rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/ossl_config.c

@@ -41,7 +41,7 @@ DupConfigPtr(VALUE obj)
 
     OSSL_Check_Kind(obj, cConfig);
     str = rb_funcall(obj, rb_intern("to_s"), 0);
-    bio = ossl_obj2bio(str);
+    bio = ossl_obj2bio(&str);
     conf = NCONF_new(NULL);
     if(!conf){
 	BIO_free(bio);
@@ -72,6 +72,12 @@ void
 Init_ossl_config(void)
 {
     char *default_config_file;
+
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
     eConfigError = rb_define_class_under(mOSSL, "ConfigError", eOSSLError);
     cConfig = rb_define_class_under(mOSSL, "Config", rb_cObject);
 

data/ext/rubysl/openssl/ossl_config.h

@@ -13,7 +13,6 @@
 extern VALUE cConfig;
 extern VALUE eConfigError;
 
-CONF* GetConfigPtr(VALUE obj);
 CONF* DupConfigPtr(VALUE obj);
 void Init_ossl_config(void);
 

data/ext/rubysl/openssl/ossl_digest.c

@@ -61,7 +61,7 @@ GetDigestPtr(VALUE obj)
 	    ASN1_OBJECT_free(oid);
 	}
 	if(!md)
-            ossl_raise(rb_eRuntimeError, "Unsupported digest algorithm (%s).", name);
+            ossl_raise(rb_eRuntimeError, "Unsupported digest algorithm (%"PRIsVALUE").", obj);
     } else {
         EVP_MD_CTX *ctx;
 
@@ -80,10 +80,13 @@ ossl_digest_new(const EVP_MD *md)
     EVP_MD_CTX *ctx;
 
     ret = ossl_digest_alloc(cDigest);
-    GetDigest(ret, ctx);
-    if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
-	ossl_raise(eDigestError, "Digest initialization failed.");
-    }
+    ctx = EVP_MD_CTX_new();
+    if (!ctx)
+	ossl_raise(eDigestError, "EVP_MD_CTX_new");
+    RTYPEDDATA_DATA(ret) = ctx;
+
+    if (!EVP_DigestInit_ex(ctx, md, NULL))
+	ossl_raise(eDigestError, "Digest initialization failed");
 
     return ret;
 }
@@ -94,13 +97,7 @@ ossl_digest_new(const EVP_MD *md)
 static VALUE
 ossl_digest_alloc(VALUE klass)
 {
-    VALUE obj = TypedData_Wrap_Struct(klass, &ossl_digest_type, 0);
-    EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-    if (ctx == NULL)
-	ossl_raise(rb_eRuntimeError, "EVP_MD_CTX_create() failed");
-    RTYPEDDATA_DATA(obj) = ctx;
-
-    return obj;
+    return TypedData_Wrap_Struct(klass, &ossl_digest_type, 0);
 }
 
 VALUE ossl_digest_update(VALUE, VALUE);
@@ -111,17 +108,16 @@ VALUE ossl_digest_update(VALUE, VALUE);
  *
  * Creates a Digest instance based on +string+, which is either the ln
  * (long name) or sn (short name) of a supported digest algorithm.
+ *
  * If +data+ (a +String+) is given, it is used as the initial input to the
  * Digest instance, i.e.
+ *
  *   digest = OpenSSL::Digest.new('sha256', 'digestdata')
+ *
  * is equal to
+ *
  *   digest = OpenSSL::Digest.new('sha256')
  *   digest.update('digestdata')
- *
- * === Example
- *   digest = OpenSSL::Digest.new('sha1')
- *
- *
  */
 static VALUE
 ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
@@ -134,11 +130,16 @@ ossl_digest_initialize(int argc, VALUE *argv, VALUE self)
     md = GetDigestPtr(type);
     if (!NIL_P(data)) StringValue(data);
 
-    GetDigest(self, ctx);
-    if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
-	ossl_raise(eDigestError, "Digest initialization failed.");
+    TypedData_Get_Struct(self, EVP_MD_CTX, &ossl_digest_type, ctx);
+    if (!ctx) {
+	RTYPEDDATA_DATA(self) = ctx = EVP_MD_CTX_new();
+	if (!ctx)
+	    ossl_raise(eDigestError, "EVP_MD_CTX_new");
     }
 
