rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/openssl_missing.h

@@ -10,187 +10,256 @@
 #if !defined(_OSSL_OPENSSL_MISSING_H_)
 #define _OSSL_OPENSSL_MISSING_H_
 
-#if defined(__cplusplus)
-extern "C" {
+#include "ruby/config.h"
+
+/* added in 0.9.8X */
+#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
+EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void);
+#  define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new
 #endif
 
-#ifndef TYPEDEF_D2I_OF
-typedef char *d2i_of_void();
+#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
+void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *);
+#  define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free
 #endif
-#ifndef TYPEDEF_I2D_OF
-typedef int i2d_of_void();
+
+#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS)
+#  define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op))
 #endif
 
-/*
- * These functions are not included in headers of OPENSSL <= 0.9.6b
- */
+/* added in 1.0.0 */
+#if !defined(HAVE_EVP_PKEY_BASE_ID)
+#  define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type)
+#endif
 
-#if !defined(PEM_read_bio_DSAPublicKey)
-# define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
-        (d2i_of_void *)d2i_DSAPublicKey,PEM_STRING_DSA_PUBLIC,(bp),(void **)(x),(cb),(u))
+#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
+int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *);
+#  define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy
 #endif
 
-#if !defined(PEM_write_bio_DSAPublicKey)
-# define PEM_write_bio_DSAPublicKey(bp,x) \
-	PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPublicKey,\
-		PEM_STRING_DSA_PUBLIC,\
-		(bp),(char *)(x), NULL, NULL, 0, NULL, NULL)
+#if !defined(HAVE_HMAC_CTX_COPY)
+int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
+#  define HMAC_CTX_copy ossl_HMAC_CTX_copy
 #endif
 
-#if !defined(DSAPrivateKey_dup)
-# define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, \
-	(d2i_of_void *)d2i_DSAPrivateKey,(char *)(dsa))
+#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
+#  define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
 #endif
 
-#if !defined(DSAPublicKey_dup)
-# define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPublicKey, \
-	(d2i_of_void *)d2i_DSAPublicKey,(char *)(dsa))
+#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
+#  define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
 #endif
 
-#if !defined(X509_REVOKED_dup)
-# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
-	(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
+#if !defined(HAVE_I2D_ASN1_SET_ANY)
+#  define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \
+		i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0)
 #endif
 
-#if !defined(PKCS7_SIGNER_INFO_dup)
-#  define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_SIGNER_INFO, \
-	(d2i_of_void *)d2i_PKCS7_SIGNER_INFO, (char *)(si))
+#if !defined(HAVE_EVP_PKEY_GET0)
+#  define EVP_PKEY_get0(pk) (pk->pkey.ptr)
 #endif
 
-#if !defined(PKCS7_RECIP_INFO_dup)
-#  define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_RECIP_INFO, \
-	(d2i_of_void *)d2i_PKCS7_RECIP_INFO, (char *)(ri))
+/* added in 1.0.2 */
+#if !defined(OPENSSL_NO_EC)
+#if !defined(HAVE_EC_CURVE_NIST2NID)
+int ossl_EC_curve_nist2nid(const char *);
+#  define EC_curve_nist2nid ossl_EC_curve_nist2nid
+#endif
 #endif
 
-#if !defined(HAVE_HMAC_CTX_INIT)
-void HMAC_CTX_init(HMAC_CTX *ctx);
+#if !defined(HAVE_X509_REVOKED_DUP)
+# define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
+	(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
 #endif
 
-#if !defined(HAVE_HMAC_CTX_COPY)
-void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
+#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
+#  define X509_STORE_CTX_get0_store(x) ((x)->ctx)
 #endif
 
-#if !defined(HAVE_HMAC_CTX_CLEANUP)
-void HMAC_CTX_cleanup(HMAC_CTX *ctx);
+#if !defined(HAVE_SSL_IS_SERVER)
+#  define SSL_is_server(s) ((s)->server)
 #endif
 
-#if !defined(HAVE_EVP_MD_CTX_CREATE)
-EVP_MD_CTX *EVP_MD_CTX_create(void);
+/* added in 1.1.0 */
+#if !defined(HAVE_BN_GENCB_NEW)
+#  define BN_GENCB_new() ((BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB)))
 #endif
 
-#if !defined(HAVE_EVP_MD_CTX_INIT)
-void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
+#if !defined(HAVE_BN_GENCB_FREE)
+#  define BN_GENCB_free(cb) OPENSSL_free(cb)
 #endif
 
-#if !defined(HAVE_EVP_MD_CTX_CLEANUP)
-int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
+#if !defined(HAVE_BN_GENCB_GET_ARG)
+#  define BN_GENCB_get_arg(cb) (cb)->arg
 #endif
 
