authorKazuki Yamaguchi <k@rhe.jp>2016-06-29 22:23:58 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-06-29 22:25:32 +0900
commit08e1881f5663ceb3527c8953f353dfaef42062fb (patch)
tree8a463451deb2f751e9e15623800d4fbc17a8b4bd
parentdfed7a990d1f812a8d3efb84e644059c753187cc (diff)
parent32841963a3828cc40cd17462eae4d7fad96d418b (diff)
downloadruby-openssl-08e1881f5663ceb3527c8953f353dfaef42062fb.tar.gz
Merge changes from Ruby trunk r55457..r55538
* ruby-trunk r55457..r55538: (4 commits) (r55538) openssl: fix for OpenSSL 1.0.0t (r55523) * ext/digest/md5/md5ossl.h: Remove excess semicolons. Sup.. (r55503) Refine assertion (r55502) openssl: ignore test failure caused by LibreSSL bug Sync-with-trunk: r55538
-rw-r--r--ext/openssl/ossl_ocsp.c58
-rw-r--r--ext/openssl/ossl_pkey_rsa.c6
-rw-r--r--test/test_ocsp.rb14
3 files changed, 50 insertions, 28 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index bb5eb5a8..c0f2dfef 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -225,17 +225,20 @@ static VALUE
ossl_ocspreq_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
+ OCSP_REQUEST *req, *req_new;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if(!NIL_P(arg)){
- OCSP_REQUEST *req;
GetOCSPReq(self, req);
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_REQUEST(&req, &p, RSTRING_LEN(arg)))
- ossl_raise(eOCSPError, "cannot load DER encoded request");
+ req_new = d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg));
+ if (!req_new)
+ ossl_raise(eOCSPError, "d2i_OCSP_REQUEST");
+ SetOCSPReq(self, req_new);
+ OCSP_REQUEST_free(req);
}
return self;
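Review bot: After the new `d2i_OCSP_REQUEST(NULL, &p, RSTRING_LEN(arg))` call, `p` is left pointing just past the decoded structure but nothing compares it against the end of the input, so a DER string with trailing bytes is accepted silently; if strict parsing is intended, add `if (p - (const unsigned char *)RSTRING_PTR(arg) != RSTRING_LEN(arg)) ossl_raise(eOCSPError, "trailing data after DER encoded request");` before `SetOCSPReq`. The same pattern appears in the hunks at ossl_ocspres_initialize, ossl_ocspbres_initialize, ossl_ocspsres_initialize and the DER branch of ossl_ocspcid_initialize, so the check belongs in each or in a shared helper. Whether the leniency is deliberate (OpenSSL's d2i functions tolerate trailing data by design) is not visible here, so a one-line comment stating the choice would also do. The closing brace of ossl_ocspreq_initialize lies outside the hunk.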
@@ -536,17 +539,20 @@ static VALUE
ossl_ocspres_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
+ OCSP_RESPONSE *res, *res_new;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if(!NIL_P(arg)){
- OCSP_RESPONSE *res;
GetOCSPRes(self, res);
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_RESPONSE(&res, &p, RSTRING_LEN(arg)))
- ossl_raise(eOCSPError, "cannot load DER encoded response");
+ res_new = d2i_OCSP_RESPONSE(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new)
+ ossl_raise(eOCSPError, "d2i_OCSP_RESPONSE");
+ SetOCSPRes(self, res_new);
+ OCSP_RESPONSE_free(res);
}
return self;
@@ -688,17 +694,20 @@ static VALUE
ossl_ocspbres_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE arg;
+ OCSP_BASICRESP *res, *res_new;
const unsigned char *p;
rb_scan_args(argc, argv, "01", &arg);
if (!NIL_P(arg)) {
- OCSP_BASICRESP *res;
GetOCSPBasicRes(self, res);
arg = ossl_to_der_if_possible(arg);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_BASICRESP(&res, &p, RSTRING_LEN(arg)))
+ res_new = d2i_OCSP_BASICRESP(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new)
ossl_raise(eOCSPError, "d2i_OCSP_BASICRESP");
+ SetOCSPBasicRes(self, res_new);
+ OCSP_BASICRESP_free(res);
}
return self;
@@ -1127,7 +1136,7 @@ ossl_ocspsres_alloc(VALUE klass)
static VALUE
ossl_ocspsres_initialize(VALUE self, VALUE arg)
{
- OCSP_SINGLERESP *res;
+ OCSP_SINGLERESP *res, *res_new;
const unsigned char *p;
arg = ossl_to_der_if_possible(arg);
@@ -1135,8 +1144,11 @@ ossl_ocspsres_initialize(VALUE self, VALUE arg)
GetOCSPSingleRes(self, res);
p = (unsigned char*)RSTRING_PTR(arg);
- if (!d2i_OCSP_SINGLERESP(&res, &p, RSTRING_LEN(arg)))
+ res_new = d2i_OCSP_SINGLERESP(NULL, &p, RSTRING_LEN(arg));
+ if (!res_new)
ossl_raise(eOCSPError, "d2i_OCSP_SINGLERESP");
+ SetOCSPSingleRes(self, res_new);
+ OCSP_SINGLERESP_free(res);
return self;
}
@@ -1432,9 +1444,7 @@ static VALUE
ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
{
OCSP_CERTID *id, *newid;
- X509 *x509s, *x509i;
VALUE subject, issuer, digest;
- const EVP_MD *md;
GetOCSPCertId(self, id);
if (rb_scan_args(argc, argv, "12", &subject, &issuer, &digest) == 1) {
@@ -1444,25 +1454,25 @@ ossl_ocspcid_initialize(int argc, VALUE *argv, VALUE self)
arg = ossl_to_der_if_possible(subject);
StringValue(arg);
p = (unsigned char *)RSTRING_PTR(arg);
- if (!d2i_OCSP_CERTID(&id, &p, RSTRING_LEN(arg)))
+ newid = d2i_OCSP_CERTID(NULL, &p, RSTRING_LEN(arg));
+ if (!newid)
ossl_raise(eOCSPError, "d2i_OCSP_CERTID");
-
- return self;
}
+ else {
+ X509 *x509s, *x509i;
+ const EVP_MD *md;
- x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
- x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
+ x509s = GetX509CertPtr(subject); /* NO NEED TO DUP */
+ x509i = GetX509CertPtr(issuer); /* NO NEED TO DUP */
+ md = !NIL_P(digest) ? GetDigestPtr(digest) : NULL;
- if (!NIL_P(digest)) {
- md = GetDigestPtr(digest);
newid = OCSP_cert_to_id(md, x509s, x509i);
- } else {
- newid = OCSP_cert_to_id(NULL, x509s, x509i);
+ if (!newid)
+ ossl_raise(eOCSPError, "OCSP_cert_to_id");
}
- if(!newid)
- ossl_raise(eOCSPError, NULL);
- OCSP_CERTID_free(id);
+
SetOCSPCertId(self, newid);
+ OCSP_CERTID_free(id);
return self;
}
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index 2326a70f..f1b4f04c 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -656,9 +656,9 @@ ossl_rsa_blinding_off(VALUE self)
}
*/
-OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d);
-OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q);
-OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp);
+OSSL_PKEY_BN_DEF3(rsa, RSA, key, n, e, d)
+OSSL_PKEY_BN_DEF2(rsa, RSA, factors, p, q)
+OSSL_PKEY_BN_DEF3(rsa, RSA, crt_params, dmp1, dmq1, iqmp)
/*
* INIT
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
index f1e34982..10f7c92d 100644
--- a/test/test_ocsp.rb
+++ b/test/test_ocsp.rb
@@ -140,6 +140,12 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal cid.to_der, asn1.value[0].value.find { |a| a.class == OpenSSL::ASN1::Sequence }.value[0].value[0].to_der
assert_equal OpenSSL::ASN1.Sequence([@cert2, @ca_cert]).to_der, asn1.value[3].value[0].to_der
assert_equal der, OpenSSL::OCSP::BasicResponse.new(der).to_der
+ rescue TypeError
+ if /GENERALIZEDTIME/ =~ $!.message
+ pend "OCSP_basic_sign() is broken"
+ else
+ raise
+ end
end
def test_basic_response_sign_verify
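Review bot: The new `rescue TypeError` pends the test on any TypeError whose message mentions GENERALIZEDTIME, regardless of which library is in use, so a real regression on OpenSSL would be reported as a pending LibreSSL bug. Gate the pend on the library actually being LibreSSL, e.g. `pend "OCSP_basic_sign() is broken" if /GENERALIZEDTIME/ =~ $!.message && /LibreSSL/ =~ OpenSSL::OPENSSL_LIBRARY_VERSION`, and `raise` otherwise; the later hunk that pends on `bres.responses[2].check_validity` attributes the failure to LibreSSL in its comment and could use the same guard. The `def` of the test method this rescue belongs to starts outside the hunk.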
@@ -177,7 +183,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
assert_equal OpenSSL::OCSP::V_CERTSTATUS_REVOKED, single.cert_status
assert_equal OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, single.revocation_reason
assert_equal now - 400, single.revocation_time
- assert_equal now - 300, single.this_update
+ assert_in_delta (now - 301), single.this_update, 1
assert_equal nil, single.next_update
assert_equal [], single.extensions
@@ -203,6 +209,12 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
cid2 = OpenSSL::OCSP::CertificateId.new(@cert2, @ca_cert, OpenSSL::Digest::SHA1.new)
bres.add_status(cid1, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, -50, [])
bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, OpenSSL::OCSP::REVOKED_STATUS_UNSPECIFIED, -400, -300, nil, [])
+ bres.add_status(cid2, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, nil, Time.now + 100, nil, nil)
+
+ if bres.responses[2].check_validity # thisUpdate is in future; must fail
+ # LibreSSL bug; skip for now
+ pend "OCSP_check_validity() is broken"
+ end
single1 = bres.responses[0]
assert_equal false, single1.check_validity