authorKazuki Yamaguchi <k@rhe.jp>2016-08-26 01:53:27 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-08-26 02:12:37 +0900
commitbb170849428dab1463a8e6ec6109beb0d9da0058 (patch)
tree310d1b4d1e6082ddfc0bdf11ae44a673e2c56c26
parenta3311831a1b16beea04cd716769def7bd9887bd3 (diff)
downloadruby-openssl-bb170849428dab1463a8e6ec6109beb0d9da0058.tar.gz
Adapt to OpenSSL changes after the 1.1.0-pre6
Fix compiler errors and warnings. The order of parameters of X509_{CRL,REQ}_get0_signature() has been changed, and certificate and CRL time accessors have been reorganized: *_get_* functions are deprecated and replaced by *_get0_* that return a const pointer.
-rw-r--r--ext/openssl/extconf.rb1
-rw-r--r--ext/openssl/openssl_missing.c6
-rw-r--r--ext/openssl/openssl_missing.h11
-rw-r--r--ext/openssl/ossl_ocsp.c4
-rw-r--r--ext/openssl/ossl_x509cert.c26
-rw-r--r--ext/openssl/ossl_x509crl.c35
-rw-r--r--ext/openssl/ossl_x509req.c4
-rw-r--r--ext/openssl/ossl_x509revoked.c19
8 files changed, 67 insertions, 39 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index ad92a287..bf784286 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -147,6 +147,7 @@ have_func("EVP_PKEY_up_ref")
OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed
OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
have_func("SSL_CTX_get_security_level")
+have_func("X509_get0_notBefore")
Logging::message "=== Checking done. ===\n"
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index cb22647c..cc13b7a3 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -150,7 +150,8 @@ HMAC_CTX_free(HMAC_CTX *ctx)
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
void
-X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl)
+X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = crl->signature;
@@ -161,7 +162,8 @@ X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
void
-X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req)
+X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
+ const X509_ALGOR **palg)
{
if (psig != NULL)
*psig = req->signature;
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index d2fdce16..897d6235 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -110,11 +110,11 @@ void HMAC_CTX_free(HMAC_CTX *ctx);
#endif
#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
-void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl);
+void X509_CRL_get0_signature(const X509_CRL *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
-void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req);
+void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, const X509_ALGOR **);
#endif
#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
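Review bot: The rewritten prototypes for `X509_CRL_get0_signature` and `X509_REQ_get0_signature` drop the parameter names that the old declarations carried. Because this commit reorders the arguments, keeping the names would make the new order readable from the header alone, e.g. `void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg);`, and likewise with `req` for the REQ variant. This is a style point only; the definitions in openssl_missing.c already use these names.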
@@ -234,4 +234,11 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
#endif
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+# define X509_get0_notBefore(x) X509_get_notBefore(x)
+# define X509_get0_notAfter(x) X509_get_notAfter(x)
+# define X509_CRL_get0_lastUpdate(x) X509_CRL_get_lastUpdate(x)
+# define X509_CRL_get0_nextUpdate(x) X509_CRL_get_nextUpdate(x)
+#endif
+
#endif /* _OSSL_OPENSSL_MISSING_H_ */
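Review bot: The new `HAVE_X509_GET0_NOTBEFORE` guard defines four fallback macros, but extconf.rb probes only `X509_get0_notBefore`, so the block relies on all four accessors arriving in the same OpenSSL release. A one-line comment above the guard would record that assumption, e.g. `/* one probe covers all four *_get0_* time accessors; assumed to be introduced together */`. On the fallback path the macros expand to the old `*_get_*` accessors, so const-ness is enforced only by the type of the variable each caller assigns to. Presumably those older accessors return non-const pointers; confirm against the older headers.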
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 6fa71be5..fc6ba503 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -914,7 +914,7 @@ ossl_ocspbres_get_status(VALUE self)
status = OCSP_single_get0_status(single, &reason, &revtime,
&thisupd, &nextupd);
if(status < 0) continue;
- if(!(cid = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(single))))
+ if(!(cid = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(single)))) /* FIXME */
ossl_raise(eOCSPError, NULL);
ary = rb_ary_new();
rb_ary_push(ary, ossl_ocspcertid_new(cid));
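Review bot: The `(OCSP_CERTID *)` cast on the changed line in `ossl_ocspbres_get_status` discards the const qualifier from the pointer returned by `OCSP_SINGLERESP_get0_id()`, and the bare `/* FIXME */` does not say what is to be fixed or when the cast can be removed. The same cast and marker appear in the `ossl_ocspsres_get_certid` hunk. I would spell the reason out, e.g. `/* FIXME: cast drops const because OCSP_CERTID_dup() takes a non-const pointer; remove once it accepts const */`, assuming that is the reason. The enclosing function starts and ends outside this hunk.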
@@ -1279,7 +1279,7 @@ ossl_ocspsres_get_certid(VALUE self)
OCSP_CERTID *id;
GetOCSPSingleRes(self, sres);
- id = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(sres));
+ id = OCSP_CERTID_dup((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sres)); /* FIXME */
return ossl_ocspcertid_new(id);
}
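Review bot: In `ossl_ocspsres_get_certid` the result of `OCSP_CERTID_dup()` is passed to `ossl_ocspcertid_new()` without a NULL check, whereas the `ossl_ocspbres_get_status` hunk raises `eOCSPError` when the same dup fails. Unless `ossl_ocspcertid_new()` rejects NULL itself (not visible here), a failed allocation would end up wrapped in a Ruby object. I would add `if (!id) ossl_raise(eOCSPError, "OCSP_CERTID_dup");` before the return. The function begins above the hunk.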
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index 6ddb2303..ad1126d4 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -456,10 +456,10 @@ static VALUE
ossl_x509_get_not_before(VALUE self)
{
X509 *x509;
- ASN1_UTCTIME *asn1time;
+ const ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!(asn1time = X509_get_notBefore(x509))) { /* NO DUP - don't free! */
+ if (!(asn1time = X509_get0_notBefore(x509))) {
ossl_raise(eX509CertError, NULL);
}
@@ -474,10 +474,15 @@ static VALUE
ossl_x509_set_not_before(VALUE self, VALUE time)
{
X509 *x509;
+ ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
- ossl_raise(eX509CertError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_set_notBefore(x509, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CertError, "X509_set_notBefore");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
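Review bot: In `ossl_x509_set_not_before` the return value of `ossl_x509_time_adjust(NULL, time)` is no longer checked; the removed code raised when it returned a false value, which suggests the helper can fail. As written, a NULL `asn1time` is handed to `X509_set_notBefore()`, and if that call rejects it the error is reported as "X509_set_notBefore" rather than as a time-conversion failure. I would add `if (!asn1time) ossl_raise(eX509CertError, NULL);` right after the assignment. The same pattern is in `ossl_x509_set_not_after`, `ossl_x509crl_set_last_update`, `ossl_x509crl_set_next_update` and `ossl_x509revoked_set_time`, each with its own error class.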
@@ -490,10 +495,10 @@ static VALUE
ossl_x509_get_not_after(VALUE self)
{
X509 *x509;
- ASN1_TIME *asn1time;
+ const ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!(asn1time = X509_get_notAfter(x509))) { /* NO DUP - don't free! */
+ if (!(asn1time = X509_get0_notAfter(x509))) {
ossl_raise(eX509CertError, NULL);
}
@@ -508,10 +513,15 @@ static VALUE
ossl_x509_set_not_after(VALUE self, VALUE time)
{
X509 *x509;
+ ASN1_TIME *asn1time;
GetX509(self, x509);
- if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
- ossl_raise(eX509CertError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_set_notAfter(x509, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CertError, "X509_set_notAfter");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index 454c0440..0ff5d2f8 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -180,7 +180,7 @@ static VALUE
ossl_x509crl_get_signature_algorithm(VALUE self)
{
X509_CRL *crl;
- X509_ALGOR *alg;
+ const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@@ -189,7 +189,7 @@ ossl_x509crl_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509CRLError, NULL);
}
- X509_CRL_get0_signature(NULL, &alg, crl);
+ X509_CRL_get0_signature(crl, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509CRLError, NULL);
@@ -230,17 +230,22 @@ ossl_x509crl_get_last_update(VALUE self)
GetX509CRL(self, crl);
- return asn1time_to_time(X509_CRL_get_lastUpdate(crl));
+ return asn1time_to_time(X509_CRL_get0_lastUpdate(crl));
}
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
X509_CRL *crl;
+ ASN1_TIME *asn1time;
GetX509CRL(self, crl);
- if (!ossl_x509_time_adjust(X509_CRL_get_lastUpdate(crl), time))
- ossl_raise(eX509CRLError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_CRL_set_lastUpdate(crl, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}
@@ -252,28 +257,22 @@ ossl_x509crl_get_next_update(VALUE self)
GetX509CRL(self, crl);
- return asn1time_to_time(X509_CRL_get_nextUpdate(crl));
+ return asn1time_to_time(X509_CRL_get0_nextUpdate(crl));
}
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
- ASN1_TIME *orig, *new;
+ ASN1_TIME *asn1time;
GetX509CRL(self, crl);
- /* orig may be NULL at this time; in this case a new ASN1_TIME is created */
- orig = X509_CRL_get_nextUpdate(crl);
- new = ossl_x509_time_adjust(orig, time);
-
- if (!X509_CRL_set_nextUpdate(crl, new)) {
- if (!orig)
- ASN1_TIME_free(new);
- ossl_raise(eX509CRLError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
}
- /* X509_CRL_set_nextUpdate() dups when orig != new */
- if (!orig)
- ASN1_TIME_free(new);
+ ASN1_TIME_free(asn1time);
return time;
}
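Review bot: The comment removed from `ossl_x509crl_set_next_update` was the only place in this hunk recording that a CRL's nextUpdate may be NULL, and the getter above it now passes `X509_CRL_get0_nextUpdate(crl)` straight to `asn1time_to_time()`. Whether that helper accepts NULL is not visible here, so I would keep the knowledge as a comment on the getter, e.g. `/* nextUpdate is optional and may be NULL; asn1time_to_time() must handle that */`. The getter's body starts above the hunk.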
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
index 11cff733..d2619971 100644
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@@ -302,7 +302,7 @@ static VALUE
ossl_x509req_get_signature_algorithm(VALUE self)
{
X509_REQ *req;
- X509_ALGOR *alg;
+ const X509_ALGOR *alg;
BIO *out;
BUF_MEM *buf;
VALUE str;
@@ -312,7 +312,7 @@ ossl_x509req_get_signature_algorithm(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eX509ReqError, NULL);
}
- X509_REQ_get0_signature(NULL, &alg, req);
+ X509_REQ_get0_signature(req, NULL, &alg);
if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
BIO_free(out);
ossl_raise(eX509ReqError, NULL);
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index e5d59db2..7960ea34 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -142,11 +142,15 @@ static VALUE
ossl_x509revoked_set_serial(VALUE self, VALUE num)
{
X509_REVOKED *rev;
- ASN1_INTEGER *ai;
+ ASN1_INTEGER *asn1int;
GetX509Rev(self, rev);
- ai = X509_REVOKED_get0_serialNumber(rev);
- X509_REVOKED_set_serialNumber(rev, num_to_asn1integer(num, ai));
+ asn1int = num_to_asn1integer(num, NULL);
+ if (!X509_REVOKED_set_serialNumber(rev, asn1int)) {
+ ASN1_INTEGER_free(asn1int);
+ ossl_raise(eX509RevError, "X509_REVOKED_set_serialNumber");
+ }
+ ASN1_INTEGER_free(asn1int);
return num;
}
@@ -165,10 +169,15 @@ static VALUE
ossl_x509revoked_set_time(VALUE self, VALUE time)
{
X509_REVOKED *rev;
+ ASN1_TIME *asn1time;
GetX509Rev(self, rev);
- if (!ossl_x509_time_adjust(X509_REVOKED_get0_revocationDate(rev), time))
- ossl_raise(eX509RevError, NULL);
+ asn1time = ossl_x509_time_adjust(NULL, time);
+ if (!X509_REVOKED_set_revocationDate(rev, asn1time)) {
+ ASN1_TIME_free(asn1time);
+ ossl_raise(eX509RevError, "X509_REVOKED_set_revocationDate");
+ }
+ ASN1_TIME_free(asn1time);
return time;
}