rubysl-openssl 1.0.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d338183332a8cda316fec73620fa2da8893f5bc6
-  data.tar.gz: 4dae53f5f838d6af04a706d1797969c271f53495
+  metadata.gz: 9c238a316eb62bef98b87c16d1d8ab5941315c63
+  data.tar.gz: 931107b12c0c7047c860edbde9e90b43dda7f2a8
 SHA512:
-  metadata.gz: d41c80ea649fbd47426bebdecb62555cf8530ce89deed55ac04e57d20eb470a538387954ae04405c0dff0b102236551704f10625d565c069cb1fb2d6f466b231
-  data.tar.gz: 5ac293f0e36ddd2723cce2c039ede286a34a3380f5272a1f5cf20e8e21744b26c24b217e73f8e12bc98ea4c09d062cee536f31b0142cca314e098da0a53bd6db
+  metadata.gz: 9bdc04ead59cae9b0cb0ccf4e5b59665e05adf53c9b3a4d2677e22f05c201918521db924152b6050549f15d2adb519ced8ac937ac70455750d2e87700363d1bc
+  data.tar.gz: 33fde93ed4381c5a0269ce877fdac55a24466128d674201b50d9b9303345876ca5aa59e097c9bf22867b842dc2b961db7ad079bf283234854a9bfee82c21bf31

data/.travis.yml

@@ -1,8 +1,7 @@
 language: ruby
-before_install:
-  - gem update --system
-  - gem --version
-  - gem install rubysl-bundler
-script: bundle exec mspec spec
+env:
+  - RUBYLIB=lib
+script: bundle exec mspec
 rvm:
-  - rbx-nightly-18mode
+  - 1.9.3
+  - rbx-nightly-19mode

data/ext/rubysl/openssl/.gitignore

@@ -0,0 +1,3 @@
+extconf.h
+mkmf.log
+Makefile

data/ext/rubysl/openssl/deprecation.rb

@@ -0,0 +1,21 @@
+module OpenSSL
+  def self.deprecated_warning_flag
+    unless flag = (@deprecated_warning_flag ||= nil)
+      if try_compile("", flag = "-Werror=deprecated-declarations")
+        if with_config("broken-apple-openssl")
+          flag = "-Wno-deprecated-declarations"
+        end
+        $warnflags << " #{flag}"
+      else
+        flag = ""
+      end
+      @deprecated_warning_flag = flag
+    end
+    flag
+  end
+
+  def self.check_func(func, header)
+    have_func(func, header, deprecated_warning_flag) and
+      have_header(header, nil, deprecated_warning_flag)
+  end
+end

data/ext/rubysl/openssl/extconf.rb

@@ -1,3 +1,4 @@
+# -*- coding: us-ascii -*-
 =begin
 = $RCSfile$ -- Generator for Makefile
 
@@ -11,61 +12,59 @@
   (See the file 'LICENCE'.)
 
 = Version
-  $Id: extconf.rb 32234 2011-06-26 08:58:06Z shyouhei $
+  $Id$
 =end
 
 require "mkmf"
+require File.expand_path('../deprecation', __FILE__)
 
 dir_config("openssl")
 dir_config("kerberos")
 
-message "=== OpenSSL for Ruby configurator ===\n"
+Logging::message "=== OpenSSL for Ruby configurator ===\n"
 
 ##
-# Adds -Wall -DOSSL_DEBUG for compilation and some more targets when GCC is used
+# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
 # To turn it on, use: --with-debug or --enable-debug
 #
 if with_config("debug") or enable_config("debug")
   $defs.push("-DOSSL_DEBUG") unless $defs.include? "-DOSSL_DEBUG"
-
-  if /gcc/ =~ CONFIG["CC"]
-    $CPPFLAGS += " -Wall" unless $CPPFLAGS.split.include? "-Wall"
-  end
 end
 
 # Nothing we can do about these problems.
 $CPPFLAGS += " -Wno-deprecated-declarations -Wno-pointer-sign"
 
-message "=== Checking for system dependent stuff... ===\n"
+Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
 have_library("socket", "socket")
 have_header("assert.h")
 
-message "=== Checking for required stuff... ===\n"
+Logging::message "=== Checking for required stuff... ===\n"
 if $mingw
   have_library("wsock32")
   have_library("gdi32")
 end
-result = have_header("openssl/ssl.h")
-result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "OpenSSL_add_all_digests")}
-result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_library_init")}
-if !result
-  unless pkg_config("openssl") and have_header("openssl/ssl.h")
-    message "=== Checking for required stuff failed. ===\n"
-    message "Makefile wasn't created. Fix the errors above.\n"
+
+result = pkg_config("openssl") && have_header("openssl/ssl.h")
+
+unless result
+  result = have_header("openssl/ssl.h")
+  result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "OpenSSL_add_all_digests")}
+  result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_library_init")}
+  unless result
+    Logging::message "=== Checking for required stuff failed. ===\n"
+    Logging::message "Makefile wasn't created. Fix the errors above.\n"
     exit 1
   end
 end
 
 unless have_header("openssl/conf_api.h")
-  message "OpenSSL 0.9.6 or later required.\n"
-  exit 1
+  raise "OpenSSL 0.9.6 or later required."
 end
 
