn);
 
+    rb_check_frozen(self);
     BN_set_flags(bn, NUM2INT(arg));
     return Qnil;
 }

data/ext/openssl/ossl_bn.h

@@ -5,13 +5,12 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_BN_H_)
 #define _OSSL_BN_H_
 
 extern VALUE cBN;
-extern VALUE eBNError;
 
 BN_CTX *ossl_bn_ctx_get(void);
 #define ossl_bn_ctx ossl_bn_ctx_get()

data/ext/openssl/ossl_cipher.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -30,8 +30,8 @@
 /*
  * Classes
  */
-VALUE cCipher;
-VALUE eCipherError;
+static VALUE cCipher;
+static VALUE eCipherError;
 static ID id_auth_tag_len, id_key_set;
 
 static VALUE ossl_cipher_alloc(VALUE klass);
@@ -457,8 +457,8 @@ ossl_cipher_final(VALUE self)
  *  call-seq:
  *     cipher.name -> string
  *
- *  Returns the name of the cipher which may differ slightly from the original
- *  name provided.
+ *  Returns the short name of the cipher which may differ slightly from the
+ *  original name provided.
  */
 static VALUE
 ossl_cipher_name(VALUE self)

data/ext/openssl/ossl_cipher.h

@@ -5,14 +5,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_CIPHER_H_)
 #define _OSSL_CIPHER_H_
 
-extern VALUE cCipher;
-extern VALUE eCipherError;
-
 const EVP_CIPHER *ossl_evp_get_cipherbyname(VALUE);
 VALUE ossl_cipher_new(const EVP_CIPHER *);
 void Init_ossl_cipher(void);

data/ext/openssl/ossl_config.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -22,7 +22,7 @@ static const rb_data_type_t ossl_config_type = {
     {
         0, nconf_free,
     },
-    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FROZEN_SHAREABLE,
 };
 
 CONF *
@@ -87,6 +87,7 @@ config_s_parse(VALUE klass, VALUE str)
 
     bio = ossl_obj2bio(&str);
     config_load_bio(conf, bio); /* Consumes BIO */
+    rb_obj_freeze(obj);
     return obj;
 }
 
@@ -144,6 +145,7 @@ config_initialize(int argc, VALUE *argv, VALUE self)
             ossl_raise(eConfigError, "BIO_new_file");
         config_load_bio(conf, bio); /* Consumes BIO */
     }
+    rb_obj_freeze(self);
     return self;
 }
 
@@ -158,6 +160,7 @@ config_initialize_copy(VALUE self, VALUE other)
     rb_check_frozen(self);
     bio = ossl_obj2bio(&str);
     config_load_bio(conf, bio); /* Consumes BIO */
+    rb_obj_freeze(self);
     return self;
 }
 
@@ -305,18 +308,16 @@ static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE, VALUE)
  *
  * Gets the parsable form of the current configuration.
  *
- * Given the following configuration being created:
+ * Given the following configuration file being loaded:
  *
- *   config = OpenSSL::Config.new
- *     #=> #<OpenSSL::Config sections=[]>
- *   config['default'] = {"foo"=>"bar","baz"=>"buz"}
- *     #=> {"foo"=>"bar", "baz"=>"buz"}
+ *   config = OpenSSL::Config.load('baz.cnf')
+ *     #=> #<OpenSSL::Config sections=["default"]>
  *   puts config.to_s
  *     #=> [ default ]
  *     #   foo=bar
  *     #   baz=buz
  *
- * You can parse get the serialized configuration using #to_s and then parse
+ * You can get the serialized configuration using #to_s and then parse
  * it later:
  *
  *   serialized_config = config.to_s
@@ -455,6 +456,6 @@ Init_ossl_config(void)
      * The default system configuration file for OpenSSL.
      */
     path = CONF_get1_default_config_file();
-    path_str = ossl_buf2str(path, rb_long2int(strlen(path)));
+    path_str = rb_obj_freeze(ossl_buf2str(path, rb_long2int(strlen(path))));
     rb_define_const(cConfig, "DEFAULT_CONFIG_FILE", path_str);
 }

data/ext/openssl/ossl_config.h

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #ifndef OSSL_CONFIG_H
 #define OSSL_CONFIG_H

data/ext/openssl/ossl_digest.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -19,8 +19,8 @@
 /*
  * Classes
  */
-VALUE cDigest;
-VALUE eDigestError;
+static VALUE cDigest;
+static VALUE eDigestError;
 
 static VALUE ossl_digest_alloc(VALUE klass);
 
@@ -96,14 +96,15 @@ ossl_digest_alloc(VALUE klass)
     return TypedData_Wrap_Struct(klass, &ossl_digest_type, 0);
 }
 