+    if (!EVP_DigestInit_ex(ctx, md, NULL))
+	ossl_raise(eDigestError, "Digest initialization failed");
+
     if (!NIL_P(data)) return ossl_digest_update(self, data);
     return self;
 }
@@ -151,7 +152,12 @@ ossl_digest_copy(VALUE self, VALUE other)
     rb_check_frozen(self);
     if (self == other) return self;
 
-    GetDigest(self, ctx1);
+    TypedData_Get_Struct(self, EVP_MD_CTX, &ossl_digest_type, ctx1);
+    if (!ctx1) {
+	RTYPEDDATA_DATA(self) = ctx1 = EVP_MD_CTX_new();
+	if (!ctx1)
+	    ossl_raise(eDigestError, "EVP_MD_CTX_new");
+    }
     SafeGetDigest(other, ctx2);
 
     if (!EVP_MD_CTX_copy(ctx1, ctx2)) {
@@ -203,7 +209,9 @@ ossl_digest_update(VALUE self, VALUE data)
 
     StringValue(data);
     GetDigest(self, ctx);
-    EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data));
+
+    if (!EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)))
+	ossl_raise(eDigestError, "EVP_DigestUpdate");
 
     return self;
 }
@@ -218,19 +226,21 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
 {
     EVP_MD_CTX *ctx;
     VALUE str;
-
-    rb_scan_args(argc, argv, "01", &str);
+    int out_len;
 
     GetDigest(self, ctx);
+    rb_scan_args(argc, argv, "01", &str);
+    out_len = EVP_MD_CTX_size(ctx);
 
     if (NIL_P(str)) {
-        str = rb_str_new(NULL, EVP_MD_CTX_size(ctx));
+        str = rb_str_new(NULL, out_len);
     } else {
         StringValue(str);
-        rb_str_resize(str, EVP_MD_CTX_size(ctx));
+        rb_str_resize(str, out_len);
     }
 
-    EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL);
+    if (!EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL))
+	ossl_raise(eDigestError, "EVP_DigestFinal_ex");
 
     return str;
 }
@@ -239,7 +249,7 @@ ossl_digest_finish(int argc, VALUE *argv, VALUE self)
  *  call-seq:
  *      digest.name -> string
  *
- * Returns the sn of this Digest instance.
+ * Returns the sn of this Digest algorithm.
  *
  * === Example
  *   digest = OpenSSL::Digest::SHA512.new
@@ -310,7 +320,8 @@ Init_ossl_digest(void)
     rb_require("digest");
 
 #if 0
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
 #endif
 
     /* Document-class: OpenSSL::Digest

data/ext/rubysl/openssl/ossl_engine.c

@@ -9,7 +9,7 @@
  */
 #include "ossl.h"
 
-#if defined(OSSL_ENGINE_ENABLED)
+#if !defined(OPENSSL_NO_ENGINE)
 
 #define NewEngine(klass) \
     TypedData_Wrap_Struct((klass), &ossl_engine_type, 0)
@@ -96,7 +96,7 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
         ENGINE_load_builtin_engines();
         return Qtrue;
     }
-    StringValue(name);
+    StringValueCStr(name);
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #if HAVE_ENGINE_LOAD_DYNAMIC
     OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
@@ -148,7 +148,7 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
     OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
 #endif
     OSSL_ENGINE_LOAD_IF_MATCH(openssl);
-    rb_warning("no such builtin loader for `%s'", RSTRING_PTR(name));
+    rb_warning("no such builtin loader for `%"PRIsVALUE"'", name);
     return Qnil;
 #endif /* HAVE_ENGINE_LOAD_BUILTIN_ENGINES */
 }
@@ -160,14 +160,12 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
  * It is only necessary to run cleanup when engines are loaded via
  * OpenSSL::Engine.load. However, running cleanup before exit is recommended.
  *
- * See also, https://www.openssl.org/docs/crypto/engine.html
+ * Note that this is needed and works only in OpenSSL < 1.1.0.
  */
 static VALUE
 ossl_engine_s_cleanup(VALUE self)
 {
-#if defined(HAVE_ENGINE_CLEANUP)
     ENGINE_cleanup();
-#endif
     return Qnil;
 }
 
