ext/openssl: X509* are made opaque

Replace direct struct access with getter functions.

11 files changed, 177 insertions, 62 deletions

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index d831a4a212..c332e50184 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -87,6 +87,8 @@ have_func("EVP_CIPHER_CTX_copy")
 have_func("HMAC_CTX_copy")
 have_func("PKCS5_PBKDF2_HMAC")
 have_func("X509_NAME_hash_old")
+have_func("X509_STORE_CTX_get0_current_crl")
+have_func("X509_STORE_set_verify_cb")
 OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h")
 have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h")
 
@@ -97,6 +99,7 @@ have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTH
 # added in 1.0.2
 have_func("CRYPTO_memcmp")
 have_func("X509_REVOKED_dup")
+have_func("X509_STORE_CTX_get0_store")
 have_func("SSL_is_server");
 have_func("SSL_CTX_set_alpn_select_cb")
 OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
@@ -115,6 +118,14 @@ have_func("HMAC_CTX_reset")
 OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
 have_func("X509_STORE_get_ex_data")
 have_func("X509_STORE_set_ex_data")
+have_func("X509_CRL_get0_signature")
+have_func("X509_REQ_get0_signature")
+have_func("X509_REVOKED_get0_serialNumber")
+have_func("X509_REVOKED_get0_revocationDate")
+have_func("X509_get0_tbs_sigalg")
+have_func("X509_STORE_CTX_get0_untrusted")
+have_func("X509_STORE_CTX_get0_cert")
+have_func("X509_STORE_CTX_get0_chain")
 have_func("OCSP_SINGLERESP_get0_id")
 have_func("X509_up_ref")
 have_func("X509_CRL_up_ref")
@@ -123,7 +134,6 @@ have_func("SSL_SESSION_up_ref")
 have_func("EVP_PKEY_up_ref")
 OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
 
-have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h")
 Logging::message "=== Checking done. ===\n"
 
 create_header
diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c
index 735ec8cfd5..131f74d75f 100644
--- a/ext/openssl/openssl_missing.c
+++ b/ext/openssl/openssl_missing.c
@@ -130,3 +130,25 @@ HMAC_CTX_reset(HMAC_CTX *ctx)
     return 0;
 }
 #endif
+
+#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
+void
+X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl)
+{
+    if (psig != NULL)
+	*psig = crl->signature;
+    if (palg != NULL)
+	*palg = crl->sig_alg;
+}
+#endif
+
+#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
+void
+X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req)
+{
+    if (psig != NULL)
+	*psig = req->signature;
+    if (palg != NULL)
+	*palg = req->sig_alg;
+}
+#endif
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index f72e832d05..30df663e8d 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -33,6 +33,14 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in);
 int HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in);
 #endif
 
+#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL)
+#  define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl)
+#endif
+
+#if !defined(HAVE_X509_STORE_SET_VERIFY_CB)
+#  define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func
+#endif
+
 /* added in 1.0.2 */
 #if !defined(HAVE_CRYPTO_MEMCMP)
 int CRYPTO_memcmp(const volatile void * volatile in_a, const volatile void * volatile in_b, size_t len);
@@ -43,6 +51,10 @@ int CRYPTO_memcmp(const volatile void * volatile in_a, const volatile void * vol
 	(d2i_of_void *)d2i_X509_REVOKED, (char *)(rev))
 #endif
 
+#if !defined(HAVE_X509_STORE_CTX_GET0_STORE)
+#  define X509_STORE_CTX_get0_store(x) ((x)->ctx)
+#endif
+
 #if !defined(HAVE_SSL_IS_SERVER)
 #  define SSL_is_server(s) ((s)->server)
 #endif
@@ -92,6 +104,38 @@ int HMAC_CTX_reset(HMAC_CTX *ctx);
 	CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef)
 #endif
 
+#if !defined(HAVE_X509_CRL_GET0_SIGNATURE)
+void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl);
+#endif
+
+#if !defined(HAVE_X509_REQ_GET0_SIGNATURE)
+void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_REQ *req);
+#endif
+
+#if !defined(HAVE_X509_REVOKED_GET0_SERIALNUMBER)
+#  define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
+#endif
+
+#if !defined(HAVE_X509_REVOKED_GET0_REVOCATIONDATE)
+#  define X509_REVOKED_get0_revocationDate(x) ((x)->revocationDate)
+#endif
+
+#if !defined(HAVE_X509_GET0_TBS_SIGALG)
+#  define X509_get0_tbs_sigalg(x) ((x)->cert_info->signature)
+#endif
+
+#if !defined(HAVE_X509_STORE_CTX_GET0_UNTRUSTED)
+#  define X509_STORE_CTX_get0_untrusted(x) ((x)->untrusted)
+#endif
+
+#if !defined(HAVE_X509_STORE_CTX_GET0_CERT)
+#  define X509_STORE_CTX_get0_cert(x) ((x)->cert)
+#endif
+
+#if !defined(HAVE_X509_STORE_CTX_GET0_CHAIN)
+#  define X509_STORE_CTX_get0_chain(ctx) X509_STORE_CTX_get_chain(ctx)
+#endif
+
 #if !defined(HAVE_OCSP_SINGLERESP_GET0_ID)
 #  define OCSP_SINGLERESP_get0_id(s) ((s)->certId)
 #endif
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index a115878db3..4a7bbad491 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -217,7 +217,7 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
 
     proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx);
     if (!proc)
-	proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_store_ex_verify_cb_idx);
+	proc = (VALUE)X509_STORE_get_ex_data(X509_STORE_CTX_get0_store(ctx), ossl_store_ex_verify_cb_idx);
     if (!proc)
 	return ok;
     if (!NIL_P(proc)) {
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index d0f41c6bb8..0c0425c455 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -178,14 +178,6 @@ ossl_x509attr_get_oid(VALUE self)
     return ret;
 }
 
-#if defined(HAVE_ST_X509_ATTRIBUTE_SINGLE) || defined(HAVE_ST_SINGLE)
-#  define OSSL_X509ATTR_IS_SINGLE(attr)  ((attr)->single)
-#  define OSSL_X509ATTR_SET_SINGLE(attr) ((attr)->single = 1)
-#else
-#  define OSSL_X509ATTR_IS_SINGLE(attr)  (!(attr)->value.set)
-#  define OSSL_X509ATTR_SET_SINGLE(attr) ((attr)->value.set = 0)
-#endif
-
 /*
  * call-seq:
  *    attr.value = asn1 => asn1
@@ -203,12 +195,24 @@ ossl_x509attr_set_value(VALUE self, VALUE value)
 	ossl_raise(eASN1Error, "couldn't set SEQUENCE for attribute value.");
     }
     GetX509Attr(self, attr);
-    if(attr->value.set){
-	if(OSSL_X509ATTR_IS_SINGLE(attr)) ASN1_TYPE_free(attr->value.single);
-	else sk_ASN1_TYPE_free(attr->value.set);
+    if (X509_ATTRIBUTE_count(attr)) {
+	/* populated, reset first */
+	ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+	X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_new();
+	if (!new_attr) {
+	    ASN1_TYPE_free(a1type);
+	    ossl_raise(eX509AttrError, NULL);
+	}
+	SetX509Attr(self, new_attr);
+	X509_ATTRIBUTE_set1_object(new_attr, obj);
+	X509_ATTRIBUTE_free(attr);
+	attr = new_attr;
+    }
+    if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type), a1type->value.ptr, -1)) {
+	ASN1_TYPE_free(a1type);
+	ossl_raise(eX509AttrError, NULL);
     }
-    OSSL_X509ATTR_SET_SINGLE(attr);
-    attr->value.single = a1type;
+    ASN1_TYPE_free(a1type);
 
     return value;
 }
@@ -221,32 +225,48 @@ static VALUE
 ossl_x509attr_get_value(VALUE self)
 {
     X509_ATTRIBUTE *attr;
-    VALUE str, asn1;
+    VALUE str;
     long length;
     unsigned char *p;
+    int count;
 
     GetX509Attr(self, attr);
-    if(attr->value.ptr == NULL) return Qnil;
-    if(OSSL_X509ATTR_IS_SINGLE(attr)){
-	length = i2d_ASN1_TYPE(attr->value.single, NULL);
+    count = X509_ATTRIBUTE_count(attr);
+    if (!count) return Qnil;
+    if (count == 1) {
+	ASN1_TYPE *a1type = X509_ATTRIBUTE_get0_type(attr, 0);
+	length = i2d_ASN1_TYPE(a1type, NULL);
 	str = rb_str_new(0, length);
 	p = (unsigned char *)RSTRING_PTR(str);
-	i2d_ASN1_TYPE(attr->value.single, &p);
-	ossl_str_adjust(str, p);
+	i2d_ASN1_TYPE(a1type, &p);
     }
-    else{
+    else {
+#if defined(i2d_ASN1_SET_OF_ASN1_TYPE)
 	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
-			(unsigned char **) NULL, i2d_ASN1_TYPE,
-			V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+		(unsigned char **)NULL, i2d_ASN1_TYPE,
+		V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
 	str = rb_str_new(0, length);
 	p = (unsigned char *)RSTRING_PTR(str);
-	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
-			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
-	ossl_str_adjust(str, p);
+	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
+		&p, i2d_ASN1_TYPE,
+		V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+#else
+	STACK_OF(ASN1_TYPE) *sk = sk_ASN1_TYPE_new_null();
+	int i;
+
+	if (!sk) ossl_raise(eX509AttrError, "sk_new() failed");
+	for (i = 0; i < count; i++)
+	    sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+	length = i2d_ASN1_SET_ANY(sk, NULL);
+	str = rb_str_new(0, length);
+	p = (unsigned char *)RSTRING_PTR(str);
+	i2d_ASN1_SET_ANY(sk, &p);
+	sk_ASN1_TYPE_free(sk);
+#endif
     }
-    asn1 = rb_funcall(mASN1, rb_intern("decode"), 1, str);
+    ossl_str_adjust(str, p);
 