-%w"rb_str_set_len rb_block_call".each {|func| have_func(func, "ruby.h")}
-
-message "=== Checking for OpenSSL features... ===\n"
+Logging::message "=== Checking for OpenSSL features... ===\n"
 have_func("ERR_peek_last_error")
+have_func("ASN1_put_eoc")
 have_func("BN_mod_add")
 have_func("BN_mod_sqr")
 have_func("BN_mod_sub")
@@ -99,13 +98,18 @@ have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
 have_func("OBJ_NAME_do_all_sorted")
 have_func("SSL_SESSION_get_id")
+have_func("SSL_SESSION_cmp")
 have_func("OPENSSL_cleanse")
-if try_compile("#define FOO(...) foo(__VA_ARGS__)\n int x(){FOO(1);FOO(1,2);FOO(1,2,3);}\n")
-  $defs.push("-DHAVE_VA_ARGS_MACRO")
-end
 have_func("SSLv2_method")
 have_func("SSLv2_server_method")
 have_func("SSLv2_client_method")
+have_func("TLSv1_1_method")
+have_func("TLSv1_1_server_method")
+have_func("TLSv1_1_client_method")
+have_func("TLSv1_2_method")
+have_func("TLSv1_2_server_method")
+have_func("TLSv1_2_client_method")
+have_macro("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h']) && $defs.push("-DHAVE_OPENSSL_NPN_NEGOTIATED")
 unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
   have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
 end
@@ -116,6 +120,7 @@ if have_header("openssl/engine.h")
   have_func("ENGINE_get_digest")
   have_func("ENGINE_get_cipher")
   have_func("ENGINE_cleanup")
+  have_func("ENGINE_load_dynamic")
   have_func("ENGINE_load_4758cca")
   have_func("ENGINE_load_aep")
   have_func("ENGINE_load_atalla")
@@ -124,21 +129,29 @@ if have_header("openssl/engine.h")
   have_func("ENGINE_load_nuron")
   have_func("ENGINE_load_sureware")
   have_func("ENGINE_load_ubsec")
+  have_func("ENGINE_load_padlock")
+  have_func("ENGINE_load_capi")
+  have_func("ENGINE_load_gmp")
+  have_func("ENGINE_load_gost")
+  have_func("ENGINE_load_cryptodev")
+  have_func("ENGINE_load_aesni")
 end
-if try_compile(<<SRC)
-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-# error "OpenSSL version is less than 0.9.7."
-#endif
-SRC
+have_func("DH_generate_parameters_ex")
+have_func("DSA_generate_parameters_ex")
+have_func("RSA_generate_key_ex")
+if checking_for('OpenSSL version is 0.9.7 or later') {
+    try_static_assert('OPENSSL_VERSION_NUMBER >= 0x00907000L', 'openssl/opensslv.h')
+  }
   have_header("openssl/ocsp.h")
 end
 have_struct_member("EVP_CIPHER_CTX", "flags", "openssl/evp.h")
 have_struct_member("EVP_CIPHER_CTX", "engine", "openssl/evp.h")
 have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h")
+have_macro("OPENSSL_FIPS", ['openssl/opensslconf.h']) && $defs.push("-DHAVE_OPENSSL_FIPS")
+have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION")
 
-message "=== Checking done. ===\n"
+Logging::message "=== Checking done. ===\n"
 
 create_header
 create_makefile("openssl/openssl")
-message "Done.\n"
+Logging::message "Done.\n"

data/ext/rubysl/openssl/openssl_missing.c

@@ -1,5 +1,5 @@
 /*
- * $Id: openssl_missing.c 16467 2008-05-19 03:00:52Z knu $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -36,12 +36,13 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in)
 #endif /* NO_HMAC */
 
 #if !defined(HAVE_X509_STORE_SET_EX_DATA)
-
 int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data)
 {
     return CRYPTO_set_ex_data(&str->ex_data, idx, data);
 }
- 
+#endif
+
+#if !defined(HAVE_X509_STORE_GET_EX_DATA)
 void *X509_STORE_get_ex_data(X509_STORE *str, int idx)
 {
     return CRYPTO_get_ex_data(&str->ex_data, idx);
@@ -111,7 +112,7 @@ HMAC_CTX_cleanup(HMAC_CTX *ctx)
 #endif
 
 #if !defined(HAVE_EVP_CIPHER_CTX_COPY)
-/* 
+/*
  * this function does not exist in OpenSSL yet... or ever?.
  * a future version may break this function.
  * tested on 0.9.7d.
@@ -180,12 +181,12 @@ OSSL_X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const
 		(ASN1_STRING *)(*a)->serialNumber,
 		(ASN1_STRING *)(*b)->serialNumber));
 }
-		    
+
 int
 X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
     X509_CRL_INFO *inf;
-    
+
     inf = crl->crl;
     if (!inf->revoked)
 	inf->revoked = sk_X509_REVOKED_new(OSSL_X509_REVOKED_cmp);
@@ -313,7 +314,7 @@ PEM_def_callback(char *buf, int num, int w, void *key)
 {
     int i,j;
     const char *prompt;
-    
+
     if (key) {
 	i = strlen(key);
 	i = (i > num) ? num : i;
@@ -341,3 +342,15 @@ PEM_def_callback(char *buf, int num, int w, void *key)
 }
 #endif
 
+#if !defined(HAVE_ASN1_PUT_EOC)
+int
+ASN1_put_eoc(unsigned char **pp)
+{
+    unsigned char *p = *pp;
+    *p++ = 0;
+    *p++ = 0;
+    *pp = p;
+    return 2;
+}
+#endif
+

data/ext/rubysl/openssl/openssl_missing.h

@@ -28,42 +28,42 @@ typedef int i2d_of_void();
 