@@ -213,7 +211,7 @@ ossl_engine_s_by_id(VALUE klass, VALUE id)
     ENGINE *e;
     VALUE obj;
 
-    StringValue(id);
+    StringValueCStr(id);
     ossl_engine_s_load(1, &id, klass);
     obj = NewEngine(klass);
     if(!(e = ENGINE_by_id(RSTRING_PTR(id))))
@@ -224,22 +222,7 @@ ossl_engine_s_by_id(VALUE klass, VALUE id)
 	ossl_raise(eEngineError, NULL);
     ENGINE_ctrl(e, ENGINE_CTRL_SET_PASSWORD_CALLBACK,
 		0, NULL, (void(*)(void))ossl_pem_passwd_cb);
-    ERR_clear_error();
-
-    return obj;
-}
-
-static VALUE
-ossl_engine_s_alloc(VALUE klass)
-{
-    ENGINE *e;
-    VALUE obj;
-
-    obj = NewEngine(klass);
-    if (!(e = ENGINE_new())) {
-       ossl_raise(eEngineError, NULL);
-    }
-    SetEngine(obj, e);
+    ossl_clear_error();
 
     return obj;
 }
@@ -296,7 +279,6 @@ ossl_engine_finish(VALUE self)
     return Qnil;
 }
 
-#if defined(HAVE_ENGINE_GET_CIPHER)
 /* Document-method: OpenSSL::Engine#cipher
  *
  * call-seq:
@@ -305,7 +287,7 @@ ossl_engine_finish(VALUE self)
  * This returns an OpenSSL::Cipher by +name+, if it is available in this
  * engine.
  *
- * A EngineError will be raised if the cipher is unavailable.
+ * An EngineError will be raised if the cipher is unavailable.
  *
  *    e = OpenSSL::Engine.by_id("openssl")
  *     => #<OpenSSL::Engine id="openssl" name="Software engine support">
@@ -318,12 +300,10 @@ ossl_engine_get_cipher(VALUE self, VALUE name)
 {
     ENGINE *e;
     const EVP_CIPHER *ciph, *tmp;
-    char *s;
     int nid;
 
-    s = StringValuePtr(name);
-    tmp = EVP_get_cipherbyname(s);
-    if(!tmp) ossl_raise(eEngineError, "no such cipher `%s'", s);
+    tmp = EVP_get_cipherbyname(StringValueCStr(name));
+    if(!tmp) ossl_raise(eEngineError, "no such cipher `%"PRIsVALUE"'", name);
     nid = EVP_CIPHER_nid(tmp);
     GetEngine(self, e);
     ciph = ENGINE_get_cipher(e, nid);
@@ -331,11 +311,7 @@ ossl_engine_get_cipher(VALUE self, VALUE name)
 
     return ossl_cipher_new(ciph);
 }
-#else
-#define ossl_engine_get_cipher rb_f_notimplement
-#endif
 
-#if defined(HAVE_ENGINE_GET_DIGEST)
 /* Document-method: OpenSSL::Engine#digest
  *
  * call-seq:
@@ -357,12 +333,10 @@ ossl_engine_get_digest(VALUE self, VALUE name)
 {
     ENGINE *e;
     const EVP_MD *md, *tmp;
-    char *s;
     int nid;
 
-    s = StringValuePtr(name);
-    tmp = EVP_get_digestbyname(s);
-    if(!tmp) ossl_raise(eEngineError, "no such digest `%s'", s);
+    tmp = EVP_get_digestbyname(StringValueCStr(name));
+    if(!tmp) ossl_raise(eEngineError, "no such digest `%"PRIsVALUE"'", name);
     nid = EVP_MD_nid(tmp);
     GetEngine(self, e);
     md = ENGINE_get_digest(e, nid);
@@ -370,9 +344,6 @@ ossl_engine_get_digest(VALUE self, VALUE name)
 
     return ossl_digest_new(md);
 }
-#else
-#define ossl_engine_get_digest rb_f_notimplement
-#endif
 
