authorKazuki Yamaguchi <k@rhe.jp>2016-04-10 15:49:29 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-04-21 00:46:34 +0900
commit2283a4774304f528fd56b7be32c37a8f8b6e463e (patch)
treef3a27f81a7a639ff1e9bdc82559bd88e294286ef
parenta475d88bbb23fe15acc7154c39b10b735569b14c (diff)
downloadruby-2283a4774304f528fd56b7be32c37a8f8b6e463e.tar.gz
wiiiiiip
-rw-r--r--ext/openssl/extconf.rb3
-rw-r--r--ext/openssl/openssl_missing.c99
-rw-r--r--ext/openssl/ossl.c1
-rw-r--r--ext/openssl/ossl_bn.c2
-rw-r--r--ext/openssl/ossl_cipher.c5
-rw-r--r--ext/openssl/ossl_hmac.c7
-rw-r--r--ext/openssl/ossl_ocsp.c7
-rw-r--r--ext/openssl/ossl_pkey.c4
-rw-r--r--ext/openssl/ossl_pkey.h18
-rw-r--r--ext/openssl/ossl_pkey_dh.c42
-rw-r--r--ext/openssl/ossl_pkey_dsa.c52
-rw-r--r--ext/openssl/ossl_pkey_ec.c6
-rw-r--r--ext/openssl/ossl_pkey_rsa.c70
-rw-r--r--ext/openssl/ossl_ssl.c42
-rw-r--r--ext/openssl/ossl_x509attr.c2
15 files changed, 235 insertions, 125 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 4c9ba35169..cb12bf04bb 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -95,6 +95,8 @@ have_func("HMAC_CTX_new")
have_func("HMAC_CTX_init") # for 0.9.6
have_func("HMAC_CTX_free")
have_func("HMAC_CTX_cleanup") # for 0.9.6
+have_func("HMAC_CTX_reset")
+have_func("HMAC_Init_ex")
have_func("HMAC_CTX_copy")
have_func("PEM_def_callback")
have_func("PKCS5_PBKDF2_HMAC")
@@ -132,6 +134,7 @@ have_func("TLSv1_2_server_method")
have_func("TLSv1_2_client_method")
have_func("SSL_CTX_set_alpn_select_cb")
have_func("SSL_CTX_set_next_proto_select_cb")
+have_func("SSL_CTX_set_tmp_ecdh_callback") # workaround: 1.1.0 removed this
have_macro("SSL_get_server_tmp_key", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_GET_SERVER_TMP_KEY")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index ac7202ee4a..2c953dd53b 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -81,7 +81,18 @@ EVP_MD_CTX_free(EVP_MD_CTX *ctx)
}
#endif
-#if !defined(HAVE_HMAC_CTX_NEW)
+#if defined(HAVE_HMAC_INIT_EX)
+int
+HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
+ const EVP_MD *md, void *impl)
+{
+ if (impl)
+ rb_bug("impl not supported");
+ return HMAC_Init(ctx, key, key_len, md);
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_RESET)
#if !defined(HAVE_EVP_MD_CTX_INIT)
static void
EVP_MD_CTX_init(EVP_MD_CTX *ctx)
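Review bot: The guard on the new `HMAC_Init_ex` shim looks inverted: `#if defined(HAVE_HMAC_INIT_EX)` compiles the fallback exactly when the library already provides the function, and omits it when the function is missing. It should read `#if !defined(HAVE_HMAC_INIT_EX)`, matching the `!defined(HAVE_HMAC_CTX_RESET)` guard directly below it. The shim also returns the result of `HMAC_Init()`, which only works on releases where that function returns `int`; a one-line comment naming the oldest OpenSSL release this fallback targets would make that assumption explicit.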
@@ -90,13 +101,9 @@ EVP_MD_CTX_init(EVP_MD_CTX *ctx)
}
#endif
-/* new in 1.1.0 */
-HMAC_CTX *
-HMAC_CTX_new(void)
+int
+HMAC_CTX_reset(HMAC_CTX *ctx)
{
- HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
- if (!ctx)
- return NULL;
#if defined(HAVE_HMAC_CTX_INIT)
HMAC_CTX_init(ctx);
#else /* 0.9.6 */
@@ -104,6 +111,18 @@ HMAC_CTX_new(void)
EVP_MD_CTX_init(&ctx->o_ctx);
EVP_MD_CTX_init(&ctx->md_ctx);
#endif
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_NEW)
+/* new in 1.1.0 */
+HMAC_CTX *
+HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
+ HMAC_CTX_reset(ctx);
+ if (!ctx)
+ return NULL;
return ctx;
}
#endif
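Review bot: `HMAC_CTX_new()` hands the result of `OPENSSL_malloc()` to `HMAC_CTX_reset()` before the `if (!ctx)` test, so an allocation failure is dereferenced instead of being reported. The test has to come first: `if (!ctx) return NULL;` followed by `HMAC_CTX_reset(ctx);`. The `HMAC_CTX_reset()` shim that closes at the top of this hunk is declared `int` but has no `return` statement; add `return 1;` before its closing brace so that a caller testing the result does not read an indeterminate value. The shim's body starts in the previous hunk.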
@@ -453,12 +472,64 @@ OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
}
#endif
-#if !defined(HAVE_EVP_PKEY_id)
+#if !defined(HAVE_OCSP_SINGLERESP_DELETE_EXT)
+X509_EXTENSION *
+OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *s, int loc)
+{
+ return sk_X509_EXTENSION_delete(s->singleExtensions, loc);
+}
+#endif
+
+#if !defined(HAVE_OCSP_SINGLEREST_GET0_ID)
+OCSP_CERTID *
+OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_id) /* 1.1.0 */
int
EVP_PKEY_id(const EVP_PKEY *pkey)
{
return pkey->type;
}
+
+RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_RSA)
+ return NULL;
+ return pkey->pkey.rsa;
+}
+
+DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_DSA)
+ return NULL;
+ return pkey->pkey.dsa;
+}
+
+#if !defined(OPENSSL_NO_EC)
+EC_KEY *
+EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_EC)
+ return NULL;
+ return pkey->pkey.ec;
+}
+#endif
+
+#if !defined(OPENSSL_NO_DH)
+DH *
+EVP_PKEY_get0_DH(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_DH)
+ return NULL;
+ return pkey->pkey.dh;
+}
+#endif
#endif
#if !defined(HAVE_SSL_SESSION_GET_ID)
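Review bot: The guard `#if !defined(HAVE_OCSP_SINGLEREST_GET0_ID)` is misspelled (`SINGLEREST` for `SINGLERESP`), so no configure probe can ever define it and the fallback `OCSP_SINGLERESP_get0_id()` is compiled even when the library provides the function. Against a library where `OCSP_SINGLERESP` is opaque that fallback cannot build, and where it does build it shadows the library symbol; the guard should be `HAVE_OCSP_SINGLERESP_GET0_ID`. The extconf.rb hunks visible in this commit add no `have_func` line for `OCSP_SINGLERESP_delete_ext` or `OCSP_SINGLERESP_get0_id`, so unless those probes exist outside the hunks, both guards are always true. The new `EVP_PKEY_get0_*` fallbacks return NULL on a type mismatch, which deserves a short comment because several callers in this commit dereference the result directly.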
@@ -502,6 +573,18 @@ X509_CRL_up_ref(X509_CRL *crl)
{
CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
}
+
+void
+SSL_SESSION_up_ref(SSL_SESSION *sess)
+{
+ CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
+}
+
+void
+EVP_PKEY_up_ref(EVP_PKEY *pkey)
+{
+ CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+}
#endif
#if !defined(X509_CRL_GET0_SIGNATURE)
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 2337f2b756..770a08cfd3 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -7,7 +7,6 @@
* This program is licensed under the same licence as Ruby.
* (See the file 'LICENCE'.)
*/
-#define OPENSSL_MIN_API 0x20000000L
#include "ossl.h"
#include <stdarg.h> /* for ossl_raise */
/*
diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c
index 682870b0c1..92d7bf6f5c 100644
--- a/ext/openssl/ossl_bn.c
+++ b/ext/openssl/ossl_bn.c
@@ -761,7 +761,7 @@ ossl_bn_s_generate_prime(int argc, VALUE *argv, VALUE klass)
if (!(result = BN_new())) {
ossl_raise(eBNError, NULL);
}
- if (!BN_generate_prime_ex(result, num, safe, add, rem, NULL, NULL)) {
+ if (!BN_generate_prime_ex(result, num, safe, add, rem, NULL)) {
BN_free(result);
ossl_raise(eBNError, NULL);
}
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index e9808fb996..e4b9a022d2 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -143,7 +143,10 @@ ossl_cipher_copy(VALUE self, VALUE other)
GetCipherInit(self, ctx1);
if (!ctx1) {
- AllocCipher(self, ctx1);
+ ctx1 = EVP_CIPHER_CTX_new();
+ if (!ctx1)
+ ossl_raise(rb_eRuntimeError, "EVP_CIPHER_CTX_new() failed");
+ RTYPEDDATA_DATA(self) = ctx1;
}
SafeGetCipher(other, ctx2);
if (EVP_CIPHER_CTX_copy(ctx1, ctx2) != 1)
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
index db911bb9cd..c2aa50bbdc 100644
--- a/ext/openssl/ossl_hmac.c
+++ b/ext/openssl/ossl_hmac.c
@@ -104,8 +104,9 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
StringValue(key);
GetHMAC(self, ctx);
- HMAC_Init(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
- GetDigestPtr(digest));
+ HMAC_CTX_reset(ctx);
+ HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key),
+ GetDigestPtr(digest), NULL);
return self;
}
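Review bot: The result of `HMAC_Init_ex()` is discarded here, so if key or digest setup fails, `self` still looks initialised and later update/digest calls run on a context with no key. On releases where the function returns `int`, the call should raise on failure, e.g. `if (!HMAC_Init_ex(ctx, RSTRING_PTR(key), RSTRING_LENINT(key), GetDigestPtr(digest), NULL)) ossl_raise(eHMACError, NULL);`. The fallback `HMAC_CTX_reset()` in openssl_missing.c only re-initialises the structure, so calling `initialize` a second time on the same object appears to skip cleanup of the previous digest state; a comment stating whether re-initialisation is supported would help.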
@@ -253,7 +254,7 @@ ossl_hmac_reset(VALUE self)
HMAC_CTX *ctx;
GetHMAC(self, ctx);
- HMAC_Init(ctx, NULL, 0, NULL);
+ HMAC_CTX_reset(ctx);
return self;
}
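Review bot: Replacing `HMAC_Init(ctx, NULL, 0, NULL)` with `HMAC_CTX_reset(ctx)` changes what `reset` means. The removed call restarted the computation with the existing key and digest, while `HMAC_CTX_reset()` returns the context to its freshly allocated state with no key and no digest. After this change, an update following `reset` would operate on an uninitialised context rather than producing a MAC under the original key. The equivalent of the old behaviour is `HMAC_Init_ex(ctx, NULL, 0, NULL, NULL);`, ideally with its result checked.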
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index d92d708724..9c8e59e2a8 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -708,8 +708,9 @@ ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
if(!NIL_P(ext)){
X509_EXTENSION *x509ext;
- sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free);
- single->singleExtensions = NULL;
+ while ((x509ext = OCSP_SINGLERESP_delete_ext(single, 0))) {
+ X509_EXTENSION_free(x509ext);
+ }
for(i = 0; i < RARRAY_LEN(ext); i++){
x509ext = DupX509ExtPtr(RARRAY_AREF(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)){
@@ -764,7 +765,7 @@ ossl_ocspbres_get_status(VALUE self)
status = OCSP_single_get0_status(single, &reason, &revtime,
&thisupd, &nextupd);
if(status < 0) continue;
- if(!(cid = OCSP_CERTID_dup(single->certId)))
+ if(!(cid = OCSP_CERTID_dup(OCSP_SINGLERESP_get0_id(single))))
ossl_raise(eOCSPError, NULL);
ary = rb_ary_new();
rb_ary_push(ary, ossl_ocspcertid_new(cid));
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 8ead9cc472..d428673b39 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -212,7 +212,7 @@ DupPKeyPtr(VALUE obj)
EVP_PKEY *pkey;
SafeGetPKey(obj, pkey);
- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ EVP_PKEY_up_ref(pkey);
return pkey;
}
@@ -226,7 +226,7 @@ DupPrivPKeyPtr(VALUE obj)
ossl_raise(rb_eArgError, "Private key is needed.");
}
SafeGetPKey(obj, pkey);
- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ EVP_PKEY_up_ref(pkey);
return pkey;
}
diff --git a/ext/openssl/ossl_pkey.h b/ext/openssl/ossl_pkey.h
index 7288d5af7f..e682de900f 100644
--- a/ext/openssl/ossl_pkey.h
+++ b/ext/openssl/ossl_pkey.h
@@ -100,7 +100,7 @@ VALUE ossl_ec_new(EVP_PKEY *);
void Init_ossl_ec(void);
-#define OSSL_PKEY_BN(keytype, name) \
+#define OSSL_PKEY_BN(keytype, type, name) \
/* \
* call-seq: \
* key.##name -> aBN \
@@ -111,7 +111,7 @@ static VALUE ossl_##keytype##_get_##name(VALUE self) \
BIGNUM *bn; \
\
GetPKey(self, pkey); \
- bn = pkey->pkey.keytype->name; \
+ bn = EVP_PKEY_get0_##type(pkey)->name; \
if (bn == NULL) \
return Qnil; \
return ossl_bn_new(bn); \
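Review bot: The getter now dereferences `EVP_PKEY_get0_##type(pkey)` directly, and the fallback accessors added in openssl_missing.c return NULL when the key type does not match, so `->name` can be reached through a NULL pointer. The macro uses plain `GetPKey`, and whether that already guarantees the type is not visible in this hunk. The setter in the next hunk has the same pattern with `obj = EVP_PKEY_get0_##type(pkey);`. Both should test the pointer before use, for example `if (obj == NULL) ossl_raise(rb_eRuntimeError, "key not initialized"); \` in the setter and the same check on a local in the getter. The bodies still read struct fields by name, so a comment noting that this only compiles where the key structs are not opaque would avoid surprises.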
@@ -124,20 +124,22 @@ static VALUE ossl_##keytype##_set_##name(VALUE self, VALUE bignum) \
{ \
EVP_PKEY *pkey; \
BIGNUM *bn; \
+ type *obj; \
\
GetPKey(self, pkey); \
+ obj = EVP_PKEY_get0_##type(pkey); \
if (NIL_P(bignum)) { \
- BN_clear_free(pkey->pkey.keytype->name); \
- pkey->pkey.keytype->name = NULL; \
+ BN_clear_free(obj->name); \
+ obj->name = NULL; \
return Qnil; \
} \
\
bn = GetBNPtr(bignum); \
- if (pkey->pkey.keytype->name == NULL) \
- pkey->pkey.keytype->name = BN_new(); \
- if (pkey->pkey.keytype->name == NULL) \
+ if (obj->name == NULL) \
+ obj->name = BN_new(); \
+ if (obj->name == NULL) \
ossl_raise(eBNError, NULL); \
- if (BN_copy(pkey->pkey.keytype->name, bn) == NULL) \
+ if (BN_copy(obj->name, bn) == NULL) \
ossl_raise(eBNError, NULL); \
return bignum; \
}
diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c
index fb9ba36971..96aa80b39e 100644
--- a/ext/openssl/ossl_pkey_dh.c
+++ b/ext/openssl/ossl_pkey_dh.c
@@ -13,7 +13,7 @@
#define GetPKeyDH(obj, pkey) do { \
GetPKey((obj), (pkey)); \
- if (EVP_PKEY_type((pkey)->type) != EVP_PKEY_DH) { /* PARANOIA? */ \
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_DH) { /* PARANOIA? */ \
ossl_raise(rb_eRuntimeError, "THIS IS NOT A DH!") ; \
} \
} while (0)
@@ -110,7 +110,7 @@ dh_generate(int size, int gen)
BN_GENCB *cb = BN_GENCB_new();
if (!dh || !cb) {
- if (dh) DH_free(e);
+ if (dh) DH_free(dh);
if (cb) BN_GENCB_free(cb);
return 0;
}
@@ -262,7 +262,7 @@ ossl_dh_is_public(VALUE self)
GetPKeyDH(self, pkey);
- return (pkey->pkey.dh->pub_key) ? Qtrue : Qfalse;
+ return EVP_PKEY_get0_DH(pkey)->pub_key ? Qtrue : Qfalse;
}
/*
@@ -279,7 +279,7 @@ ossl_dh_is_private(VALUE self)
GetPKeyDH(self, pkey);
- return (DH_PRIVATE(pkey->pkey.dh)) ? Qtrue : Qfalse;
+ return DH_PRIVATE(EVP_PKEY_get0_DH(pkey)) ? Qtrue : Qfalse;
}
/*
@@ -303,7 +303,7 @@ ossl_dh_export(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eDHError, NULL);
}
- if (!PEM_write_bio_DHparams(out, pkey->pkey.dh)) {
+ if (!PEM_write_bio_DHparams(out, EVP_PKEY_get0_DH(pkey))) {
BIO_free(out);
ossl_raise(eDHError, NULL);
}
@@ -330,11 +330,11 @@ ossl_dh_to_der(VALUE self)
VALUE str;
GetPKeyDH(self, pkey);
- if((len = i2d_DHparams(pkey->pkey.dh, NULL)) <= 0)
+ if((len = i2d_DHparams(EVP_PKEY_get0_DH(pkey), NULL)) <= 0)
ossl_raise(eDHError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
- if(i2d_DHparams(pkey->pkey.dh, &p) < 0)
+ if(i2d_DHparams(EVP_PKEY_get0_DH(pkey), &p) < 0)
ossl_raise(eDHError, NULL);
ossl_str_adjust(str, p);
@@ -354,15 +354,17 @@ ossl_dh_get_params(VALUE self)
{
EVP_PKEY *pkey;
VALUE hash;
+ DH *dh;
GetPKeyDH(self, pkey);
hash = rb_hash_new();
- rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(pkey->pkey.dh->p));
- rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(pkey->pkey.dh->g));
- rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(pkey->pkey.dh->pub_key));
- rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(pkey->pkey.dh->priv_key));
+ dh = EVP_PKEY_get0_DH(pkey);
+ rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(dh->p));
+ rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(dh->g));
+ rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(dh->pub_key));
+ rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(dh->priv_key));
return hash;
}
@@ -386,7 +388,7 @@ ossl_dh_to_text(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eDHError, NULL);
}
- if (!DHparams_print(out, pkey->pkey.dh)) {
+ if (!DHparams_print(out, EVP_PKEY_get0_DH(pkey))) {
BIO_free(out);
ossl_raise(eDHError, NULL);
}
@@ -424,7 +426,7 @@ ossl_dh_to_public_key(VALUE self)
VALUE obj;
GetPKeyDH(self, pkey);
- dh = DHparams_dup(pkey->pkey.dh); /* err check perfomed by dh_instance */
+ dh = DHparams_dup(EVP_PKEY_get0_DH(pkey)); /* err check perfomed by dh_instance */
obj = dh_instance(CLASS_OF(self), dh);
if (obj == Qfalse) {
DH_free(dh);
@@ -450,7 +452,7 @@ ossl_dh_check_params(VALUE self)
int codes;
GetPKeyDH(self, pkey);
- dh = pkey->pkey.dh;
+ dh = EVP_PKEY_get0_DH(pkey);
if (!DH_check(dh, &codes)) {
return Qfalse;
@@ -482,7 +484,7 @@ ossl_dh_generate_key(VALUE self)
EVP_PKEY *pkey;
GetPKeyDH(self, pkey);
- dh = pkey->pkey.dh;
+ dh = EVP_PKEY_get0_DH(pkey);
if (!DH_generate_key(dh))
ossl_raise(eDHError, "Failed to generate key");
@@ -510,7 +512,7 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
int len;
GetPKeyDH(self, pkey);
- dh = pkey->pkey.dh;
+ dh = EVP_PKEY_get0_DH(pkey);
pub_key = GetBNPtr(pub);
len = DH_size(dh);
str = rb_str_new(0, len);
@@ -522,10 +524,10 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
return str;
}
-OSSL_PKEY_BN(dh, p)
-OSSL_PKEY_BN(dh, g)
-OSSL_PKEY_BN(dh, pub_key)
-OSSL_PKEY_BN(dh, priv_key)
+OSSL_PKEY_BN(dh, DH, p)
+OSSL_PKEY_BN(dh, DH, g)
+OSSL_PKEY_BN(dh, DH, pub_key)
+OSSL_PKEY_BN(dh, DH, priv_key)
/*
* INIT
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 2e6a734024..160391a2b0 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -13,7 +13,7 @@
#define GetPKeyDSA(obj, pkey) do { \
GetPKey((obj), (pkey)); \
- if (EVP_PKEY_type((pkey)->type) != EVP_PKEY_DSA) { /* PARANOIA? */ \
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_DSA) { /* PARANOIA? */ \
ossl_raise(rb_eRuntimeError, "THIS IS NOT A DSA!"); \
} \
} while (0)
@@ -104,7 +104,7 @@ dsa_generate(int size)
struct ossl_generate_cb_arg cb_arg;
struct dsa_blocking_gen_arg gen_arg;
DSA *dsa = DSA_new();
- BN_GENCB *cb = BN_GENCB_new();;
+ BN_GENCB *cb = BN_GENCB_new();
unsigned char seed[20];
int seed_len = 20, counter;
unsigned long h;
@@ -275,7 +275,7 @@ ossl_dsa_is_public(VALUE self)
GetPKeyDSA(self, pkey);
- return (pkey->pkey.dsa->pub_key) ? Qtrue : Qfalse;
+ return (EVP_PKEY_get0_DSA(pkey)->pub_key) ? Qtrue : Qfalse;
}
/*
@@ -292,7 +292,7 @@ ossl_dsa_is_private(VALUE self)
GetPKeyDSA(self, pkey);
- return (DSA_PRIVATE(self, pkey->pkey.dsa)) ? Qtrue : Qfalse;
+ return (DSA_PRIVATE(self, EVP_PKEY_get0_DSA(pkey))) ? Qtrue : Qfalse;
}
/*
@@ -335,14 +335,14 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eDSAError, NULL);
}
- if (DSA_HAS_PRIVATE(pkey->pkey.dsa)) {
- if (!PEM_write_bio_DSAPrivateKey(out, pkey->pkey.dsa, ciph,
+ if (DSA_HAS_PRIVATE(EVP_PKEY_get0_DSA(pkey))) {
+ if (!PEM_write_bio_DSAPrivateKey(out, EVP_PKEY_get0_DSA(pkey), ciph,
NULL, 0, ossl_pem_passwd_cb, passwd)){
BIO_free(out);
ossl_raise(eDSAError, NULL);
}
} else {
- if (!PEM_write_bio_DSA_PUBKEY(out, pkey->pkey.dsa)) {
+ if (!PEM_write_bio_DSA_PUBKEY(out, EVP_PKEY_get0_DSA(pkey))) {
BIO_free(out);
ossl_raise(eDSAError, NULL);
}
@@ -369,15 +369,15 @@ ossl_dsa_to_der(VALUE self)
VALUE str;
GetPKeyDSA(self, pkey);
- if(DSA_HAS_PRIVATE(pkey->pkey.dsa))
+ if(DSA_HAS_PRIVATE(EVP_PKEY_get0_DSA(pkey)))
i2d_func = (int(*)_((DSA*,unsigned char**)))i2d_DSAPrivateKey;
else
i2d_func = i2d_DSA_PUBKEY;
- if((len = i2d_func(pkey->pkey.dsa, NULL)) <= 0)
+ if((len = i2d_func(EVP_PKEY_get0_DSA(pkey), NULL)) <= 0)
ossl_raise(eDSAError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
- if(i2d_func(pkey->pkey.dsa, &p) < 0)
+ if(i2d_func(EVP_PKEY_get0_DSA(pkey), &p) < 0)
ossl_raise(eDSAError, NULL);
ossl_str_adjust(str, p);
@@ -402,11 +402,11 @@ ossl_dsa_get_params(VALUE self)
hash = rb_hash_new();
- rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(pkey->pkey.dsa->p));
- rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(pkey->pkey.dsa->q));
- rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(pkey->pkey.dsa->g));
- rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(pkey->pkey.dsa->pub_key));
- rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(pkey->pkey.dsa->priv_key));
+ rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(EVP_PKEY_get0_DSA(pkey)->p));
+ rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(EVP_PKEY_get0_DSA(pkey)->q));
+ rb_hash_aset(hash, rb_str_new2("g"), ossl_bn_new(EVP_PKEY_get0_DSA(pkey)->g));
+ rb_hash_aset(hash, rb_str_new2("pub_key"), ossl_bn_new(EVP_PKEY_get0_DSA(pkey)->pub_key));
+ rb_hash_aset(hash, rb_str_new2("priv_key"), ossl_bn_new(EVP_PKEY_get0_DSA(pkey)->priv_key));
return hash;
}
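Review bot: This hunk calls `EVP_PKEY_get0_DSA(pkey)` once per hash entry, whereas the matching change in `ossl_dh_get_params` fetches the key once into a local `DH *dh`. Using the same shape here, `DSA *dsa = EVP_PKEY_get0_DSA(pkey);` followed by `ossl_bn_new(dsa->p)` and so on, keeps the three key types consistent and gives a single place for a NULL check. The same applies to the eight accessor calls in the `ossl_rsa_get_params` hunk. The declarations for this function lie outside the hunk.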
@@ -430,7 +430,7 @@ ossl_dsa_to_text(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eDSAError, NULL);
}
- if (!DSA_print(out, pkey->pkey.dsa, 0)) { /* offset = 0 */
+ if (!DSA_print(out, EVP_PKEY_get0_DSA(pkey), 0)) { /* offset = 0 */
BIO_free(out);
ossl_raise(eDSAError, NULL);
}
@@ -465,7 +465,7 @@ ossl_dsa_to_public_key(VALUE self)
GetPKeyDSA(self, pkey);
/* err check performed by dsa_instance */
- dsa = DSAPublicKey_dup(pkey->pkey.dsa);
+ dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));
obj = dsa_instance(CLASS_OF(self), dsa);
if (obj == Qfalse) {
DSA_free(dsa);
@@ -474,7 +474,7 @@ ossl_dsa_to_public_key(VALUE self)
return obj;
}
-#define ossl_dsa_buf_size(pkey) (DSA_size((pkey)->pkey.dsa)+16)
+#define ossl_dsa_buf_size(pkey) (DSA_size(EVP_PKEY_get0_DSA(pkey))+16)
/*
* call-seq:
@@ -504,13 +504,13 @@ ossl_dsa_sign(VALUE self, VALUE data)
GetPKeyDSA(self, pkey);
StringValue(data);
- if (!DSA_PRIVATE(self, pkey->pkey.dsa)) {
+ if (!DSA_PRIVATE(self, EVP_PKEY_get0_DSA(pkey))) {
ossl_raise(eDSAError, "Private DSA key needed!");
}
str = rb_str_new(0, ossl_dsa_buf_size(pkey));
if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
(unsigned char *)RSTRING_PTR(str),
- &buf_len, pkey->pkey.dsa)) { /* type is ignored (0) */
+ &buf_len, EVP_PKEY_get0_DSA(pkey))) { /* type is ignored (0) */
ossl_raise(eDSAError, NULL);
}
rb_str_set_len(str, buf_len);
@@ -548,7 +548,7 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
StringValue(sig);
/* type is ignored (0) */
ret = DSA_verify(0, (unsigned char *)RSTRING_PTR(digest), RSTRING_LENINT(digest),
- (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), pkey->pkey.dsa);
+ (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), EVP_PKEY_get0_DSA(pkey));
if (ret < 0) {
ossl_raise(eDSAError, NULL);
}
@@ -559,11 +559,11 @@ ossl_dsa_verify(VALUE self, VALUE digest, VALUE sig)
return Qfalse;
}
-OSSL_PKEY_BN(dsa, p)
-OSSL_PKEY_BN(dsa, q)
-OSSL_PKEY_BN(dsa, g)
-OSSL_PKEY_BN(dsa, pub_key)
-OSSL_PKEY_BN(dsa, priv_key)
+OSSL_PKEY_BN(dsa, DSA, p)
+OSSL_PKEY_BN(dsa, DSA, q)
+OSSL_PKEY_BN(dsa, DSA, g)
+OSSL_PKEY_BN(dsa, DSA, pub_key)
+OSSL_PKEY_BN(dsa, DSA, priv_key)
/*
* INIT
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index e723a38e06..3cb21d214b 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -25,7 +25,7 @@ static const rb_data_type_t ossl_ec_point_type;
#define GetPKeyEC(obj, pkey) do { \
GetPKey((obj), (pkey)); \
- if (EVP_PKEY_type((pkey)->type) != EVP_PKEY_EC) { \
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) { \
ossl_raise(rb_eRuntimeError, "THIS IS NOT A EC PKEY!"); \
} \
} while (0)
@@ -38,7 +38,7 @@ static const rb_data_type_t ossl_ec_point_type;
#define Get_EC_KEY(obj, key) do { \
EVP_PKEY *pkey; \
GetPKeyEC((obj), pkey); \
- (key) = pkey->pkey.ec; \
+ (key) = EVP_PKEY_get0_EC_KEY(pkey); \
} while(0)
#define Require_EC_KEY(obj, key) do { \
@@ -171,7 +171,7 @@ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self)
char *passwd = NULL;
GetPKey(self, pkey);
- if (pkey->pkey.ec)
+ if (EVP_PKEY_get0_EC_KEY(pkey))
ossl_raise(eECError, "EC_KEY already initialized");
rb_scan_args(argc, argv, "02", &arg, &pass);
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index 50e06535a7..3e54c9ed4a 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -13,7 +13,7 @@
#define GetPKeyRSA(obj, pkey) do { \
GetPKey((obj), (pkey)); \
- if (EVP_PKEY_type((pkey)->type) != EVP_PKEY_RSA) { /* PARANOIA? */ \
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_RSA) { /* PARANOIA? */ \
ossl_raise(rb_eRuntimeError, "THIS IS NOT A RSA!") ; \
} \
} while (0)
@@ -288,7 +288,7 @@ ossl_rsa_is_private(VALUE self)
GetPKeyRSA(self, pkey);
- return (RSA_PRIVATE(self, pkey->pkey.rsa)) ? Qtrue : Qfalse;
+ return (RSA_PRIVATE(self, EVP_PKEY_get0_RSA(pkey))) ? Qtrue : Qfalse;
}
/*
@@ -326,14 +326,14 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eRSAError, NULL);
}
- if (RSA_HAS_PRIVATE(pkey->pkey.rsa)) {
- if (!PEM_write_bio_RSAPrivateKey(out, pkey->pkey.rsa, ciph,
+ if (RSA_HAS_PRIVATE(EVP_PKEY_get0_RSA(pkey))) {
+ if (!PEM_write_bio_RSAPrivateKey(out, EVP_PKEY_get0_RSA(pkey), ciph,
NULL, 0, ossl_pem_passwd_cb, passwd)) {
BIO_free(out);
ossl_raise(eRSAError, NULL);
}
} else {
- if (!PEM_write_bio_RSA_PUBKEY(out, pkey->pkey.rsa)) {
+ if (!PEM_write_bio_RSA_PUBKEY(out, EVP_PKEY_get0_RSA(pkey))) {
BIO_free(out);
ossl_raise(eRSAError, NULL);
}
@@ -359,22 +359,22 @@ ossl_rsa_to_der(VALUE self)
VALUE str;
GetPKeyRSA(self, pkey);
- if(RSA_HAS_PRIVATE(pkey->pkey.rsa))
+ if(RSA_HAS_PRIVATE(EVP_PKEY_get0_RSA(pkey)))
i2d_func = i2d_RSAPrivateKey;
else
i2d_func = (int (*)(const RSA*, unsigned char**))i2d_RSA_PUBKEY;
- if((len = i2d_func(pkey->pkey.rsa, NULL)) <= 0)
+ if((len = i2d_func(EVP_PKEY_get0_RSA(pkey), NULL)) <= 0)
ossl_raise(eRSAError, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
- if(i2d_func(pkey->pkey.rsa, &p) < 0)
+ if(i2d_func(EVP_PKEY_get0_RSA(pkey), &p) < 0)
ossl_raise(eRSAError, NULL);
ossl_str_adjust(str, p);
return str;
}
-#define ossl_rsa_buf_size(pkey) (RSA_size((pkey)->pkey.rsa)+16)
+#define ossl_rsa_buf_size(pkey) (RSA_size(EVP_PKEY_get0_RSA(pkey))+16)
/*
* call-seq:
@@ -397,7 +397,7 @@ ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self)
StringValue(buffer);
str = rb_str_new(0, ossl_rsa_buf_size(pkey));
buf_len = RSA_public_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ (unsigned char *)RSTRING_PTR(str), EVP_PKEY_get0_RSA(pkey),
pad);
if (buf_len < 0) ossl_raise(eRSAError, NULL);
rb_str_set_len(str, buf_len);
@@ -426,7 +426,7 @@ ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self)
StringValue(buffer);
str = rb_str_new(0, ossl_rsa_buf_size(pkey));
buf_len = RSA_public_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ (unsigned char *)RSTRING_PTR(str), EVP_PKEY_get0_RSA(pkey),
pad);
if (buf_len < 0) ossl_raise(eRSAError, NULL);
rb_str_set_len(str, buf_len);
@@ -450,7 +450,7 @@ ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
VALUE str, buffer, padding;
GetPKeyRSA(self, pkey);
- if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
+ if (!RSA_PRIVATE(self, EVP_PKEY_get0_RSA(pkey))) {
ossl_raise(eRSAError, "private key needed.");
}
rb_scan_args(argc, argv, "11", &buffer, &padding);
@@ -458,7 +458,7 @@ ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
StringValue(buffer);
str = rb_str_new(0, ossl_rsa_buf_size(pkey));
buf_len = RSA_private_encrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ (unsigned char *)RSTRING_PTR(str), EVP_PKEY_get0_RSA(pkey),
pad);
if (buf_len < 0) ossl_raise(eRSAError, NULL);
rb_str_set_len(str, buf_len);
@@ -482,7 +482,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
VALUE str, buffer, padding;
GetPKeyRSA(self, pkey);
- if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
+ if (!RSA_PRIVATE(self, EVP_PKEY_get0_RSA(pkey))) {
ossl_raise(eRSAError, "private key needed.");
}
rb_scan_args(argc, argv, "11", &buffer, &padding);
@@ -490,7 +490,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
StringValue(buffer);
str = rb_str_new(0, ossl_rsa_buf_size(pkey));
buf_len = RSA_private_decrypt(RSTRING_LENINT(buffer), (unsigned char *)RSTRING_PTR(buffer),
- (unsigned char *)RSTRING_PTR(str), pkey->pkey.rsa,
+ (unsigned char *)RSTRING_PTR(str), EVP_PKEY_get0_RSA(pkey),
pad);
if (buf_len < 0) ossl_raise(eRSAError, NULL);
rb_str_set_len(str, buf_len);
@@ -519,14 +519,14 @@ ossl_rsa_get_params(VALUE self)
hash = rb_hash_new();
- rb_hash_aset(hash, rb_str_new2("n"), ossl_bn_new(pkey->pkey.rsa->n));
- rb_hash_aset(hash, rb_str_new2("e"), ossl_bn_new(pkey->pkey.rsa->e));
- rb_hash_aset(hash, rb_str_new2("d"), ossl_bn_new(pkey->pkey.rsa->d));
- rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(pkey->pkey.rsa->p));
- rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(pkey->pkey.rsa->q));
- rb_hash_aset(hash, rb_str_new2("dmp1"), ossl_bn_new(pkey->pkey.rsa->dmp1));
- rb_hash_aset(hash, rb_str_new2("dmq1"), ossl_bn_new(pkey->pkey.rsa->dmq1));
- rb_hash_aset(hash, rb_str_new2("iqmp"), ossl_bn_new(pkey->pkey.rsa->iqmp));
+ rb_hash_aset(hash, rb_str_new2("n"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->n));
+ rb_hash_aset(hash, rb_str_new2("e"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->e));
+ rb_hash_aset(hash, rb_str_new2("d"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->d));
+ rb_hash_aset(hash, rb_str_new2("p"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->p));
+ rb_hash_aset(hash, rb_str_new2("q"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->q));
+ rb_hash_aset(hash, rb_str_new2("dmp1"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->dmp1));
+ rb_hash_aset(hash, rb_str_new2("dmq1"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->dmq1));
+ rb_hash_aset(hash, rb_str_new2("iqmp"), ossl_bn_new(EVP_PKEY_get0_RSA(pkey)->iqmp));
return hash;
}
@@ -552,7 +552,7 @@ ossl_rsa_to_text(VALUE self)
if (!(out = BIO_new(BIO_s_mem()))) {
ossl_raise(eRSAError, NULL);
}
- if (!RSA_print(out, pkey->pkey.rsa, 0)) { /* offset = 0 */
+ if (!RSA_print(out, EVP_PKEY_get0_RSA(pkey), 0)) { /* offset = 0 */
BIO_free(out);
ossl_raise(eRSAError, NULL);
}
@@ -576,7 +576,7 @@ ossl_rsa_to_public_key(VALUE self)
GetPKeyRSA(self, pkey);
/* err check performed by rsa_instance */
- rsa = RSAPublicKey_dup(pkey->pkey.rsa);
+ rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));
obj = rsa_instance(CLASS_OF(self), rsa);
if (obj == Qfalse) {
RSA_free(rsa);
@@ -595,7 +595,7 @@ ossl_rsa_blinding_on(VALUE self)
GetPKeyRSA(self, pkey);
- if (RSA_blinding_on(pkey->pkey.rsa, ossl_bn_ctx) != 1) {
+ if (RSA_blinding_on(EVP_PKEY_get0_RSA(pkey), ossl_bn_ctx) != 1) {
ossl_raise(eRSAError, NULL);
}
return self;
@@ -607,20 +607,20 @@ ossl_rsa_blinding_off(VALUE self)
EVP_PKEY *pkey;
GetPKeyRSA(self, pkey);
- RSA_blinding_off(pkey->pkey.rsa);
+ RSA_blinding_off(EVP_PKEY_get0_RSA(pkey));
return self;
}
*/
-OSSL_PKEY_BN(rsa, n)
-OSSL_PKEY_BN(rsa, e)
-OSSL_PKEY_BN(rsa, d)
-OSSL_PKEY_BN(rsa, p)
-OSSL_PKEY_BN(rsa, q)
-OSSL_PKEY_BN(rsa, dmp1)
-OSSL_PKEY_BN(rsa, dmq1)
-OSSL_PKEY_BN(rsa, iqmp)
+OSSL_PKEY_BN(rsa, RSA, n)
+OSSL_PKEY_BN(rsa, RSA, e)
+OSSL_PKEY_BN(rsa, RSA, d)
+OSSL_PKEY_BN(rsa, RSA, p)
+OSSL_PKEY_BN(rsa, RSA, q)
+OSSL_PKEY_BN(rsa, RSA, dmp1)
+OSSL_PKEY_BN(rsa, RSA, dmq1)
+OSSL_PKEY_BN(rsa, RSA, iqmp)
/*
* INIT
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 96c7990046..a1dd863e7f 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -82,6 +82,8 @@ static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
/*
* SSLContext class
*/
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
static const struct {
const char *name;
SSL_METHOD *(*func)(void);
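Review bot: The `#pragma GCC diagnostic` lines are unconditional and carry no explanation, so other compilers may warn about an unknown pragma and a reader cannot tell which deprecation is being silenced. Wrapping the push/ignored pair, and the matching `pop` in the next hunk, in `#if defined(__GNUC__)` keeps the build portable. A comment along the lines of `/* the method table references constructors that newer OpenSSL marks deprecated */` would record the reason. Suppressing the warning for the whole table also hides any future deprecation of an entry, so it is worth keeping the region as small as it is now.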
@@ -119,6 +121,7 @@ static const struct {
OSSL_SSL_METHOD_ENTRY(SSLv23_client),
#undef OSSL_SSL_METHOD_ENTRY
};
+#pragma GCC diagnostic pop
static int ossl_ssl_ex_vcb_idx;
static int ossl_ssl_ex_store_p;
@@ -128,8 +131,10 @@ static void
ossl_sslctx_free(void *ptr)
{
SSL_CTX *ctx = ptr;
+#if !defined(HAVE_X509_UP_REF) /* upto 1.0.2 */
if(ctx && SSL_CTX_get_ex_data(ctx, ossl_ssl_ex_store_p)== (void*)1)
ctx->cert_store = NULL;
+#endif
SSL_CTX_free(ctx);
}
@@ -244,7 +249,7 @@ ossl_call_tmp_dh_callback(VALUE args)
if (NIL_P(cb)) return Qfalse;
dh = rb_apply(cb, rb_intern("call"), args);
pkey = GetPKeyPtr(dh);
- if (EVP_PKEY_type(pkey->type) != EVP_PKEY_DH) return Qfalse;
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_DH) return Qfalse;
return dh;
}
@@ -262,11 +267,11 @@ ossl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
if (!RTEST(dh)) return NULL;
ossl_ssl_set_tmp_dh(rb_ssl, dh);
- return GetPKeyPtr(dh)->pkey.dh;
+ return EVP_PKEY_get0_DH(GetPKeyPtr(dh));
}
#endif /* OPENSSL_NO_DH */
-#if !defined(OPENSSL_NO_EC)
+#if defined(SSL_CTX_SET_TMP_ECDH_CALLBACK)
static VALUE
ossl_call_tmp_ecdh_callback(VALUE args)
{
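Review bot: `#if defined(SSL_CTX_SET_TMP_ECDH_CALLBACK)` tests a macro that nothing visible in this commit defines; the `have_func("SSL_CTX_set_tmp_ecdh_callback")` line added to extconf.rb produces `HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK`. As written, the callback functions here and the `SSL_CTX_set_tmp_ecdh_callback()` call in the `ossl_sslctx_setup` hunk are likely compiled out on every OpenSSL version, so a configured `tmp_ecdh_callback` would be silently ignored and the server would negotiate without it. Suggest `#if !defined(OPENSSL_NO_EC) && defined(HAVE_SSL_CTX_SET_TMP_ECDH_CALLBACK)` in both places, which also keeps the previous no-EC guard. The function body continues outside the hunk.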
@@ -278,7 +283,7 @@ ossl_call_tmp_ecdh_callback(VALUE args)
if (NIL_P(cb)) return Qfalse;
ecdh = rb_apply(cb, rb_intern("call"), args);
pkey = GetPKeyPtr(ecdh);
- if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) return Qfalse;
+ if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) return Qfalse;
return ecdh;
}
@@ -296,7 +301,7 @@ ossl_tmp_ecdh_callback(SSL *ssl, int is_export, int keylength)
if (!RTEST(ecdh)) return NULL;
ossl_ssl_set_tmp_ecdh(rb_ssl, ecdh);
- return GetPKeyPtr(ecdh)->pkey.ec;
+ return EVP_PKEY_get0_EC_KEY(GetPKeyPtr(ecdh));
}
#endif
@@ -385,7 +390,7 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
return 1;
ssl_obj = (VALUE)ptr;
sess_obj = rb_obj_alloc(cSSLSession);
- CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ SSL_SESSION_up_ref(sess);
DATA_PTR(sess_obj) = sess;
ary = rb_ary_new2(2);
@@ -434,7 +439,7 @@ ossl_sslctx_session_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
return;
sslctx_obj = (VALUE)ptr;
sess_obj = rb_obj_alloc(cSSLSession);
- CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ SSL_SESSION_up_ref(sess);
DATA_PTR(sess_obj) = sess;
ary = rb_ary_new2(2);
@@ -642,7 +647,7 @@ ssl_alpn_select_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, c
static void
ssl_info_cb(const SSL *ssl, int where, int val)
{
- int state = SSL_state(ssl);
+ int state = SSL_get_state(ssl);
if ((where & SSL_CB_HANDSHAKE_START) &&
(state & SSL_ST_ACCEPT)) {
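Review bot: The result of `SSL_get_state()` is still tested with `state & SSL_ST_ACCEPT`, but on 1.1.0 that function returns a handshake-state enumeration rather than the old `SSL_ST_*` bit mask, so the mask test may no longer identify the accepting side. If the intent is "this is the server end", `SSL_is_server(ssl)` expresses it independently of the state encoding, e.g. `if ((where & SSL_CB_HANDSHAKE_START) && SSL_is_server((SSL *)ssl)) {`, where that function is available. The body guarded by this condition is outside the hunk, so it is worth confirming on both library versions that the branch still fires.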
@@ -711,7 +716,7 @@ ossl_sslctx_setup(VALUE self)
SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
#endif
-#if !defined(OPENSSL_NO_EC)
+#if defined(SSL_CTX_SET_TMP_ECDH_CALLBACK)
if (RTEST(ossl_sslctx_get_tmp_ecdh_cb(self))){
SSL_CTX_set_tmp_ecdh_callback(ctx, ossl_tmp_ecdh_callback);
}
@@ -719,15 +724,19 @@ ossl_sslctx_setup(VALUE self)
val = ossl_sslctx_get_cert_store(self);
if(!NIL_P(val)){
+ store = GetX509StorePtr(val); /* NO NEED TO DUP */
+#if defined(HAVE_X509_UP_REF) /* from 1.1.0 */
+ X509_STORE_up_ref(store);
+#else
/*
- * WORKAROUND:
+ * WORKAROUND (- 1.0.2):
* X509_STORE can count references, but
* X509_STORE_free() doesn't care it.
* So we won't increment it but mark it by ex_data.
*/
- store = GetX509StorePtr(val); /* NO NEED TO DUP */
- SSL_CTX_set_cert_store(ctx, store);
SSL_CTX_set_ex_data(ctx, ossl_ssl_ex_store_p, (void*)1);
+#endif
+ SSL_CTX_set_cert_store(ctx, store);
}
val = ossl_sslctx_get_extra_cert(self);
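Review bot: The new branch calls `X509_STORE_up_ref(store)` without checking its result and selects it with `HAVE_X509_UP_REF`, which is a probe for a different function. If the increment fails, `SSL_CTX_set_cert_store()` still takes the pointer and `SSL_CTX_free()` will later drop a reference that was never added. Suggest `if (!X509_STORE_up_ref(store)) ossl_raise(eSSLError, NULL);` and a dedicated probe for `X509_STORE_up_ref`. `ossl_sslctx_free` uses the same macro to skip the `cert_store = NULL` workaround, so the two sites must always be switched together; a comment at both saying so would prevent a double free or leak if one is changed alone.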
@@ -882,6 +891,7 @@ static VALUE
ossl_sslctx_get_ciphers(VALUE self)
{
SSL_CTX *ctx;
+ SSL *temp_ssl;
STACK_OF(SSL_CIPHER) *ciphers;
SSL_CIPHER *cipher;
VALUE ary;
@@ -892,7 +902,13 @@ ossl_sslctx_get_ciphers(VALUE self)
rb_warning("SSL_CTX is not initialized.");
return Qnil;
}
- ciphers = ctx->cipher_list;
+ /* SSL_CTX was made opaque so we can't access ctx->cipher_list directly :( */
+ temp_ssl = SSL_new(ctx);
+ if (!temp_ssl)
+ ossl_raise(eSSLError, "SSL_new() failed");
+
+ ciphers = SSL_get_ciphers(temp_ssl);
+ SSL_free(temp_ssl);
if (!ciphers)
return rb_ary_new();
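Review bot: `ciphers` is obtained from `temp_ssl` and `temp_ssl` is freed on the next line, before the list is used by the code that follows the hunk. That is only safe if `SSL_get_ciphers()` returned the list owned by the `SSL_CTX`; if the `SSL` object holds its own copy, the remaining code walks freed memory. Either move `SSL_free(temp_ssl);` to after the array has been built, on every exit path, or use `SSL_CTX_get_ciphers(ctx)` where the library provides it. The latter also avoids allocating a full `SSL` object on each call.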
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index 8f51436fd6..6f4429ecde 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -218,7 +218,7 @@ ossl_x509attr_set_value(VALUE self, VALUE value)
attr = new_attr;
}
- if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type), a1type->value)) {
+ if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type), a1type->value.ptr, -1)) {
ASN1_TYPE_free(a1type);
ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_data() failed");
}