 #if !defined(PEM_read_bio_DSAPublicKey)
 # define PEM_read_bio_DSAPublicKey(bp,x,cb,u) (DSA *)PEM_ASN1_read_bio( \
-        (void *(*)())d2i_DSAPublicKey,PEM_STRING_DSA_PUBLIC,bp,(void **)x,cb,u)
+        (d2i_of_void *)d2i_DSAPublicKey,PEM_STRING_DSA_PUBLIC,(bp),(void **)(x),(cb),(u))
 #endif
 
 #if !defined(PEM_write_bio_DSAPublicKey)
 # define PEM_write_bio_DSAPublicKey(bp,x) \
 	PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPublicKey,\
 		PEM_STRING_DSA_PUBLIC,\
-		bp,(char *)x, NULL, NULL, 0, NULL, NULL)
+		(bp),(char *)(x), NULL, NULL, 0, NULL, NULL)
 #endif
 
 #if !defined(DSAPrivateKey_dup)
 # define DSAPrivateKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPrivateKey, \
-	(void *(*)())d2i_DSAPrivateKey,(void *)dsa)
+	(d2i_of_void *)d2i_DSAPrivateKey,(char *)(dsa))
 #endif
 
 #if !defined(DSAPublicKey_dup)
 # define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup((i2d_of_void *)i2d_DSAPublicKey, \
-	(void *(*)())d2i_DSAPublicKey,(void *)dsa)
+	(d2i_of_void *)d2i_DSAPublicKey,(char *)(dsa))
 #endif
 
 #if !defined(X509_REVOKED_dup)
 # define X509_REVOKED_dup(rev) (X509_REVOKED *)ASN1_dup((i2d_of_void *)i2d_X509_REVOKED, \
-	(void *(*)())d2i_X509_REVOKED, (void *)rev)
+	(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
 #endif
 
 #if !defined(PKCS7_SIGNER_INFO_dup)
 #  define PKCS7_SIGNER_INFO_dup(si) (PKCS7_SIGNER_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_SIGNER_INFO, \
-	(void *(*)())d2i_PKCS7_SIGNER_INFO, (void *)si)
+	(d2i_of_void *)d2i_PKCS7_SIGNER_INFO, (char *)(si))
 #endif
 
 #if !defined(PKCS7_RECIP_INFO_dup)
 #  define PKCS7_RECIP_INFO_dup(ri) (PKCS7_RECIP_INFO *)ASN1_dup((i2d_of_void *)i2d_PKCS7_RECIP_INFO, \
-	(void *(*)())d2i_PKCS7_RECIP_INFO, (void *)ri)
+	(d2i_of_void *)d2i_PKCS7_RECIP_INFO, (char *)(ri))
 #endif
 
-#if !defined(HAVE_EVP_MD_CTX_INIT)
+#if !defined(HAVE_HMAC_CTX_INIT)
 void HMAC_CTX_init(HMAC_CTX *ctx);
 #endif
 
@@ -96,17 +96,17 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, EVP_CIPHER_CTX *in);
 #endif
 
 #if !defined(HAVE_EVP_DIGESTINIT_EX)
-#  define EVP_DigestInit_ex(ctx, md, engine) EVP_DigestInit(ctx, md)
+#  define EVP_DigestInit_ex(ctx, md, engine) EVP_DigestInit((ctx), (md))
 #endif
 #if !defined(HAVE_EVP_DIGESTFINAL_EX)
-#  define EVP_DigestFinal_ex(ctx, buf, len) EVP_DigestFinal(ctx, buf, len)
+#  define EVP_DigestFinal_ex(ctx, buf, len) EVP_DigestFinal((ctx), (buf), (len))
 #endif
 
 #if !defined(HAVE_EVP_CIPHERINIT_EX)
-#  define EVP_CipherInit_ex(ctx, type, impl, key, iv, enc) EVP_CipherInit(ctx, type, key, iv, enc)
+#  define EVP_CipherInit_ex(ctx, type, impl, key, iv, enc) EVP_CipherInit((ctx), (type), (key), (iv), (enc))
 #endif
 #if !defined(HAVE_EVP_CIPHERFINAL_EX)
-#  define EVP_CipherFinal_ex(ctx, outm, outl) EVP_CipherFinal(ctx, outm, outl)
+#  define EVP_CipherFinal_ex(ctx, outm, outl) EVP_CipherFinal((ctx), (outm), (outl))
 #endif
 
 #if !defined(EVP_CIPHER_name)
@@ -118,7 +118,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, EVP_CIPHER_CTX *in);
 #endif
 
 #if !defined(HAVE_EVP_HMAC_INIT_EX)
-#  define HMAC_Init_ex(ctx, key, len, digest, engine) HMAC_Init(ctx, key, len, digest)
+#  define HMAC_Init_ex(ctx, key, len, digest, engine) HMAC_Init((ctx), (key), (len), (digest))
 #endif
 
 #if !defined(PKCS7_is_detached)
@@ -130,11 +130,14 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, EVP_CIPHER_CTX *in);
 #endif
 
 #if !defined(HAVE_OPENSSL_CLEANSE)
-#define OPENSSL_cleanse(p, l) memset(p, 0, l)
+#define OPENSSL_cleanse(p, l) memset((p), 0, (l))
 #endif
 