 /* Document-method: OpenSSL::Engine#load_private_key
  *
@@ -393,14 +364,10 @@ ossl_engine_load_privkey(int argc, VALUE *argv, VALUE self)
     char *sid, *sdata;
 
     rb_scan_args(argc, argv, "02", &id, &data);
-    sid = NIL_P(id) ? NULL : StringValuePtr(id);
-    sdata = NIL_P(data) ? NULL : StringValuePtr(data);
+    sid = NIL_P(id) ? NULL : StringValueCStr(id);
+    sdata = NIL_P(data) ? NULL : StringValueCStr(data);
     GetEngine(self, e);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-    pkey = ENGINE_load_private_key(e, sid, sdata);
-#else
     pkey = ENGINE_load_private_key(e, sid, NULL, sdata);
-#endif
     if (!pkey) ossl_raise(eEngineError, NULL);
     obj = ossl_pkey_new(pkey);
     OSSL_PKEY_SET_PRIVATE(obj);
@@ -427,14 +394,10 @@ ossl_engine_load_pubkey(int argc, VALUE *argv, VALUE self)
     char *sid, *sdata;
 
     rb_scan_args(argc, argv, "02", &id, &data);
-    sid = NIL_P(id) ? NULL : StringValuePtr(id);
-    sdata = NIL_P(data) ? NULL : StringValuePtr(data);
+    sid = NIL_P(id) ? NULL : StringValueCStr(id);
+    sdata = NIL_P(data) ? NULL : StringValueCStr(data);
     GetEngine(self, e);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-    pkey = ENGINE_load_public_key(e, sid, sdata);
-#else
     pkey = ENGINE_load_public_key(e, sid, NULL, sdata);
-#endif
     if (!pkey) ossl_raise(eEngineError, NULL);
 
     return ossl_pkey_new(pkey);
@@ -487,10 +450,8 @@ ossl_engine_ctrl_cmd(int argc, VALUE *argv, VALUE self)
 
     GetEngine(self, e);
     rb_scan_args(argc, argv, "11", &cmd, &val);
-    StringValue(cmd);
-    if (!NIL_P(val)) StringValue(val);
-    ret = ENGINE_ctrl_cmd_string(e, RSTRING_PTR(cmd),
-				 NIL_P(val) ? NULL : RSTRING_PTR(val), 0);
+    ret = ENGINE_ctrl_cmd_string(e, StringValueCStr(cmd),
+				 NIL_P(val) ? NULL : StringValueCStr(val), 0);
     if (!ret) ossl_raise(eEngineError, NULL);
 
     return self;
@@ -553,15 +514,19 @@ ossl_engine_inspect(VALUE self)
 void
 Init_ossl_engine(void)
 {
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+#endif
+
     cEngine = rb_define_class_under(mOSSL, "Engine", rb_cObject);
     eEngineError = rb_define_class_under(cEngine, "EngineError", eOSSLError);
 
-    rb_define_alloc_func(cEngine, ossl_engine_s_alloc);
+    rb_undef_alloc_func(cEngine);
     rb_define_singleton_method(cEngine, "load", ossl_engine_s_load, -1);
     rb_define_singleton_method(cEngine, "cleanup", ossl_engine_s_cleanup, 0);
     rb_define_singleton_method(cEngine, "engines", ossl_engine_s_engines, 0);
     rb_define_singleton_method(cEngine, "by_id", ossl_engine_s_by_id, 1);
-    rb_undef_method(CLASS_OF(cEngine), "new");
 
     rb_define_method(cEngine, "id", ossl_engine_get_id, 0);
     rb_define_method(cEngine, "name", ossl_engine_get_name, 0);
@@ -585,12 +550,8 @@ Init_ossl_engine(void)
 #ifdef ENGINE_METHOD_BN_MOD_EXP_CRT
     DefEngineConst(METHOD_BN_MOD_EXP_CRT);
 #endif
-#ifdef ENGINE_METHOD_CIPHERS
     DefEngineConst(METHOD_CIPHERS);
-#endif
-#ifdef ENGINE_METHOD_DIGESTS
     DefEngineConst(METHOD_DIGESTS);
-#endif
     DefEngineConst(METHOD_ALL);
     DefEngineConst(METHOD_NONE);
 }

data/ext/rubysl/openssl/ossl_hmac.c

@@ -11,8 +11,8 @@
 
 #include "ossl.h"
 