-#if !defined(HAVE_EVP_MD_CTX_DESTROY)
-void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
+#if !defined(HAVE_EVP_MD_CTX_NEW)
+#  define EVP_MD_CTX_new EVP_MD_CTX_create
 #endif
 
-#if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, EVP_CIPHER_CTX *in);
+#if !defined(HAVE_EVP_MD_CTX_FREE)
+#  define EVP_MD_CTX_free EVP_MD_CTX_destroy
 #endif
 
-#if !defined(HAVE_EVP_DIGESTINIT_EX)
-#  define EVP_DigestInit_ex(ctx, md, engine) EVP_DigestInit((ctx), (md))
+#if !defined(HAVE_HMAC_CTX_NEW)
+HMAC_CTX *ossl_HMAC_CTX_new(void);
+#  define HMAC_CTX_new ossl_HMAC_CTX_new
 #endif
-#if !defined(HAVE_EVP_DIGESTFINAL_EX)
-#  define EVP_DigestFinal_ex(ctx, buf, len) EVP_DigestFinal((ctx), (buf), (len))
+
+#if !defined(HAVE_HMAC_CTX_FREE)
+void ossl_HMAC_CTX_free(HMAC_CTX *);
+#  define HMAC_CTX_free ossl_HMAC_CTX_free
 #endif
 
-#if !defined(HAVE_EVP_CIPHERINIT_EX)
-#  define EVP_CipherInit_ex(ctx, type, impl, key, iv, enc) EVP_CipherInit((ctx), (type), (key), (iv), (enc))
+#if !defined(HAVE_X509_STORE_GET_EX_DATA)
+#  define X509_STORE_get_ex_data(x, idx) \
+	CRYPTO_get_ex_data(&(x)->ex_data, (idx))
 #endif
-#if !defined(HAVE_EVP_CIPHERFINAL_EX)
-#  define EVP_CipherFinal_ex(ctx, outm, outl) EVP_CipherFinal((ctx), (outm), (outl))
+
+#if !defined(HAVE_X509_STORE_SET_EX_DATA)
+#  define X509_STORE_set_ex_data(x, idx, data) \
+	CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
+#  define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
+	CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
+				(newf), (dupf), (freef))
 #endif
 
-#if !defined(EVP_CIPHER_name)
-#  define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e))
+#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
+void ossl_X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
+#  define X509_CRL_get0_signature ossl_X509_CRL_get0_signature
 #endif
 
-#if !defined(EVP_MD_name)
-#  define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_type(e))
+#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
+void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
+#  define X509_REQ_get0_signature ossl_X509_REQ_get0_signature
 #endif
 
-#if !defined(HAVE_EVP_HMAC_INIT_EX)
-#  define HMAC_Init_ex(ctx, key, len, digest, engine) HMAC_Init((ctx), (key), (len), (digest))
+#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
+#  define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
 #endif
 
-#if !defined(PKCS7_is_detached)
-#  define PKCS7_is_detached(p7) (PKCS7_type_is_signed(p7) && PKCS7_get_detached(p7))
+#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
+#  define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate)
 #endif
 
-#if !defined(PKCS7_type_is_encrypted)
-#  define PKCS7_type_is_encrypted(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted)
+#if !defined(HAVE_X509_GET0_TBS_SIGALG)
+#  define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature)
 #endif
 
-#if !defined(HAVE_OPENSSL_CLEANSE)
-#define OPENSSL_cleanse(p, l) memset((p), 0, (l))
+#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED)
+#  define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted)
 #endif
 
-#if !defined(HAVE_X509_STORE_GET_EX_DATA)
-void *X509_STORE_get_ex_data(X509_STORE *str, int idx);
+#if !defined(HAVE_X509_STORE_CTX_GET0_CERT)
+#  define X509_STORE_CTX_get0_cert(x) ((x)->cert)
 #endif
 
-#if !defined(HAVE_X509_STORE_SET_EX_DATA)
-int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data);
+#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN)
+#  define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx)
 #endif
 
-#if !defined(HAVE_X509_CRL_SET_VERSION)
-int X509_CRL_set_version(X509_CRL *x, long version);
+#if !defined(HAVE_OCSP_SINGLERESP_GET0_ID)
+#  define OCSP_SINGLERESP_get0_id(s) ((s)->certId)
 #endif
 
-#if !defined(HAVE_X509_CRL_SET_ISSUER_NAME)
-int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+#if !defined(HAVE_SSL_CTX_GET_CIPHERS)
+#  define SSL_CTX_get_ciphers(ctx) ((ctx)->cipher_list)
 #endif
 