-VALUE ossl_digest_update(VALUE, VALUE);
+static VALUE ossl_digest_update(VALUE, VALUE);
 
 /*
  *  call-seq:
  *     Digest.new(string [, data]) -> Digest
  *
  * Creates a Digest instance based on _string_, which is either the ln
- * (long name) or sn (short name) of a supported digest algorithm.
+ * (long name) or sn (short name) of a supported digest algorithm. A list of
+ * supported algorithms can be obtained by calling OpenSSL::Digest.digests.
  *
  * If _data_ (a String) is given, it is used as the initial input to the
  * Digest instance, i.e.
@@ -162,6 +163,32 @@ ossl_digest_copy(VALUE self, VALUE other)
     return self;
 }
 
+static void
+add_digest_name_to_ary(const OBJ_NAME *name, void *arg)
+{
+    VALUE ary = (VALUE)arg;
+    rb_ary_push(ary, rb_str_new2(name->name));
+}
+
+/*
+ *  call-seq:
+ *     OpenSSL::Digest.digests -> array[string...]
+ *
+ *  Returns the names of all available digests in an array.
+ */
+static VALUE
+ossl_s_digests(VALUE self)
+{
+    VALUE ary;
+
+    ary = rb_ary_new();
+    OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
+                    add_digest_name_to_ary,
+                    (void*)ary);
+
+    return ary;
+}
+
 /*
  *  call-seq:
  *     digest.reset -> self
@@ -198,7 +225,7 @@ ossl_digest_reset(VALUE self)
  *   result = digest.digest
  *
  */
-VALUE
+static VALUE
 ossl_digest_update(VALUE self, VALUE data)
 {
     EVP_MD_CTX *ctx;
@@ -218,24 +245,13 @@ ossl_digest_update(VALUE self, VALUE data)
  *
  */
 static VALUE
-ossl_digest_finish(int argc, VALUE *argv, VALUE self)
+ossl_digest_finish(VALUE self)
 {
     EVP_MD_CTX *ctx;
     VALUE str;
-    int out_len;
 
     GetDigest(self, ctx);
-    rb_scan_args(argc, argv, "01", &str);
-    out_len = EVP_MD_CTX_size(ctx);
-
-    if (NIL_P(str)) {
-        str = rb_str_new(NULL, out_len);
-    } else {
-        StringValue(str);
-        rb_str_modify(str);
-        rb_str_resize(str, out_len);
-    }
-
+    str = rb_str_new(NULL, EVP_MD_CTX_size(ctx));
     if (!EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL))
 	ossl_raise(eDigestError, "EVP_DigestFinal_ex");
 
@@ -246,7 +262,8 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
  *  call-seq:
  *      digest.name -> string
  *
- * Returns the sn of this Digest algorithm.
+ * Returns the short name of this Digest algorithm which may differ slightly
+ * from the original name provided.
  *
  * === Example
  *   digest = OpenSSL::Digest.new('SHA512')
@@ -413,12 +430,13 @@ Init_ossl_digest(void)
 
     rb_define_alloc_func(cDigest, ossl_digest_alloc);
 
+    rb_define_module_function(cDigest, "digests", ossl_s_digests, 0);
     rb_define_method(cDigest, "initialize", ossl_digest_initialize, -1);
     rb_define_method(cDigest, "initialize_copy", ossl_digest_copy, 1);
     rb_define_method(cDigest, "reset", ossl_digest_reset, 0);
     rb_define_method(cDigest, "update", ossl_digest_update, 1);
     rb_define_alias(cDigest, "<<", "update");
-    rb_define_private_method(cDigest, "finish", ossl_digest_finish, -1);
+    rb_define_private_method(cDigest, "finish", ossl_digest_finish, 0);
     rb_define_method(cDigest, "digest_length", ossl_digest_size, 0);
     rb_define_method(cDigest, "block_length", ossl_digest_block_length, 0);
 

data/ext/openssl/ossl_digest.h

@@ -5,14 +5,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_DIGEST_H_)
 #define _OSSL_DIGEST_H_
 
-extern VALUE cDigest;
-extern VALUE eDigestError;
-
 const EVP_MD *ossl_evp_get_digestbyname(VALUE);
 VALUE ossl_digest_new(const EVP_MD *);
 void Init_ossl_digest(void);

data/ext/openssl/ossl_engine.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -37,12 +37,12 @@
  *
  * See also, https://www.openssl.org/docs/crypto/engine.html
  */
-VALUE cEngine;
+static VALUE cEngine;
 /* Document-class: OpenSSL::Engine::EngineError
  *
  * This is the generic exception for OpenSSL::Engine related errors
  */
-VALUE eEngineError;
+static VALUE eEngineError;
 