-#define MakeHMAC(obj, klass, ctx) \
-    (obj) = TypedData_Make_Struct((klass), HMAC_CTX, &ossl_hmac_type, (ctx))
+#define NewHMAC(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_hmac_type, 0)
 #define GetHMAC(obj, ctx) do { \
     TypedData_Get_Struct((obj), HMAC_CTX, &ossl_hmac_type, (ctx)); \
     if (!(ctx)) { \
@@ -40,8 +40,7 @@ VALUE eHMACError;
 static void
 ossl_hmac_free(void *ctx)
 {
-    HMAC_CTX_cleanup(ctx);
-    ruby_xfree(ctx);
+    HMAC_CTX_free(ctx);
 }
 
 static const rb_data_type_t ossl_hmac_type = {
@@ -55,11 +54,14 @@ static const rb_data_type_t ossl_hmac_type = {
 static VALUE
 ossl_hmac_alloc(VALUE klass)
 {
-    HMAC_CTX *ctx;
     VALUE obj;
+    HMAC_CTX *ctx;
 
-    MakeHMAC(obj, klass, ctx);
-    HMAC_CTX_init(ctx);
+    obj = NewHMAC(klass);
+    ctx = HMAC_CTX_new();
+    if (!ctx)
+	ossl_raise(eHMACError, NULL);
+    RTYPEDDATA_DATA(obj) = ctx;
 
     return obj;
 }
@@ -107,8 +109,8 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 
     StringValue(key);
     GetHMAC(self, ctx);
-    HMAC_Init(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
-		 GetDigestPtr(digest));
+    HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
+		 GetDigestPtr(digest), NULL);
 
     return self;
 }
@@ -124,7 +126,8 @@ ossl_hmac_copy(VALUE self, VALUE other)
     GetHMAC(self, ctx1);
     SafeGetHMAC(other, ctx2);
 
-    HMAC_CTX_copy(ctx1, ctx2);
+    if (!HMAC_CTX_copy(ctx1, ctx2))
+	ossl_raise(eHMACError, "HMAC_CTX_copy");
     return self;
 }
 
@@ -159,18 +162,21 @@ ossl_hmac_update(VALUE self, VALUE data)
 }
 
 static void
-hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
+hmac_final(HMAC_CTX *ctx, unsigned char *buf, unsigned int *buf_len)
 {
-    HMAC_CTX final;
+    HMAC_CTX *final;
 
-    HMAC_CTX_copy(&final, ctx);
-    if (!(*buf = OPENSSL_malloc(HMAC_size(&final)))) {
-	HMAC_CTX_cleanup(&final);
-	OSSL_Debug("Allocating %d mem", HMAC_size(&final));
-	ossl_raise(eHMACError, "Cannot allocate memory for hmac");
+    final = HMAC_CTX_new();
+    if (!final)
+	ossl_raise(eHMACError, "HMAC_CTX_new");
+
+    if (!HMAC_CTX_copy(final, ctx)) {
+	HMAC_CTX_free(final);
+	ossl_raise(eHMACError, "HMAC_CTX_copy");
     }
-    HMAC_Final(&final, *buf, buf_len);
-    HMAC_CTX_cleanup(&final);
+
+    HMAC_Final(final, buf, buf_len);
+    HMAC_CTX_free(final);
 }
 
 /*
@@ -180,26 +186,25 @@ hmac_final(HMAC_CTX *ctx, unsigned char **buf, unsigned int *buf_len)
  * Returns the authentication code an instance represents as a binary string.
  *
  * === Example
- *
- *	instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
- * 	#=> f42bb0eeb018ebbd4597ae7213711ec60760843f
- * 	instance.digest
- * 	#=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
- *
+ *  instance = OpenSSL::HMAC.new('key', OpenSSL::Digest.new('sha1'))
+ *  #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
+ *  instance.digest
+ *  #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
  */
 static VALUE
 ossl_hmac_digest(VALUE self)
 {
     HMAC_CTX *ctx;
-    unsigned char *buf;
     unsigned int buf_len;
-    VALUE digest;
+    VALUE ret;
 