-#if !defined(HAVE_X509_CRL_SORT)
-int X509_CRL_sort(X509_CRL *c);
+#if !defined(HAVE_X509_UP_REF)
+#  define X509_up_ref(x) \
+	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509)
 #endif
 
-#if !defined(HAVE_X509_CRL_ADD0_REVOKED)
-int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+#if !defined(HAVE_X509_CRL_UP_REF)
+#  define X509_CRL_up_ref(x) \
+	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_CRL);
 #endif
 
-#if !defined(HAVE_BN_MOD_SQR)
-int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+#if !defined(HAVE_X509_STORE_UP_REF)
+#  define X509_STORE_up_ref(x) \
+	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509_STORE);
 #endif
 
-#if !defined(HAVE_BN_MOD_ADD)
-int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+#if !defined(HAVE_SSL_SESSION_UP_REF)
+#  define SSL_SESSION_up_ref(x) \
+	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_SSL_SESSION);
 #endif
 
-#if !defined(HAVE_BN_MOD_SUB)
-int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+#if !defined(HAVE_EVP_PKEY_UP_REF)
+#  define EVP_PKEY_up_ref(x) \
+	CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #endif
 
-#if !defined(HAVE_BN_RAND_RANGE)
-int BN_rand_range(BIGNUM *r, BIGNUM *range);
+#if !defined(HAVE_OPAQUE_OPENSSL)
+#define IMPL_PKEY_GETTER(_type, _name) \
+static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
+	return pkey->pkey._name; }
+#define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \
+static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
+	if (a1) *a1 = obj->a1; \
+	if (a2) *a2 = obj->a2; } \
+static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
+	if (_fail_cond) return 0; \
+	BN_clear_free(obj->a1); obj->a1 = a1; \
+	BN_clear_free(obj->a2); obj->a2 = a2; \
+	return 1; }
+#define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \
+static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
+	if (a1) *a1 = obj->a1; \
+	if (a2) *a2 = obj->a2; \
+	if (a3) *a3 = obj->a3; } \
+static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2, BIGNUM *a3) { \
+	if (_fail_cond) return 0; \
+	BN_clear_free(obj->a1); obj->a1 = a1; \
+	BN_clear_free(obj->a2); obj->a2 = a2; \
+	BN_clear_free(obj->a3); obj->a3 = a3; \
+	return 1; }
+
+#if !defined(OPENSSL_NO_RSA)
+IMPL_PKEY_GETTER(RSA, rsa)
+IMPL_KEY_ACCESSOR3(RSA, key, n, e, d, (n == obj->n || e == obj->e || (obj->d && d == obj->d)))
+IMPL_KEY_ACCESSOR2(RSA, factors, p, q, (p == obj->p || q == obj->q))
+IMPL_KEY_ACCESSOR3(RSA, crt_params, dmp1, dmq1, iqmp, (dmp1 == obj->dmp1 || dmq1 == obj->dmq1 || iqmp == obj->iqmp))
 #endif
 
-#if !defined(HAVE_BN_PSEUDO_RAND_RANGE)
-int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range);
+#if !defined(OPENSSL_NO_DSA)
+IMPL_PKEY_GETTER(DSA, dsa)
+IMPL_KEY_ACCESSOR2(DSA, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
+IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g))
 #endif
 
-#if !defined(HAVE_CONF_GET1_DEFAULT_CONFIG_FILE)
-char *CONF_get1_default_config_file(void);
+#if !defined(OPENSSL_NO_DH)
+IMPL_PKEY_GETTER(DH, dh)
+IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
+IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || obj->q && q == obj->q || g == obj->g))
+static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; }
 #endif
 
-#if !defined(HAVE_PEM_DEF_CALLBACK)
-int PEM_def_callback(char *buf, int num, int w, void *key);
+#if !defined(OPENSSL_NO_EC)
+IMPL_PKEY_GETTER(EC_KEY, ec)
 #endif
 
-#if !defined(HAVE_ASN1_PUT_EOC)
-int ASN1_put_eoc(unsigned char **pp);
+#undef IMPL_PKEY_GETTER
+#undef IMPL_KEY_ACCESSOR2
+#undef IMPL_KEY_ACCESSOR3
+#endif /* HAVE_OPAQUE_OPENSSL */
+
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
+#  define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#  define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#  define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
 #endif
 
-#if defined(__cplusplus)
-}
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#  define X509_get0_notBefore(x) X509_get_notBefore(x)
+#  define X509_get0_notAfter(x) X509_get_notAfter(x)
+#  define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
+#  define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
 #endif
 
+#if !defined(HAVE_SSL_SESSION_GET_PROTOCOL_VERSION)
+#  define SSL_SESSION_get_protocol_version(s) ((s)->ssl_version)
+#endif
 