-#if !defined(HAVE_X509_STORE_SET_EX_DATA)
+#if !defined(HAVE_X509_STORE_GET_EX_DATA)
 void *X509_STORE_get_ex_data(X509_STORE *str, int idx);
+#endif
+
+#if !defined(HAVE_X509_STORE_SET_EX_DATA)
 int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data);
 #endif
 
@@ -182,6 +185,10 @@ char *CONF_get1_default_config_file(void);
 int PEM_def_callback(char *buf, int num, int w, void *key);
 #endif
 
+#if !defined(HAVE_ASN1_PUT_EOC)
+int ASN1_put_eoc(unsigned char **pp);
+#endif
+
 #if defined(__cplusplus)
 }
 #endif

data/ext/rubysl/openssl/ossl.c

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl.c 28367 2010-06-21 09:18:59Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -15,7 +15,7 @@
  * String to HEXString conversion
  */
 int
-string2hex(char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
+string2hex(const unsigned char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
 {
     static const char hex[]="0123456789abcdef";
     int i, len = 2 * buf_len;
@@ -47,48 +47,53 @@ string2hex(char *buf, int buf_len, char **hexbuf, int *hexbuf_len)
 /*
  * Data Conversion
  */
-STACK_OF(X509) *
-ossl_x509_ary2sk0(VALUE ary)  
-{
-    STACK_OF(X509) *sk;
-    VALUE val;
-    X509 *x509;
-    int i;
-
-    Check_Type(ary, T_ARRAY);
-    sk = sk_X509_new_null();
-    if (!sk) ossl_raise(eOSSLError, NULL); 
-
-    for (i = 0; i < RARRAY_LEN(ary); i++) {
-        val = rb_ary_entry(ary, i);
-        if (!rb_obj_is_kind_of(val, cX509Cert)) {
-            sk_X509_pop_free(sk, X509_free);
-            ossl_raise(eOSSLError, "object not X509 cert in array"); 
-        }
-        x509 = DupX509CertPtr(val); /* NEED TO DUP */
-        sk_X509_push(sk, x509);
-    }
-    return sk;
-}
-
-STACK_OF(X509) *
-ossl_protect_x509_ary2sk(VALUE ary, int *status)
-{
-    return (STACK_OF(X509)*)rb_protect((VALUE(*)_((VALUE)))ossl_x509_ary2sk0,
-				       ary, status);
-}
-
-STACK_OF(X509) *
-ossl_x509_ary2sk(VALUE ary)
-{
-    STACK_OF(X509) *sk;
-    int status = 0;
-
-    sk = ossl_protect_x509_ary2sk(ary, &status);
-    if(status) rb_jump_tag(status);
-
-    return sk;
+#define OSSL_IMPL_ARY2SK(name, type, expected_class, dup)	\
+STACK_OF(type) *						\
+ossl_##name##_ary2sk0(VALUE ary)				\
+{								\
+    STACK_OF(type) *sk;						\
+    VALUE val;							\
+    type *x;							\
+    int i;							\
+    								\
+    Check_Type(ary, T_ARRAY);					\
+    sk = sk_##type##_new_null();				\
+    if (!sk) ossl_raise(eOSSLError, NULL);			\
+    								\
+    for (i = 0; i < RARRAY_LEN(ary); i++) {			\
+	val = rb_ary_entry(ary, i);				\
+	if (!rb_obj_is_kind_of(val, expected_class)) {		\
+	    sk_##type##_pop_free(sk, type##_free);		\
+	    ossl_raise(eOSSLError, "object in array not"	\
+		       " of class ##type##");			\
+	}							\
+	x = dup(val); /* NEED TO DUP */				\
+	sk_##type##_push(sk, x);				\
+    }								\
+    return sk;							\
+}								\
+								\
+STACK_OF(type) *						\
+ossl_protect_##name##_ary2sk(VALUE ary, int *status)		\
+{								\
+    return (STACK_OF(type)*)rb_protect(				\
+	    (VALUE(*)_((VALUE)))ossl_##name##_ary2sk0,		\
+	    ary,						\
+	    status);						\
+}								\
+								\
+STACK_OF(type) *						\
+ossl_##name##_ary2sk(VALUE ary)					\
+{								\
+    STACK_OF(type) *sk;						\
+    int status = 0;						\
+    								\
+    sk = ossl_protect_##name##_ary2sk(ary, &status);		\
+    if (status) rb_jump_tag(status);				\
+								\
+    return sk;							\
 }
+OSSL_IMPL_ARY2SK(x509, X509, cX509Cert, DupX509CertPtr)
 
 #define OSSL_IMPL_SK2ARY(name, type)	        \
 VALUE						\
@@ -117,6 +122,7 @@ ossl_##name##_sk2ary(STACK_OF(type) *sk)	\
 }
 OSSL_IMPL_SK2ARY(x509, X509)
 OSSL_IMPL_SK2ARY(x509crl, X509_CRL)
+OSSL_IMPL_SK2ARY(x509name, X509_NAME)
 
 static VALUE
 ossl_str_new(int size)
@@ -143,7 +149,7 @@ ossl_buf2str(char *buf, int len)
  */
 static VALUE
 ossl_pem_passwd_cb0(VALUE flag)
-{	
+{
     VALUE pass;
 
     pass = rb_yield(flag);
@@ -157,7 +163,7 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd)
 {
     int len, status = 0;
     VALUE rflag, pass;
-    
+
     if (pwd || !rb_block_given_p())
 	return PEM_def_callback(buf, max_len, flag, pwd);
 