 /*
  * Private

data/ext/openssl/ossl_engine.h

@@ -6,14 +6,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(OSSL_ENGINE_H)
 #define OSSL_ENGINE_H
 
-extern VALUE cEngine;
-extern VALUE eEngineError;
-
 void Init_ossl_engine(void);
 
 #endif /* OSSL_ENGINE_H */

data/ext/openssl/ossl_hmac.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -21,8 +21,8 @@
 /*
  * Classes
  */
-VALUE cHMAC;
-VALUE eHMACError;
+static VALUE cHMAC;
+static VALUE eHMACError;
 
 /*
  * Public

data/ext/openssl/ossl_hmac.h

@@ -5,14 +5,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_HMAC_H_)
 #define _OSSL_HMAC_H_
 
-extern VALUE cHMAC;
-extern VALUE eHMACError;
-
 void Init_ossl_hmac(void);
 
 #endif /* _OSSL_HMAC_H_ */

data/ext/openssl/ossl_kdf.c

@@ -18,7 +18,7 @@ static VALUE mKDF, eKDF;
  * of _length_ bytes.
  *
  * For more information about PBKDF2, see RFC 2898 Section 5.2
- * (https://tools.ietf.org/html/rfc2898#section-5.2).
+ * (https://www.rfc-editor.org/rfc/rfc2898#section-5.2).
  *
  * === Parameters
  * pass       :: The password.
@@ -81,10 +81,10 @@ kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
  * bcrypt.
  *
  * The keyword arguments _N_, _r_ and _p_ can be used to tune scrypt. RFC 7914
- * (published on 2016-08, https://tools.ietf.org/html/rfc7914#section-2) states
+ * (published on 2016-08, https://www.rfc-editor.org/rfc/rfc7914#section-2) states
  * that using values r=8 and p=1 appears to yield good results.
  *
- * See RFC 7914 (https://tools.ietf.org/html/rfc7914) for more information.
+ * See RFC 7914 (https://www.rfc-editor.org/rfc/rfc7914) for more information.
  *
  * === Parameters
  * pass   :: Passphrase.
@@ -147,7 +147,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
  *    KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
  *
  * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as specified in
- * {RFC 5869}[https://tools.ietf.org/html/rfc5869].
+ * {RFC 5869}[https://www.rfc-editor.org/rfc/rfc5869].
  *
  * New in OpenSSL 1.1.0.
  *
@@ -165,7 +165,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
  *   The hash function.
  *
  * === Example
- *   # The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1
+ *   # The values from https://www.rfc-editor.org/rfc/rfc5869#appendix-A.1
  *   ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
  *   salt = ["000102030405060708090a0b0c"].pack("H*")
  *   info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")

data/ext/openssl/ossl_ns_spki.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -27,9 +27,9 @@
 /*
  * Classes
  */
-VALUE mNetscape;
-VALUE cSPKI;
-VALUE eSPKIError;
+static VALUE mNetscape;
+static VALUE cSPKI;
+static VALUE eSPKIError;
 
 /*
  * Public functions
@@ -115,11 +115,11 @@ ossl_spki_to_der(VALUE self)
 
     GetSPKI(self, spki);
     if ((len = i2d_NETSCAPE_SPKI(spki, NULL)) <= 0)
-        ossl_raise(eX509CertError, NULL);
+        ossl_raise(eSPKIError, "i2d_NETSCAPE_SPKI");
     str = rb_str_new(0, len);
     p = (unsigned char *)RSTRING_PTR(str);
     if (i2d_NETSCAPE_SPKI(spki, &p) <= 0)
-        ossl_raise(eX509CertError, NULL);
+        ossl_raise(eSPKIError, "i2d_NETSCAPE_SPKI");
     ossl_str_adjust(str, p);
 
     return str;
@@ -230,12 +230,13 @@ ossl_spki_get_challenge(VALUE self)
     NETSCAPE_SPKI *spki;
 
     GetSPKI(self, spki);
-    if (ASN1_STRING_length(spki->spkac->challenge) <= 0) {
-        OSSL_Debug("Challenge.length <= 0?");
-        return rb_str_new(0, 0);
+    if (spki->spkac->challenge->length <= 0) {
+	OSSL_Debug("Challenge.length <= 0?");
+	return rb_str_new(0, 0);
     }
 
-    return asn1str_to_str(spki->spkac->challenge);
+    return rb_str_new((const char *)spki->spkac->challenge->data,
+		      spki->spkac->challenge->length);
 }
 
 /*
@@ -364,8 +365,8 @@ ossl_spki_verify(VALUE self, VALUE key)
  *
  * OpenSSL::Netscape is a namespace for SPKI (Simple Public Key
  * Infrastructure) which implements Signed Public Key and Challenge.
- * See {RFC 2692}[http://tools.ietf.org/html/rfc2692] and {RFC
- * 2693}[http://tools.ietf.org/html/rfc2692] for details.
+ * See {RFC 2692}[https://www.rfc-editor.org/rfc/rfc2692] and {RFC
+ * 2693}[https://www.rfc-editor.org/rfc/rfc2692] for details.
  */
 