 #endif /* _OSSL_OPENSSL_MISSING_H_ */

data/ext/rubysl/openssl/ossl.c

@@ -9,40 +9,7 @@
  */
 #include "ossl.h"
 #include <stdarg.h> /* for ossl_raise */
-
-/*
- * String to HEXString conversion
- */
-int
-string2hex(const unsigned char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
-{
-    static const char hex[]="0123456789abcdef";
-    int i, len;
-
-    if (buf_len < 0 || buf_len > INT_MAX / 2) { /* PARANOIA? */
-	return -1;
-    }
-    len = 2 * buf_len;
-    if (!hexbuf) { /* if no buf, return calculated len */
-	if (hexbuf_len) {
-	    *hexbuf_len = len;
-	}
-	return len;
-    }
-    if (!(*hexbuf = OPENSSL_malloc(len + 1))) {
-	return -1;
-    }
-    for (i = 0; i < buf_len; i++) {
-	(*hexbuf)[2 * i] = hex[((unsigned char)buf[i]) >> 4];
-	(*hexbuf)[2 * i + 1] = hex[buf[i] & 0x0f];
-    }
-    (*hexbuf)[2 * i] = '\0';
-
-    if (hexbuf_len) {
-	*hexbuf_len = len;
-    }
-    return len;
-}
+#include <ruby/thread_native.h> /* for OpenSSL < 1.1.0 locks */
 
 /*
  * Data Conversion
@@ -77,7 +44,7 @@ STACK_OF(type) *						\
 ossl_protect_##name##_ary2sk(VALUE ary, int *status)		\
 {								\
     return (STACK_OF(type)*)rb_protect(				\
-	    (VALUE(*)_((VALUE)))ossl_##name##_ary2sk0,		\
+	    (VALUE (*)(VALUE))ossl_##name##_ary2sk0,		\
 	    ary,						\
 	    status);						\
 }								\
@@ -97,7 +64,7 @@ OSSL_IMPL_ARY2SK(x509, X509, cX509Cert, DupX509CertPtr)
 
 #define OSSL_IMPL_SK2ARY(name, type)	        \
 VALUE						\
-ossl_##name##_sk2ary(STACK_OF(type) *sk)	\
+ossl_##name##_sk2ary(const STACK_OF(type) *sk)	\
 {						\
     type *t;					\
     int i, num;					\
@@ -136,7 +103,7 @@ ossl_buf2str(char *buf, int len)
     VALUE str;
     int status = 0;
 
-    str = rb_protect((VALUE(*)_((VALUE)))ossl_str_new, len, &status);
+    str = rb_protect((VALUE (*)(VALUE))ossl_str_new, len, &status);
     if(!NIL_P(str)) memcpy(RSTRING_PTR(str), buf, len);
     OPENSSL_free(buf);
     if(status) rb_jump_tag(status);
@@ -144,28 +111,75 @@ ossl_buf2str(char *buf, int len)
     return str;
 }
 
+void
+ossl_bin2hex(unsigned char *in, char *out, size_t inlen)
+{
+    const char *hex = "0123456789abcdef";
+    size_t i;
+
+    assert(inlen <= LONG_MAX / 2);
+    for (i = 0; i < inlen; i++) {
+	unsigned char p = in[i];
+
+	out[i * 2 + 0] = hex[p >> 4];
+	out[i * 2 + 1] = hex[p & 0x0f];
+    }
+}
+
 /*
  * our default PEM callback
  */
-static VALUE
-ossl_pem_passwd_cb0(VALUE flag)
+VALUE
+ossl_pem_passwd_value(VALUE pass)
 {
-    VALUE pass;
+    if (NIL_P(pass))
+	return Qnil;
+
+    StringValue(pass);
 
-    pass = rb_yield(flag);
-    SafeStringValue(pass);
+    /* PEM_BUFSIZE is currently used as the second argument of pem_password_cb,
+     * that is +max_len+ of ossl_pem_passwd_cb() */
+    if (RSTRING_LEN(pass) > PEM_BUFSIZE)
+	ossl_raise(eOSSLError, "password must not be longer than %d bytes", PEM_BUFSIZE);
 
     return pass;
 }
 
+static VALUE
+ossl_pem_passwd_cb0(VALUE flag)
+{
+    VALUE pass = rb_yield(flag);
+    if (NIL_P(pass))
+	return Qnil;
+    StringValue(pass);
+    return pass;
+}
+
 int
-ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd)
+ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd_)
 {
-    int len, status = 0;
-    VALUE rflag, pass;
+    long len;
+    int status;
+    VALUE rflag, pass = (VALUE)pwd_;
+
+    if (RTEST(pass)) {
+	/* PEM_def_callback(buf, max_len, flag, StringValueCStr(pass)) does not
+	 * work because it does not allow NUL characters and truncates to 1024
+	 * bytes silently if the input is over 1024 bytes */
+	if (RB_TYPE_P(pass, T_STRING)) {
+	    len = RSTRING_LEN(pass);
+	    if (len <= max_len) {
+		memcpy(buf, RSTRING_PTR(pass), len);
+		return (int)len;
+	    }
+	}
+	OSSL_Debug("passed data is not valid String???");
+	return -1;
+    }
 