@@ -169,8 +175,12 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd)
 	 */
 	rflag = flag ? Qtrue : Qfalse;
 	pass  = rb_protect(ossl_pem_passwd_cb0, rflag, &status);
-	if (status) return -1; /* exception was raised. */
-	len = RSTRING_LEN(pass);
+	if (status) {
+	    /* ignore an exception raised. */
+	    rb_set_errinfo(Qnil);
+	    return -1;
+	}
+	len = RSTRING_LENINT(pass);
 	if (len < 4) { /* 4 is OpenSSL hardcoded limit */
 	    rb_warning("password must be longer than 4 bytes");
 	    continue;
@@ -192,12 +202,12 @@ int ossl_verify_cb_idx;
 
 VALUE
 ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args)
-{   
+{
     return rb_funcall(args->proc, rb_intern("call"), 2,
                       args->preverify_ok, args->store_ctx);
 }
- 
-int 
+
+int
 ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
 {
     VALUE proc, rctx, ret;
@@ -210,15 +220,23 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
     if ((void*)proc == 0)
 	return ok;
     if (!NIL_P(proc)) {
+	ret = Qfalse;
 	rctx = rb_protect((VALUE(*)(VALUE))ossl_x509stctx_new,
 			  (VALUE)ctx, &state);
-	ret = Qfalse;
-	if (!state) {
+	if (state) {
+	    rb_set_errinfo(Qnil);
+	    rb_warn("StoreContext initialization failure");
+	}
+	else {
 	    args.proc = proc;
 	    args.preverify_ok = ok ? Qtrue : Qfalse;
 	    args.store_ctx = rctx;
-	    ret = rb_ensure(ossl_call_verify_cb_proc, (VALUE)&args,
-			    ossl_x509stctx_clear_ptr, rctx);
+	    ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
+	    if (state) {
+		rb_set_errinfo(Qnil);
+		rb_warn("exception in verify_callback is ignored");
+	    }
+	    ossl_x509stctx_clear_ptr(rctx);
 	}
 	if (ret == Qtrue) {
 	    X509_STORE_CTX_set_error(ctx, X509_V_OK);
@@ -302,7 +320,7 @@ ossl_make_error(VALUE exc, const char *fmt, va_list args)
     }
     ERR_clear_error();
 
-    if(len > BUFSIZ) len = strlen(buf);
+    if(len > BUFSIZ) len = rb_long2int(strlen(buf));
     return rb_exc_new(exc, buf, len);
 }
 
@@ -360,7 +378,7 @@ void
 ossl_debug(const char *fmt, ...)
 {
     va_list args;
-	
+
     if (dOSSL == Qtrue) {
 	fprintf(stderr, "OSSL_DEBUG: ");
 	va_start(args, fmt);
@@ -393,7 +411,7 @@ ossl_debug_set(VALUE self, VALUE val)
 {
     VALUE old = dOSSL;
     dOSSL = val;
-	
+
     if (old != dOSSL) {
 	if (dOSSL == Qtrue) {
 	    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
@@ -406,6 +424,40 @@ ossl_debug_set(VALUE self, VALUE val)
     return val;
 }
 
+/*
+ * call-seq:
+ *   OpenSSL.fips_mode = boolean -> boolean
+ *
+ * Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
+ * effect for FIPS-capable installations of the OpenSSL library. Trying to do
+ * so otherwise will result in an error.
+ *
+ * === Examples
+ *
+ * OpenSSL.fips_mode = true   # turn FIPS mode on
+ * OpenSSL.fips_mode = false  # and off again
+ */
+static VALUE
+ossl_fips_mode_set(VALUE self, VALUE enabled)
+{
+
+#ifdef HAVE_OPENSSL_FIPS
+    if (RTEST(enabled)) {
+	int mode = FIPS_mode();
+	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+	    ossl_raise(eOSSLError, "Turning on FIPS mode failed");
+    } else {
+	if(!FIPS_mode_set(0)) /* turning off twice is OK */
+	    ossl_raise(eOSSLError, "Turning off FIPS mode failed");
+    }
+    return enabled;
+#else
+    if (RTEST(enabled))
+	ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
+    return enabled;
+#endif
+}
+
 /**
  * Stores locks needed for OpenSSL thread safety
  */
@@ -439,7 +491,485 @@ static void Init_ossl_locks(void)
 }
 