 /* Document-class: OpenSSL::Netscape::SPKIError

data/ext/openssl/ossl_ns_spki.h

@@ -5,15 +5,11 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #if !defined(_OSSL_NS_SPKI_H_)
 #define _OSSL_NS_SPKI_H_
 
-extern VALUE mNetscape;
-extern VALUE cSPKI;
-extern VALUE eSPKIError;
-
 void Init_ossl_ns_spki(void);
 
 #endif /* _OSSL_NS_SPKI_H_ */

data/ext/openssl/ossl_ocsp.c

@@ -6,7 +6,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -67,13 +67,13 @@
     if(!(cid)) ossl_raise(rb_eRuntimeError, "Cert ID wasn't initialized!"); \
 } while (0)
 
-VALUE mOCSP;
-VALUE eOCSPError;
-VALUE cOCSPReq;
-VALUE cOCSPRes;
-VALUE cOCSPBasicRes;
-VALUE cOCSPSingleRes;
-VALUE cOCSPCertId;
+static VALUE mOCSP;
+static VALUE eOCSPError;
+static VALUE cOCSPReq;
+static VALUE cOCSPRes;
+static VALUE cOCSPBasicRes;
+static VALUE cOCSPSingleRes;
+static VALUE cOCSPCertId;
 
 static void
 ossl_ocsp_request_free(void *ptr)
@@ -900,6 +900,7 @@ ossl_ocspbres_get_status(VALUE self)
     OCSP_CERTID *cid;
     ASN1_TIME *revtime, *thisupd, *nextupd;
     int status, reason;
+    X509_EXTENSION *x509ext;
     VALUE ret, ary, ext;
     int count, ext_count, i, j;
 
@@ -926,7 +927,7 @@ ossl_ocspbres_get_status(VALUE self)
 	ext = rb_ary_new();
 	ext_count = OCSP_SINGLERESP_get_ext_count(single);
 	for(j = 0; j < ext_count; j++){
-	    const X509_EXTENSION *x509ext = OCSP_SINGLERESP_get_ext(single, j);
+	    x509ext = OCSP_SINGLERESP_get_ext(single, j);
 	    rb_ary_push(ext, ossl_x509ext_new(x509ext));
 	}
 	rb_ary_push(ary, ext);
@@ -1357,6 +1358,7 @@ static VALUE
 ossl_ocspsres_get_extensions(VALUE self)
 {
     OCSP_SINGLERESP *sres;
+    X509_EXTENSION *ext;
     int count, i;
     VALUE ary;
 
@@ -1365,7 +1367,7 @@ ossl_ocspsres_get_extensions(VALUE self)
     count = OCSP_SINGLERESP_get_ext_count(sres);
     ary = rb_ary_new2(count);
     for (i = 0; i < count; i++) {
-	const X509_EXTENSION *ext = OCSP_SINGLERESP_get_ext(sres, i);
+	ext = OCSP_SINGLERESP_get_ext(sres, i);
 	rb_ary_push(ary, ossl_x509ext_new(ext)); /* will dup */
     }
 
@@ -1563,9 +1565,8 @@ ossl_ocspcid_get_issuer_name_hash(VALUE self)
     GetOCSPCertId(self, id);
     OCSP_id_get0_info(&name_hash, NULL, NULL, NULL, id);
 
-    ret = rb_str_new(NULL, ASN1_STRING_length(name_hash) * 2);
-    ossl_bin2hex(ASN1_STRING_get0_data(name_hash), RSTRING_PTR(ret),
-                 ASN1_STRING_length(name_hash));
+    ret = rb_str_new(NULL, name_hash->length * 2);
+    ossl_bin2hex(name_hash->data, RSTRING_PTR(ret), name_hash->length);
 
     return ret;
 }
@@ -1587,9 +1588,8 @@ ossl_ocspcid_get_issuer_key_hash(VALUE self)
     GetOCSPCertId(self, id);
     OCSP_id_get0_info(NULL, NULL, &key_hash, NULL, id);
 
-    ret = rb_str_new(NULL, ASN1_STRING_length(key_hash) * 2);
-    ossl_bin2hex(ASN1_STRING_get0_data(key_hash), RSTRING_PTR(ret),
-                 ASN1_STRING_length(key_hash));
+    ret = rb_str_new(NULL, key_hash->length * 2);
+    ossl_bin2hex(key_hash->data, RSTRING_PTR(ret), key_hash->length);
 
     return ret;
 }