-    if (pwd || !rb_block_given_p())
-	return PEM_def_callback(buf, max_len, flag, pwd);
+    if (!rb_block_given_p()) {
+	return PEM_def_callback(buf, max_len, flag, NULL);
+    }
 
     while (1) {
 	/*
@@ -180,77 +194,17 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd)
 	    rb_set_errinfo(Qnil);
 	    return -1;
 	}
-	len = RSTRING_LENINT(pass);
-	if (len < 4) { /* 4 is OpenSSL hardcoded limit */
-	    rb_warning("password must be longer than 4 bytes");
-	    continue;
-	}
+	if (NIL_P(pass))
+	    return -1;
+	len = RSTRING_LEN(pass);
 	if (len > max_len) {
-	    rb_warning("password must be shorter then %d bytes", max_len-1);
+	    rb_warning("password must not be longer than %d bytes", max_len);
 	    continue;
 	}
 	memcpy(buf, RSTRING_PTR(pass), len);
 	break;
     }
-    return len;
-}
-
-/*
- * Verify callback
- */
-int ossl_verify_cb_idx;
-
-VALUE
-ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args)
-{
-    return rb_funcall(args->proc, rb_intern("call"), 2,
-                      args->preverify_ok, args->store_ctx);
-}
-
-int
-ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
-{
-    VALUE proc, rctx, ret;
-    struct ossl_verify_cb_args args;
-    int state = 0;
-
-    proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_verify_cb_idx);
-    if ((void*)proc == 0)
-	proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_verify_cb_idx);
-    if ((void*)proc == 0)
-	return ok;
-    if (!NIL_P(proc)) {
-	ret = Qfalse;
-	rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new,
-			  (VALUE)ctx, &state);
-	if (state) {
-	    rb_set_errinfo(Qnil);
-	    rb_warn("StoreContext initialization failure");
-	}
-	else {
-	    args.proc = proc;
-	    args.preverify_ok = ok ? Qtrue : Qfalse;
-	    args.store_ctx = rctx;
-	    ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
-	    if (state) {
-		rb_set_errinfo(Qnil);
-		rb_warn("exception in verify_callback is ignored");
-	    }
-	    ossl_x509stctx_clear_ptr(rctx);
-	}
-	if (ret == Qtrue) {
-	    X509_STORE_CTX_set_error(ctx, X509_V_OK);
-	    ok = 1;
-	}
-	else{
-	    if (X509_STORE_CTX_get_error(ctx) == X509_V_OK) {
-		X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
-	    }
-	    ok = 0;
-	}
-    }
-
-    return ok;
+    return (int)len;
 }
 
 /*
@@ -297,11 +251,7 @@ ossl_make_error(VALUE exc, const char *fmt, va_list args)
     const char *msg;
     long e;
 
-#ifdef HAVE_ERR_PEEK_LAST_ERROR
     e = ERR_peek_last_error();
-#else
-    e = ERR_peek_error();
-#endif
     if (fmt) {
 	str = rb_vsprintf(fmt, args);
     }
@@ -318,12 +268,7 @@ ossl_make_error(VALUE exc, const char *fmt, va_list args)
 	    rb_str_cat2(str, msg ? msg : "(null)");
 	}
     }
-    if (dOSSL == Qtrue){ /* show all errors on the stack */
-	while ((e = ERR_get_error()) != 0){
-	    rb_warn("error on stack: %s", ERR_error_string(e, NULL));
-	}
-    }
-    ERR_clear_error();
+    ossl_clear_error();
 
     if (NIL_P(str)) str = rb_str_new(0, 0);
     return rb_exc_new3(exc, str);
@@ -340,15 +285,32 @@ ossl_raise(VALUE exc, const char *fmt, ...)
     rb_exc_raise(err);
 }
 
-VALUE
-ossl_exc_new(VALUE exc, const char *fmt, ...)
+void
+ossl_clear_error(void)
 {
-    va_list args;
-    VALUE err;
-    va_start(args, fmt);
-    err = ossl_make_error(exc, fmt, args);
-    va_end(args);
-    return err;
+    if (dOSSL == Qtrue) {
+	unsigned long e;
+	const char *file, *data, *errstr;
+	int line, flags;
+
+	while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
+	    errstr = ERR_error_string(e, NULL);
+	    if (!errstr)
+		errstr = "(null)";
+
+	    if (flags & ERR_TXT_STRING) {
+		if (!data)
+		    data = "(null)";
+		rb_warn("error on stack: %s (%s)", errstr, data);
+	    }
+	    else {
+		rb_warn("error on stack: %s", errstr);
+	    }
+	}
+    }
+    else {
+	ERR_clear_error();
+    }
 }
 