 /*
- * OSSL library init
+ * OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
+ * OpenSSL[http://www.openssl.org/] library.
+ *
+ * = Examples
+ *
+ * All examples assume you have loaded OpenSSL with:
+ *
+ *   require 'openssl'
+ *
+ * These examples build atop each other.  For example the key created in the
+ * next is used in throughout these examples.
+ *
+ * == Keys
+ *
+ * === Creating a Key
+ *
+ * This example creates a 2048 bit RSA keypair and writes it to the current
+ * directory.
+ *
+ *   key = OpenSSL::PKey::RSA.new 2048
+ *
+ *   open 'private_key.pem', 'w' do |io| io.write key.to_pem end
+ *   open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
+ *
+ * === Exporting a Key
+ *
+ * Keys saved to disk without encryption are not secure as anyone who gets
+ * ahold of the key may use it unless it is encrypted.  In order to securely
+ * export a key you may export it with a pass phrase.
+ *
+ *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   pass_phrase = 'my secure pass phrase goes here'
+ *
+ *   key_secure = key.export cipher, pass_phrase
+ *
+ *   open 'private.secure.pem', 'w' do |io|
+ *     io.write key_secure
+ *   end
+ *
+ * OpenSSL::Cipher.ciphers returns a list of available ciphers.
+ *
+ * === Loading a Key
+ *
+ * A key can also be loaded from a file.
+ *
+ *   key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
+ *   key2.public? # => true
+ *
+ * or
+ *
+ *   key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
+ *   key3.private? # => false
+ *
+ * === Loading an Encrypted Key
+ *
+ * OpenSSL will prompt you for your pass phrase when loading an encrypted key.
+ * If you will not be able to type in the pass phrase you may provide it when
+ * loading the key:
+ *
+ *   key4_pem = File.read 'private.secure.pem'
+ *   key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
+ *
+ * == RSA Encryption
+ *
+ * RSA provides encryption and decryption using the public and private keys.
+ * You can use a variety of padding methods depending upon the intended use of
+ * encrypted data.
+ *
+ * === Encryption & Decryption
+ *
+ * Asymmetric public/private key encryption is slow and victim to attack in
+ * cases where it is used without padding or directly to encrypt larger chunks
+ * of data. Typical use cases for RSA encryption involve "wrapping" a symmetric
+ * key with the public key of the recipient who would "unwrap" that symmetric
+ * key again using their private key.
+ * The following illustrates a simplified example of such a key transport
+ * scheme. It shouldn't be used in practice, though, standardized protocols
+ * should always be preferred.
+ *
+ *   wrapped_key = key.public_encrypt key
+ *
+ * A symmetric key encrypted with the public key can only be decrypted with
+ * the corresponding private key of the recipient.
+ *
+ *   original_key = key.private_decrypt wrapped_key
+ *
+ * By default PKCS#1 padding will be used, but it is also possible to use
+ * other forms of padding, see PKey::RSA for further details.
+ *
+ * === Signatures
+ *
+ * Using "private_encrypt" to encrypt some data with the private key is
+ * equivalent to applying a digital signature to the data. A verifying
+ * party may validate the signature by comparing the result of decrypting
+ * the signature with "public_decrypt" to the original data. However,
+ * OpenSSL::PKey already has methods "sign" and "verify" that handle
+ * digital signatures in a standardized way - "private_encrypt" and
+ * "public_decrypt" shouldn't be used in practice.
+ *
+ * To sign a document, a cryptographically secure hash of the document is
+ * computed first, which is then signed using the private key.
+ *
+ *   digest = OpenSSL::Digest::SHA256.new
+ *   signature = key.sign digest, document
+ *
+ * To validate the signature, again a hash of the document is computed and
+ * the signature is decrypted using the public key. The result is then
+ * compared to the hash just computed, if they are equal the signature was
+ * valid.
+ *
+ *   digest = OpenSSL::Digest::SHA256.new
+ *   if key.verify digest, signature, document
+ *     puts 'Valid'
+ *   else
+ *     puts 'Invalid'
+ *   end
+ *
+ * == PBKDF2 Password-based Encryption
+ *
+ * If supported by the underlying OpenSSL version used, Password-based
+ * Encryption should use the features of PKCS5. If not supported or if
+ * required by legacy applications, the older, less secure methods specified
+ * in RFC 2898 are also supported (see below).
+ *
+ * PKCS5 supports PBKDF2 as it was specified in PKCS#5
+ * v2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a
+ * password, a salt, and additionally a number of iterations that will
+ * slow the key derivation process down. The slower this is, the more work
+ * it requires being able to brute-force the resulting key.
+ *
+ * === Encryption
+ *
+ * The strategy is to first instantiate a Cipher for encryption, and
+ * then to generate a random IV plus a key derived from the password
+ * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt,
+ * the number of iterations largely depends on the hardware being used.
+ *
+ *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher.encrypt
+ *   iv = cipher.random_iv
+ *
+ *   pwd = 'some hopefully not to easily guessable password'
+ *   salt = OpenSSL::Random.random_bytes 16
+ *   iter = 20000
+ *   key_len = cipher.key_len
+ *   digest = OpenSSL::Digest::SHA256.new
+ *
+ *   key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+ *   cipher.key = key
+ *
+ *   Now encrypt the data:
+ *
+ *   encrypted = cipher.update document
+ *   encrypted << cipher.final
+ *
+ * === Decryption
+ *
+ * Use the same steps as before to derive the symmetric AES key, this time
+ * setting the Cipher up for decryption.
+ *
