authorKazuki Yamaguchi <k@rhe.jp>2016-04-18 01:23:59 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-04-21 00:46:34 +0900
commit4a8fd28dfeb5c938f7137c2a10ddd978e6aecfbb (patch)
treee1b99853a095426af390131662444b0417c28d6f
parentcba79c3e6a918196a9ac5166c33782503471ec7b (diff)
downloadruby-4a8fd28dfeb5c938f7137c2a10ddd978e6aecfbb.tar.gz
X509_STORE{_CTX,} is made opaque
-rw-r--r--ext/openssl/extconf.rb15
-rw-r--r--ext/openssl/openssl_missing.c22
-rw-r--r--ext/openssl/openssl_missing.h48
-rw-r--r--ext/openssl/ossl.c6
-rw-r--r--ext/openssl/ossl_x509store.c20
5 files changed, 72 insertions, 39 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 5f597b13c3..76cf20541a 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -133,6 +133,8 @@ have_func("EVP_PKEY_base_id")
have_func("HMAC_CTX_copy")
have_func("PKCS5_PBKDF2_HMAC")
have_func("X509_NAME_hash_old")
+have_func("X509_STORE_CTX_get0_current_crl")
+have_func("X509_STORE_set_verify_cb")
have_func_or_macro("SSL_set_tlsext_host_name", 'openssl/ssl.h')
# added in 1.0.1
@@ -141,6 +143,7 @@ have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTH
# added in 1.0.2
have_func("EC_curve_nist2nid")
+have_func("X509_STORE_CTX_get0_store")
have_func("SSL_CTX_set_alpn_select_cb")
have_func_or_macro("SSL_CTX_set1_curves_list", "openssl/ssl.h")
have_func_or_macro("SSL_CTX_set_ecdh_auto", "openssl/ssl.h") # removed in 1.1.0
@@ -162,6 +165,14 @@ have_func("X509_REQ_get0_signature")
have_func("X509_get0_tbs_sigalg")
have_func("X509_REVOKED_get0_serialNumber")
have_func("X509_REVOKED_get0_revocationDate")
+have_func("X509_STORE_CTX_get0_untrusted")
+have_func("X509_STORE_CTX_get0_cert")
+have_func("X509_STORE_CTX_get0_chain")
+
+# doesn't exist on any version of OpenSSL
+have_func("X509_STORE_get_ex_data")
+have_func("X509_STORE_set_ex_data")
+
have_func("TLS_method") # renamed from SSLv23_method
have_func("SSL_CTX_get_ciphers")
have_func("SSL_CTX_get_security_level")
@@ -178,10 +189,6 @@ have_macro("OPENSSL_FIPS", ['openssl/opensslconf.h']) && $defs.push("-DHAVE_OPEN
# LibreSSL support
have_func("RAND_egd") # removed
-# doesn't exist on any version of OpenSSL
-have_func("X509_STORE_get_ex_data")
-have_func("X509_STORE_set_ex_data")
-
Logging::message "=== Checking done. ===\n"
create_header
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index e8c6e87627..05d596f3d2 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -264,6 +264,17 @@ X509_CRL_sort(X509_CRL *c)
}
#endif
+#if !defined(HAVE_X509_REVOKED_SET_SERIALNUMBER)
+int
+X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
+{
+ ASN1_INTEGER *in = x->serialNumber;
+ if (in != serial)
+ return ASN1_STRING_copy(in, serial);
+ return 1;
+}
+#endif
+
/*** added in 0.9.8 ***/
#if !defined(HAVE_BN_IS_PRIME_EX)
int BN_is_prime_ex(const BIGNUM *bn, int checks, BN_CTX *ctx, void *cb)
@@ -511,14 +522,3 @@ X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req
*palg = req->sig_alg;
}
#endif
-
-#if !defined(HAVE_X509_REVOKED_SET_SERIALNUMBER)
-int
-X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
-{
- ASN1_INTEGER *in = x->serialNumber;
- if (in != serial)
- return ASN1_STRING_copy(in, serial);
- return 1;
-}
-#endif
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 3528571c80..ce85c8fd09 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -186,14 +186,8 @@ int X509_CRL_set_version(X509_CRL *x, long version);
int X509_CRL_sort(X509_CRL *c);
#endif
-#if !defined(HAVE_X509_STORE_GET_EX_DATA)
-# define X509_STORE_get_ex_data(str, idx) \
- CRYPTO_get_ex_data(&(str)->ex_data, idx)
-#endif
-
-#if !defined(HAVE_X509_STORE_SET_EX_DATA)
-# define X509_STORE_set_ex_data(str, idx, data) \
- CRYPTO_set_ex_data(&(str)->ex_data, idx, data)
+#if !defined(HAVE_X509_REVOKED_SET_SERIALNUMBER)
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
#endif
#if !defined(HAVE_X509V3_SET_NCONF)
@@ -269,6 +263,14 @@ void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
#if !defined(HAVE_X509_NAME_HASH_OLD)
#endif
+#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
+# define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
+#endif
+
+#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
+# define X509_STORE_set_verify_cb(x, cb) X509_STORE_set_verify_cb_func((x), (cb))
+#endif
+
#if !defined(HAVE_SSL_SET_TLSEXT_HOST_NAME)
#endif
@@ -281,6 +283,10 @@ void HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
int EC_curve_nist2nid(const char *str);
#endif
+#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
+# define X509_STORE_CTX_get0_store(x) ((x)->ctx)
+#endif
+
#if !defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
#endif
@@ -356,12 +362,30 @@ void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ
# define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
#endif
-#if !defined(HAVE_X509_REVOKED_SET_SERIALNUMBER)
-int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
+# define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate)
#endif
-#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
-# define X509_REVOKED_get0_revocationDate(x) (x->revocationDate)
+#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED)
+# define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted)
+#endif
+
+#if !defined(HAVE_X509_STORE_CTX_GET0_CERT)
+# define X509_STORE_CTX_get0_cert(x) ((x)->cert)
+#endif
+
+#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN)
+# define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx)
+#endif
+
+#if !defined(HAVE_X509_STORE_GET_EX_DATA)
+# define X509_STORE_get_ex_data(str, idx) \
+ CRYPTO_get_ex_data(&(str)->ex_data, idx)
+#endif
+
+#if !defined(HAVE_X509_STORE_SET_EX_DATA)
+# define X509_STORE_set_ex_data(str, idx, data) \
+ CRYPTO_set_ex_data(&(str)->ex_data, idx, data)
#endif
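Review bot: The moved ex_data fallbacks leave `idx` and `data` unparenthesized (`CRYPTO_get_ex_data(&(str)->ex_data, idx)` and `CRYPTO_set_ex_data(&(str)->ex_data, idx, data)`) while every other macro in this hunk wraps its arguments, including the `((x)->revocationDate)` fix at the top of the hunk. Since the arguments only land in a call argument list the practical hazard is small, but `CRYPTO_get_ex_data(&(str)->ex_data, (idx))` and `CRYPTO_set_ex_data(&(str)->ex_data, (idx), (data))` keep the file's convention uniform. All of these fallbacks reach into struct fields, which is only valid while the HAVE_ macro is undefined and the struct is still transparent; that is presumably the intent, and a one-line comment above the block saying so would spare the next reader the inference.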
#if !defined(HAVE_TLS_METHOD)
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index 8c15112dcf..63ac8f4fbd 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -214,9 +214,9 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
int state = 0;
proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_verify_cb_idx);
- if ((void*)proc == 0)
- proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_verify_cb_idx);
- if ((void*)proc == 0)
+ if (!proc)
+ proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_verify_cb_idx);
+ if (!proc)
return ok;
if (!NIL_P(proc)) {
ret = Qfalse;
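Review bot: The second lookup, `X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_verify_cb_idx)`, still passes the store without a NULL check; the fallback macro for `X509_STORE_get_ex_data` in this commit expands to `&(str)->ex_data`, so a context whose store pointer is NULL would fault here. The old `ctx->ctx` form had the same gap, so this is pre-existing rather than introduced, but the rewrite is the natural place to close it, e.g. `X509_STORE *store = X509_STORE_CTX_get0_store(ctx);` before the lookups and `if (!proc && store)` guarding the second one. As far as I recall a store context can be initialised without a store, which is what makes the NULL case reachable; confirm against the callers. ossl_verify_cb begins before the hunk and continues after it.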
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 900bd81b04..a62e79c184 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -149,8 +149,8 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
/* BUG: This method takes any number of arguments but appears to ignore them. */
GetX509Store(self, store);
- store->ex_data.sk = NULL;
- X509_STORE_set_verify_cb_func(store, ossl_verify_cb);
+ /* TODO: what's this?: store->ex_data.sk = NULL; */
+ X509_STORE_set_verify_cb(store, ossl_verify_cb);
ossl_x509store_set_vfy_cb(self, Qnil);
#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
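Review bot: `/* TODO: what's this?: store->ex_data.sk = NULL; */` replaces a live statement with commented-out code plus an open question, which is the kind of line that tends to survive for years. If the reset is simply impossible once X509_STORE is opaque and the library is trusted to initialise ex_data itself, say that instead of keeping the dead statement, e.g. `/* ex_data is private once X509_STORE is opaque; the old store->ex_data.sk = NULL reset was dropped on the assumption that X509_STORE_new() initialises it (TODO confirm) */`. ossl_x509store_initialize starts before the hunk and continues after it.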
@@ -400,10 +400,10 @@ static void
ossl_x509stctx_free(void *ptr)
{
X509_STORE_CTX *ctx = ptr;
- if(ctx->untrusted)
- sk_X509_pop_free(ctx->untrusted, X509_free);
- if(ctx->cert)
- X509_free(ctx->cert);
+ if (X509_STORE_CTX_get0_untrusted(ctx))
+ sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
+ if (X509_STORE_CTX_get0_cert(ctx))
+ X509_free(X509_STORE_CTX_get0_cert(ctx));
X509_STORE_CTX_free(ctx);
}
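Review bot: ossl_x509stctx_free now calls each getter twice — `X509_STORE_CTX_get0_untrusted(ctx)` in the condition and again in the `sk_X509_pop_free` call, and likewise `X509_STORE_CTX_get0_cert(ctx)` — where a local for each reads better and makes the ownership explicit: this wrapper frees the untrusted stack and the target cert itself before `X509_STORE_CTX_free`, so presumably the wrapper, not the ctx, owns them (they are set by an initializer elsewhere in the file; confirm that X509_STORE_CTX_free does not also release them, or this becomes a double free). The NULL guards are probably redundant if `sk_X509_pop_free` and `X509_free` accept NULL, but keeping them is harmless.
```c
static void
ossl_x509stctx_free(void *ptr)
{
    X509_STORE_CTX *ctx = ptr;
    /* The wrapper is assumed to own the untrusted stack and the target cert it
     * handed to the ctx (set in the initializer, not shown here); release them
     * before the ctx itself. TODO confirm X509_STORE_CTX_free leaves them alone. */
    STACK_OF(X509) *untrusted = X509_STORE_CTX_get0_untrusted(ctx);
    X509 *cert = X509_STORE_CTX_get0_cert(ctx);
    if (untrusted)
        sk_X509_pop_free(untrusted, X509_free);
    if (cert)
        X509_free(cert);
    X509_STORE_CTX_free(ctx);
}
```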
@@ -484,7 +484,7 @@ ossl_x509stctx_get_chain(VALUE self)
VALUE ary;
GetX509StCtx(self, ctx);
- if((chain = X509_STORE_CTX_get_chain(ctx)) == NULL){
+ if((chain = X509_STORE_CTX_get0_chain(ctx)) == NULL){
return Qnil;
}
if((num = sk_X509_num(chain)) < 0){
@@ -558,11 +558,13 @@ ossl_x509stctx_get_curr_crl(VALUE self)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
X509_STORE_CTX *ctx;
+ X509_CRL *crl;
GetX509StCtx(self, ctx);
- if(!ctx->current_crl) return Qnil;
+ crl = X509_STORE_CTX_get0_current_crl(ctx);
+ if(!crl) return Qnil;
- return ossl_x509crl_new(ctx->current_crl);
+ return ossl_x509crl_new(crl);
#else
return Qnil;
#endif
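Review bot: `crl = X509_STORE_CTX_get0_current_crl(ctx)` yields a borrowed pointer (the get0 naming convention), so `ossl_x509crl_new(crl)` must copy or up-ref it if the returned Ruby object can outlive the store context; ossl_x509crl_new is defined elsewhere, so confirm it does and that this is not a latent use-after-free. A one-line comment on the new local would record the contract: `/* borrowed from ctx; ossl_x509crl_new() must take its own copy */`. ossl_x509stctx_get_curr_crl begins at the hunk's context line and its closing brace lies past the hunk.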