 /*
@@ -408,24 +370,14 @@ ossl_debug_get(VALUE self)
  * call-seq:
  *   OpenSSL.debug = boolean -> boolean
  *
- * Turns on or off CRYPTO_MEM_CHECK.
- * Also shows some debugging message on stderr.
+ * Turns on or off debug mode. With debug mode, all erros added to the OpenSSL
+ * error queue will be printed to stderr.
  */
 static VALUE
 ossl_debug_set(VALUE self, VALUE val)
 {
-    VALUE old = dOSSL;
-    dOSSL = val;
-
-    if (old != dOSSL) {
-	if (dOSSL == Qtrue) {
-	    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-	    fprintf(stderr, "OSSL_DEBUG: IS NOW ON!\n");
-	} else if (old == Qtrue) {
-	    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
-	    fprintf(stderr, "OSSL_DEBUG: IS NOW OFF!\n");
-	}
-    }
+    dOSSL = RTEST(val) ? Qtrue : Qfalse;
+
     return val;
 }
 
@@ -438,15 +390,14 @@ ossl_debug_set(VALUE self, VALUE val)
  * so otherwise will result in an error.
  *
  * === Examples
- *
- * OpenSSL.fips_mode = true   # turn FIPS mode on
- * OpenSSL.fips_mode = false  # and off again
+ *   OpenSSL.fips_mode = true   # turn FIPS mode on
+ *   OpenSSL.fips_mode = false  # and off again
  */
 static VALUE
 ossl_fips_mode_set(VALUE self, VALUE enabled)
 {
 
-#ifdef HAVE_OPENSSL_FIPS
+#ifdef OPENSSL_FIPS
     if (RTEST(enabled)) {
 	int mode = FIPS_mode();
 	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -463,44 +414,123 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
 #endif
 }
 
+#if defined(OSSL_DEBUG)
+#if !defined(LIBRESSL_VERSION_NUMBER) && \
+    (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
+     defined(CRYPTO_malloc_debug_init))
+/*
+ * call-seq:
+ *   OpenSSL.mem_check_start -> nil
+ *
+ * Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory
+ * allocations. See also OpenSSL.print_mem_leaks.
+ *
+ * This is available only when built with a capable OpenSSL and --enable-debug
+ * configure option.
+ */
+static VALUE
+mem_check_start(VALUE self)
+{
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+	return Qnil;
+}
+
+/*
+ * call-seq:
+ *   OpenSSL.print_mem_leaks -> true | false
+ *
+ * For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr).
+ * Prints detected memory leaks to standard error. This cleans the global state
+ * up thus you cannot use any methods of the library after calling this.
+ *
+ * Returns true if leaks detected, false otherwise.
+ *
+ * This is available only when built with a capable OpenSSL and --enable-debug
+ * configure option.
+ *
+ * === Example
+ *   OpenSSL.mem_check_start
+ *   NOT_GCED = OpenSSL::PKey::RSA.new(256)
+ *
+ *   END {
+ *     GC.start
+ *     OpenSSL.print_mem_leaks # will print the leakage
+ *   }
+ */
+static VALUE
+print_mem_leaks(VALUE self)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    int ret;
+#endif
+
+    BN_CTX_free(ossl_bn_ctx);
+    ossl_bn_ctx = NULL;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    ret = CRYPTO_mem_leaks_fp(stderr);
+    if (ret < 0)
+	ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp");
+    return ret ? Qfalse : Qtrue;
+#else
+    CRYPTO_mem_leaks_fp(stderr);
+    return Qnil;
+#endif
+}
+#endif
+#endif
+
+#if !defined(HAVE_OPENSSL_110_THREADING_API)
 /**
  * Stores locks needed for OpenSSL thread safety
  */
-#include "ruby/thread_native.h"
-static rb_nativethread_lock_t *ossl_locks;
+struct CRYPTO_dynlock_value {
+    rb_nativethread_lock_t lock;
+    rb_nativethread_id_t owner;
+    size_t count;
+};
 
 static void
-ossl_lock_unlock(int mode, rb_nativethread_lock_t *lock)
+ossl_lock_init(struct CRYPTO_dynlock_value *l)
 {
-    if (mode & CRYPTO_LOCK) {
-	rb_nativethread_lock_lock(lock);
-    } else {
-	rb_nativethread_lock_unlock(lock);
-    }
+    rb_nativethread_lock_initialize(&l->lock);
+    l->count = 0;
 }
 