+ *   cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   cipher.decrypt
+ *   cipher.iv = iv # the one generated with #random_iv
+ *
+ *   pwd = 'some hopefully not to easily guessable password'
+ *   salt = ... # the one generated above
+ *   iter = 20000
+ *   key_len = cipher.key_len
+ *   digest = OpenSSL::Digest::SHA256.new
+ *
+ *   key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+ *   cipher.key = key
+ *
+ *   Now decrypt the data:
+ *
+ *   decrypted = cipher.update encrypted
+ *   decrypted << cipher.final
+ *
+ * == PKCS #5 Password-based Encryption
+ *
+ * PKCS #5 is a password-based encryption standard documented at
+ * RFC2898[http://www.ietf.org/rfc/rfc2898.txt].  It allows a short password or
+ * passphrase to be used to create a secure encryption key. If possible, PBKDF2
+ * as described above should be used if the circumstances allow it.
+ *
+ * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption
+ * key.
+ *
+ *   pass_phrase = 'my secure pass phrase goes here'
+ *   salt = '8 octets'
+ *
+ * === Encryption
+ *
+ * First set up the cipher for encryption
+ *
+ *   encrypter = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   encrypter.encrypt
+ *   encrypter.pkcs5_keyivgen pass_phrase, salt
+ *
+ * Then pass the data you want to encrypt through
+ *
+ *   encrypted = encrypter.update 'top secret document'
+ *   encrypted << encrypter.final
+ *
+ * === Decryption
+ *
+ * Use a new Cipher instance set up for decryption
+ *
+ *   decrypter = OpenSSL::Cipher.new 'AES-128-CBC'
+ *   decrypter.decrypt
+ *   decrypter.pkcs5_keyivgen pass_phrase, salt
+ *
+ * Then pass the data you want to decrypt through
+ *
+ *   plain = decrypter.update encrypted
+ *   plain << decrypter.final
+ *
+ * == X509 Certificates
+ *
+ * === Creating a Certificate
+ *
+ * This example creates a self-signed certificate using an RSA key and a SHA1
+ * signature.
+ *
+ *   name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
+ *
+ *   cert = OpenSSL::X509::Certificate.new
+ *   cert.version = 2
+ *   cert.serial = 0
+ *   cert.not_before = Time.now
+ *   cert.not_after = Time.now + 3600
+ *
+ *   cert.public_key = key.public_key
+ *   cert.subject = name
+ *
+ * === Certificate Extensions
+ *
+ * You can add extensions to the certificate with
+ * OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
+ *
+ *   extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
+ *
+ *   cert.add_extension \
+ *     extension_factory.create_extension('basicConstraints', 'CA:FALSE', true)
+ *
+ *   cert.add_extension \
+ *     extension_factory.create_extension(
+ *       'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
+ *
+ *   cert.add_extension \
+ *     extension_factory.create_extension('subjectKeyIdentifier', 'hash')
+ *
+ * The list of supported extensions (and in some cases their possible values)
+ * can be derived from the "objects.h" file in the OpenSSL source code.
+ *
+ * === Signing a Certificate
+ *
+ * To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
+ * with a digest algorithm.  This creates a self-signed cert because we're using
+ * the same name and key to sign the certificate as was used to create the
+ * certificate.
+ *
+ *   cert.issuer = name
+ *   cert.sign key, OpenSSL::Digest::SHA1.new
+ *
+ *   open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
+ *
+ * === Loading a Certificate
+ *
+ * Like a key, a cert can also be loaded from a file.
+ *
+ *   cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem'
+ *
+ * === Verifying a Certificate
+ *
+ * Certificate#verify will return true when a certificate was signed with the
+ * given public key.
+ *
+ *   raise 'certificate can not be verified' unless cert2.verify key
+ *
+ * == Certificate Authority
+ *
+ * A certificate authority (CA) is a trusted third party that allows you to
+ * verify the ownership of unknown certificates.  The CA issues key signatures
+ * that indicate it trusts the user of that key.  A user encountering the key
+ * can verify the signature by using the CA's public key.
+ *
+ * === CA Key
+ *
+ * CA keys are valuable, so we encrypt and save it to disk and make sure it is
+ * not readable by other users.
+ *
+ *   ca_key = OpenSSL::PKey::RSA.new 2048
+ *
+ *   cipher = OpenSSL::Cipher::Cipher.new 'AES-128-CBC'
+ *
+ *   open 'ca_key.pem', 'w', 0400 do |io|
+ *     io.write key.export(cipher, pass_phrase)
+ *   end
+ *
+ * === CA Certificate
+ *
+ * A CA certificate is created the same way we created a certificate above, but
+ * with different extensions.
+ *
+ *   ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+ *
+ *   ca_cert = OpenSSL::X509::Certificate.new
+ *   ca_cert.serial = 0
+ *   ca_cert.version = 2
+ *   ca_cert.not_before = Time.now
+ *   ca_cert.not_after = Time.now + 86400
+ *
+ *   ca_cert.public_key = ca_key.public_key
+ *   ca_cert.subject = ca_name
+ *   ca_cert.issuer = ca_name
+ *
+ *   extension_factory = OpenSSL::X509::ExtensionFactory.new
+ *   extension_factory.subject_certificate = ca_cert
+ *   extension_factory.issuer_certificate = ca_cert
+ *
+ *   ca_cert.add_extension \
+ *     extension_factory.create_extension('subjectKeyIdentifier', 'hash')
+ *
+ * This extension indicates the CA's key may be used as a CA.
+ *
+ *   ca_cert.add_extension \
+ *     extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)
+ *
+ * This extension indicates the CA's key may be used to verify signatures on
+ * both certificates and certificate revocations.
+ *
+ *   ca_cert.add_extension \
+ *     extension_factory.create_extension(
+ *       'keyUsage', 'cRLSign,keyCertSign', true)
+ *
+ * Root CA certificates are self-signed.
+ *
+ *   ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ *
+ * The CA certificate is saved to disk so it may be distributed to all the