     GetHMAC(self, ctx);
-    hmac_final(ctx, &buf, &buf_len);
-    digest = ossl_buf2str((char *)buf, buf_len);
+    ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
+    hmac_final(ctx, (unsigned char *)RSTRING_PTR(ret), &buf_len);
+    assert(buf_len <= EVP_MAX_MD_SIZE);
+    rb_str_set_len(ret, buf_len);
 
-    return digest;
+    return ret;
 }
 
 /*
@@ -208,27 +213,21 @@ ossl_hmac_digest(VALUE self)
  *
  * Returns the authentication code an instance represents as a hex-encoded
  * string.
- *
  */
 static VALUE
 ossl_hmac_hexdigest(VALUE self)
 {
     HMAC_CTX *ctx;
-    unsigned char *buf;
-    char *hexbuf;
+    unsigned char buf[EVP_MAX_MD_SIZE];
     unsigned int buf_len;
-    VALUE hexdigest;
+    VALUE ret;
 
     GetHMAC(self, ctx);
-    hmac_final(ctx, &buf, &buf_len);
-    if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
-	OPENSSL_free(buf);
-	ossl_raise(eHMACError, "Memory alloc error");
-    }
-    OPENSSL_free(buf);
-    hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
+    hmac_final(ctx, buf, &buf_len);
+    ret = rb_str_new(NULL, buf_len * 2);
+    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
 
-    return hexdigest;
+    return ret;
 }
 
 /*
@@ -256,7 +255,7 @@ ossl_hmac_reset(VALUE self)
     HMAC_CTX *ctx;
 
     GetHMAC(self, ctx);
-    HMAC_Init(ctx, NULL, 0, NULL);
+    HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);
 
     return self;
 }
@@ -312,22 +311,22 @@ ossl_hmac_s_digest(VALUE klass, VALUE digest, VALUE key, VALUE data)
 static VALUE
 ossl_hmac_s_hexdigest(VALUE klass, VALUE digest, VALUE key, VALUE data)
 {
-    unsigned char *buf;
-    char *hexbuf;
+    unsigned char buf[EVP_MAX_MD_SIZE];
     unsigned int buf_len;
-    VALUE hexdigest;
+    VALUE ret;
 
     StringValue(key);
     StringValue(data);
 
-    buf = HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
-	       (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data), NULL, &buf_len);
-    if (string2hex(buf, buf_len, &hexbuf, NULL) != 2 * (int)buf_len) {
-	ossl_raise(eHMACError, "Cannot convert buf to hexbuf");
-    }
-    hexdigest = ossl_buf2str(hexbuf, 2 * buf_len);
+    if (!HMAC(GetDigestPtr(digest), RSTRING_PTR(key), RSTRING_LENINT(key),
+	      (unsigned char *)RSTRING_PTR(data), RSTRING_LEN(data),
+	      buf, &buf_len))
+	ossl_raise(eHMACError, "HMAC");
+
+    ret = rb_str_new(NULL, buf_len * 2);
+    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);
 
-    return hexdigest;
+    return ret;
 }
 
 /*
@@ -337,10 +336,38 @@ void
 Init_ossl_hmac(void)
 {
 #if 0
-    /* :nodoc: */
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
 #endif
 
+    /*
+     * Document-class: OpenSSL::HMAC
+     *
+     * OpenSSL::HMAC allows computing Hash-based Message Authentication Code
+     * (HMAC). It is a type of message authentication code (MAC) involving a
+     * hash function in combination with a key. HMAC can be used to verify the
+     * integrity of a message as well as the authenticity.
+     *
+     * OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
+     *
+     * === HMAC-SHA256 using one-shot interface
+     *
+     *   key = "key"
+     *   data = "message-to-be-authenticated"
+     *   mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
+     *   #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
+     *
+     * === HMAC-SHA256 using incremental interface
+     *
+     *   data1 = File.read("file1")
+     *   data2 = File.read("file2")
+     *   key = "key"
+     *   digest = OpenSSL::Digest::SHA256.new
+     *   hmac = OpenSSL::HMAC.new(key, digest)
+     *   hmac << data1
+     *   hmac << data2
+     *   mac = hmac.digest
+     */
     eHMACError = rb_define_class_under(mOSSL, "HMACError", eOSSLError);
 
     cHMAC = rb_define_class_under(mOSSL, "HMAC", rb_cObject);