 static void
-ossl_lock_callback(int mode, int type, const char *file, int line)
+ossl_lock_unlock(int mode, struct CRYPTO_dynlock_value *l)
 {
-    ossl_lock_unlock(mode, &ossl_locks[type]);
+    if (mode & CRYPTO_LOCK) {
+	/* TODO: rb_nativethread_id_t is not necessarily compared with ==. */
+	rb_nativethread_id_t tid = rb_nativethread_self();
+	if (l->count && l->owner == tid) {
+	    l->count++;
+	    return;
+	}
+	rb_nativethread_lock_lock(&l->lock);
+	l->owner = tid;
+	l->count = 1;
+    } else {
+	if (!--l->count)
+	    rb_nativethread_lock_unlock(&l->lock);
+    }
 }
 
-struct CRYPTO_dynlock_value {
-    rb_nativethread_lock_t lock;
-};
-
 static struct CRYPTO_dynlock_value *
 ossl_dyn_create_callback(const char *file, int line)
 {
-    struct CRYPTO_dynlock_value *dynlock = (struct CRYPTO_dynlock_value *)OPENSSL_malloc((int)sizeof(struct CRYPTO_dynlock_value));
-    rb_nativethread_lock_initialize(&dynlock->lock);
+    /* Do not use xmalloc() here, since it may raise NoMemoryError */
+    struct CRYPTO_dynlock_value *dynlock =
+	OPENSSL_malloc(sizeof(struct CRYPTO_dynlock_value));
+    if (dynlock)
+	ossl_lock_init(dynlock);
     return dynlock;
 }
 
 static void
 ossl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
 {
-    ossl_lock_unlock(mode, &l->lock);
+    ossl_lock_unlock(mode, l);
 }
 
 static void
@@ -524,21 +554,22 @@ static unsigned long ossl_thread_id(void)
 }
 #endif
 
+static struct CRYPTO_dynlock_value *ossl_locks;
+
+static void
+ossl_lock_callback(int mode, int type, const char *file, int line)
+{
+    ossl_lock_unlock(mode, &ossl_locks[type]);
+}
+
 static void Init_ossl_locks(void)
 {
     int i;
     int num_locks = CRYPTO_num_locks();
 
-    if ((unsigned)num_locks >= INT_MAX / (int)sizeof(VALUE)) {
-	rb_raise(rb_eRuntimeError, "CRYPTO_num_locks() is too big: %d", num_locks);
-    }
-    ossl_locks = (rb_nativethread_lock_t *) OPENSSL_malloc(num_locks * (int)sizeof(rb_nativethread_lock_t));
-    if (!ossl_locks) {
-	rb_raise(rb_eNoMemError, "CRYPTO_num_locks() is too big: %d", num_locks);
-    }
-    for (i = 0; i < num_locks; i++) {
-	rb_nativethread_lock_initialize(&ossl_locks[i]);
-    }
+    ossl_locks = ALLOC_N(struct CRYPTO_dynlock_value, num_locks);
+    for (i = 0; i < num_locks; i++)
+	ossl_lock_init(&ossl_locks[i]);
 
 #ifdef HAVE_CRYPTO_THREADID_PTR
     CRYPTO_THREADID_set_callback(ossl_threadid_func);
@@ -550,25 +581,12 @@ static void Init_ossl_locks(void)
     CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback);
     CRYPTO_set_dynlock_destroy_callback(ossl_dyn_destroy_callback);
 }
+#endif /* !HAVE_OPENSSL_110_THREADING_API */
 