+ * users of the keys this CA will sign.
+ *
+ *   open 'ca_cert.pem', 'w' do |io|
+ *     io.write ca_cert.to_pem
+ *   end
+ *
+ * === Certificate Signing Request
+ *
+ * The CA signs keys through a Certificate Signing Request (CSR).  The CSR
+ * contains the information necessary to identify the key.
+ *
+ *   csr = OpenSSL::X509::Request.new
+ *   csr.version = 0
+ *   csr.subject = name
+ *   csr.public_key = key.public_key
+ *   csr.sign key, OpenSSL::Digest::SHA1.new
+ *
+ * A CSR is saved to disk and sent to the CA for signing.
+ *
+ *   open 'csr.pem', 'w' do |io|
+ *     io.write csr.to_pem
+ *   end
+ *
+ * === Creating a Certificate from a CSR
+ *
+ * Upon receiving a CSR the CA will verify it before signing it.  A minimal
+ * verification would be to check the CSR's signature.
+ *
+ *   csr = OpenSSL::X509::Request.new File.read 'csr.pem'
+ *
+ *   raise 'CSR can not be verified' unless csr.verify csr.public_key
+ *
+ * After verification a certificate is created, marked for various usages,
+ * signed with the CA key and returned to the requester.
+ *
+ *   csr_cert = OpenSSL::X509::Certificate.new
+ *   csr_cert.serial = 0
+ *   csr_cert.version = 2
+ *   csr_cert.not_before = Time.now
+ *   csr_cert.not_after = Time.now + 600
+ *
+ *   csr_cert.subject = csr.subject
+ *   csr_cert.public_key = csr.public_key
+ *   csr_cert.issuer = ca_cert.subject
+ *
+ *   extension_factory = OpenSSL::X509::ExtensionFactory.new
+ *   extension_factory.subject_certificate = csr_cert
+ *   extension_factory.issuer_certificate = ca_cert
+ *
+ *   csr_cert.add_extension \
+ *     extension_factory.create_extension('basicConstraints', 'CA:FALSE')
+ *
+ *   csr_cert.add_extension \
+ *     extension_factory.create_extension(
+ *       'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
+ *
+ *   csr_cert.add_extension \
+ *     extension_factory.create_extension('subjectKeyIdentifier', 'hash')
+ *
+ *   csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ *
+ *   open 'csr_cert.pem', 'w' do |io|
+ *     io.write csr_cert.to_pem
+ *   end
+ *
+ * == SSL and TLS Connections
+ *
+ * Using our created key and certificate we can create an SSL or TLS connection.
+ * An SSLContext is used to set up an SSL session.
+ *
+ *   context = OpenSSL::SSL::SSLContext.new
+ *
+ * === SSL Server
+ *
+ * An SSL server requires the certificate and private key to communicate
+ * securely with its clients:
+ *
+ *   context.cert = cert
+ *   context.key = key
+ *
+ * Then create an SSLServer with a TCP server socket and the context.  Use the
+ * SSLServer like an ordinary TCP server.
+ *
+ *   require 'socket'
+ *
+ *   tcp_server = TCPServer.new 5000
+ *   ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context
+ *
+ *   loop do
+ *     ssl_connection = ssl_server.accept
+ *
+ *     data = connection.gets
+ *
+ *     response = "I got #{data.dump}"
+ *     puts response
+ *
+ *     connection.puts "I got #{data.dump}"
+ *     connection.close
+ *   end
+ *
+ * === SSL client
+ *
+ * An SSL client is created with a TCP socket and the context.
+ * SSLSocket#connect must be called to initiate the SSL handshake and start
+ * encryption.  A key and certificate are not required for the client socket.
+ *
+ *   require 'socket'
+ *
+ *   tcp_client = TCPSocket.new 'localhost', 5000
+ *   ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
+ *   ssl_client.connect
+ *
+ *   ssl_client.puts "hello server!"
+ *   puts ssl_client.gets
+ *
+ * === Peer Verification
+ *
+ * An unverified SSL connection does not provide much security.  For enhanced
+ * security the client or server can verify the certificate of its peer.
+ *
+ * The client can be modified to verify the server's certificate against the
+ * certificate authority's certificate:
+ *
+ *   context.ca_file = 'ca_cert.pem'
+ *   context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ *
+ *   require 'socket'
+ *
+ *   tcp_client = TCPSocket.new 'localhost', 5000
+ *   ssl_client = OpenSSL::SSL::SSLSocket.new client_socket, context
+ *   ssl_client.connect
+ *
+ *   ssl_client.puts "hello server!"
+ *   puts ssl_client.gets
+ *
+ * If the server certificate is invalid or <tt>context.ca_file</tt> is not set
+ * when verifying peers an OpenSSL::SSL::SSLError will be raised.
+ *
  */
 void
 Init_openssl()
@@ -482,12 +1012,31 @@ Init_openssl()
     rb_global_variable(&mOSSL);
 
     /*
-     * Constants
+     * OpenSSL ruby extension version
      */
     rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION));
+
+    /*
+     * Version of OpenSSL the ruby OpenSSL extension was built with
+     */
     rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
+
+    /*
+     * Version number of OpenSSL the ruby OpenSSL extension was built with
+     * (base 16)
+     */
     rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
 
+    /*
+     * Boolean indicating whether OpenSSL is FIPS-enabled or not
+     */
+#ifdef HAVE_OPENSSL_FIPS
+    rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
+#else
+    rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
+#endif
+    rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
+
     /*
      * Generic error,
      * common for all classes under OpenSSL module
@@ -498,7 +1047,7 @@ Init_openssl()
     /*
      * Verify callback Proc index for ext-data
      */
-    if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, "ossl_verify_cb_idx", 0, 0, 0)) < 0)
+    if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0)
         ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index");
 
     /*
@@ -544,7 +1093,7 @@ Init_openssl()
  * Check if all symbols are OK with 'make LDSHARED=gcc all'
  */
 int
-main(int argc, char *argv[], char *env[])
+main(int argc, char *argv[])
 {
     return 0;
 }