 /*
  * OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
  * OpenSSL[http://www.openssl.org/] library.
  *
- * = Install
- *
- * OpenSSL comes bundled with the Standard Library of Ruby.
- *
- * This means the OpenSSL extension is compiled with Ruby and packaged on
- * build. During compile time, Ruby will need to link against the OpenSSL
- * library on your system. However, you cannot use openssl provided by Apple to
- * build standard library openssl.
- *
- * If you use OSX, you should install another openssl and run ```./configure
- * --with-openssl-dir=/path/to/another-openssl```. For Homebrew user, run `brew
- * install openssl` and then ```./configure --with-openssl-dir=`brew --prefix
- * openssl` ```.
- *
  * = Examples
  *
  * All examples assume you have loaded OpenSSL with:
@@ -613,10 +631,12 @@ static void Init_ossl_locks(void)
  *
  *   key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
  *   key2.public? # => true
+ *   key2.private? # => true
  *
  * or
  *
  *   key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
+ *   key3.public? # => true
  *   key3.private? # => false
  *
  * === Loading an Encrypted Key
@@ -626,6 +646,7 @@ static void Init_ossl_locks(void)
  * loading the key:
  *
  *   key4_pem = File.read 'private.secure.pem'
+ *   pass_phrase = 'my secure pass phrase goes here'
  *   key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
  *
  * == RSA Encryption
@@ -790,6 +811,7 @@ static void Init_ossl_locks(void)
  * This example creates a self-signed certificate using an RSA key and a SHA1
  * signature.
  *
+ *   key = OpenSSL::PKey::RSA.new 2048
  *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
  *
  *   cert = OpenSSL::X509::Certificate.new
@@ -859,8 +881,9 @@ static void Init_ossl_locks(void)
  * not readable by other users.
  *
  *   ca_key = OpenSSL::PKey::RSA.new 2048
+ *   pass_phrase = 'my secure pass phrase goes here'
  *
- *   cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
+ *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
  *
  *   open 'ca_key.pem', 'w', 0400 do |io|
  *     io.write ca_key.export(cipher, pass_phrase)
@@ -1013,15 +1036,21 @@ static void Init_ossl_locks(void)
  * SSLSocket#connect must be called to initiate the SSL handshake and start
  * encryption.  A key and certificate are not required for the client socket.
  *
+ * Note that SSLSocket#close doesn't close the underlying socket by default. Set
+ * SSLSocket#sync_close to true if you want.
+ *
  *   require 'socket'
  *
- *   tcp_client = TCPSocket.new 'localhost', 5000
- *   ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
+ *   tcp_socket = TCPSocket.new 'localhost', 5000
+ *   ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
+ *   ssl_client.sync_close = true
  *   ssl_client.connect
  *
  *   ssl_client.puts "hello server!"
  *   puts ssl_client.gets
  *
+ *   ssl_client.close # shutdown the TLS connection and close tcp_socket
+ *
  * === Peer Verification
  *
  * An unverified SSL connection does not provide much security.  For enhanced
@@ -1035,8 +1064,8 @@ static void Init_ossl_locks(void)
  *
  *   require 'socket'
  *
- *   tcp_client = TCPSocket.new 'localhost', 5000
- *   ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
+ *   tcp_socket = TCPSocket.new 'localhost', 5000
+ *   ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
  *   ssl_client.connect
  *
  *   ssl_client.puts "hello server!"
@@ -1049,6 +1078,7 @@ static void Init_ossl_locks(void)
 void
 Init_openssl(void)
 {
+#undef rb_intern
     /*
      * Init timezone info
      */
@@ -1110,11 +1140,14 @@ Init_openssl(void)
     /*
      * Boolean indicating whether OpenSSL is FIPS-enabled or not
      */
-#ifdef HAVE_OPENSSL_FIPS
-    rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
+    rb_define_const(mOSSL, "OPENSSL_FIPS",
+#ifdef OPENSSL_FIPS
+		    Qtrue
 #else
-    rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
+		    Qfalse
 #endif
+		   );
+
     rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
 
     /*
@@ -1124,12 +1157,6 @@ Init_openssl(void)
     eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError);
     rb_global_variable(&eOSSLError);
 
-    /*
-     * Verify callback Proc index for ext-data
-     */
-    if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0)
-        ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index");
-
     /*
      * Init debug core
      */
@@ -1145,7 +1172,9 @@ Init_openssl(void)
      */
     ossl_s_to_der = rb_intern("to_der");
 
+#if !defined(HAVE_OPENSSL_110_THREADING_API)
     Init_ossl_locks();
+#endif
 
     /*
      * Init components
@@ -1166,15 +1195,40 @@ Init_openssl(void)
     Init_ossl_ocsp();
     Init_ossl_engine();
     Init_ossl_asn1();
-}
 
 #if defined(OSSL_DEBUG)
-/*
- * Check if all symbols are OK with 'make LDSHARED=gcc all'
- */
-int
-main(int argc, char *argv[])
-{
-    return 0;
+    /*
+     * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug
+     */
+#if !defined(LIBRESSL_VERSION_NUMBER) && \
+    (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \
+     defined(CRYPTO_malloc_debug_init))
+    rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0);
+    rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0);
+
+#if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */
+    CRYPTO_malloc_debug_init();
+#endif
+
+#if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */
+    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */
+    {
+	int i;
+	/*
+	 * See crypto/ex_data.c; call def_get_class() immediately to avoid
+	 * allocations. 15 is the maximum number that is used as the class index
+	 * in OpenSSL 1.0.2.
+	 */
+	for (i = 0; i <= 15; i++) {
+	    if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0)
+		rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for "
+			 "class index %d failed", i);
+	}
+    }
+#endif
+#endif
+#endif
 }
-#endif /* OSSL_DEBUG */