-    return asn1;
+    return rb_funcall(mASN1, rb_intern("decode"), 1, str);
 }
 
 /*
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index db8ba02375..4b2f744b9d 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -349,9 +349,7 @@ ossl_x509_set_serial(VALUE self, VALUE num)
     X509 *x509;
 
     GetX509(self, x509);
-
-    x509->cert_info->serialNumber =
-	num_to_asn1integer(num, X509_get_serialNumber(x509));
+    X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509)));
 
     return num;
 }
@@ -371,7 +369,7 @@ ossl_x509_get_signature_algorithm(VALUE self)
     out = BIO_new(BIO_s_mem());
     if (!out) ossl_raise(eX509CertError, NULL);
 
-    if (!i2a_ASN1_OBJECT(out, x509->cert_info->signature->algorithm)) {
+    if (!i2a_ASN1_OBJECT(out, X509_get0_tbs_sigalg(x509)->algorithm)) {
 	BIO_free(out);
 	ossl_raise(eX509CertError, NULL);
     }
@@ -671,8 +669,8 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509(self, x509);
-    sk_X509_EXTENSION_pop_free(x509->cert_info->extensions, X509_EXTENSION_free);
-    x509->cert_info->extensions = NULL;
+    while ((ext = X509_delete_ext(x509, 0)))
+	X509_EXTENSION_free(ext);
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
 
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index 3aa695a5ea..50d70dbb88 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -180,6 +180,7 @@ static VALUE
 ossl_x509crl_get_signature_algorithm(VALUE self)
 {
     X509_CRL *crl;
+    X509_ALGOR *alg;
     BIO *out;
     BUF_MEM *buf;
     VALUE str;
@@ -188,7 +189,8 @@ ossl_x509crl_get_signature_algorithm(VALUE self)
     if (!(out = BIO_new(BIO_s_mem()))) {
 	ossl_raise(eX509CRLError, NULL);
     }
-    if (!i2a_ASN1_OBJECT(out, crl->sig_alg->algorithm)) {
+    X509_CRL_get0_signature(NULL, &alg, crl);
+    if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
 	BIO_free(out);
 	ossl_raise(eX509CRLError, NULL);
     }
@@ -239,7 +241,7 @@ ossl_x509crl_set_last_update(VALUE self, VALUE time)
 
     sec = time_to_time_t(time);
     GetX509CRL(self, crl);
-    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
+    if (!X509_time_adj(X509_CRL_get_lastUpdate(crl), 0, &sec)) {
 	ossl_raise(eX509CRLError, NULL);
     }
 
@@ -260,14 +262,18 @@ static VALUE
 ossl_x509crl_set_next_update(VALUE self, VALUE time)
 {
     X509_CRL *crl;
+    ASN1_TIME *tm;
     time_t sec;
 
     sec = time_to_time_t(time);
     GetX509CRL(self, crl);
     /* This must be some thinko in OpenSSL */
-    if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
+    tm = X509_time_adj(X509_CRL_get_nextUpdate(crl), 0, &sec);
+    if (!X509_CRL_set_nextUpdate(crl, tm)) {
+	ASN1_TIME_free(tm);
 	ossl_raise(eX509CRLError, NULL);
     }
+    ASN1_TIME_free(tm);
 
     return time;
 }
@@ -302,6 +308,7 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
 {
     X509_CRL *crl;
     X509_REVOKED *rev;
+    STACK_OF(X509_REVOKED) *rev_stack;
     long i;
 
     Check_Type(ary, T_ARRAY);
@@ -310,8 +317,9 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
     }
     GetX509CRL(self, crl);
-    sk_X509_REVOKED_pop_free(crl->crl->revoked, X509_REVOKED_free);
-    crl->crl->revoked = NULL;
+    rev_stack = X509_CRL_get_REVOKED(crl);
+    while ((rev = sk_X509_REVOKED_delete(rev_stack, 0)))
+	X509_REVOKED_free(rev);
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
 	if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
@@ -484,8 +492,8 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509CRL(self, crl);
-    sk_X509_EXTENSION_pop_free(crl->crl->extensions, X509_EXTENSION_free);
-    crl->crl->extensions = NULL;
+    while ((ext = X509_CRL_delete_ext(crl, 0)))
+	X509_EXTENSION_free(ext);
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
 	if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index a0e28e29ec..ff307c0626 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -282,6 +282,7 @@ ossl_x509name_to_a(VALUE self)
     char long_name[512];
     const char *short_name;
     VALUE ary, vname, ret;
+    ASN1_STRING *value;
 
     GetX509Name(self, name);
     entries = X509_NAME_entry_count(name);
@@ -294,7 +295,8 @@ ossl_x509name_to_a(VALUE self)
 	if (!(entry = X509_NAME_get_entry(name, i))) {
 	    ossl_raise(eX509NameError, NULL);
 	}
-	if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name), entry->object)) {
+	if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name),
+			     X509_NAME_ENTRY_get_object(entry))) {
 	    ossl_raise(eX509NameError, NULL);
 	}
 	nid = OBJ_ln2nid(long_name);
@@ -304,10 +306,11 @@ ossl_x509name_to_a(VALUE self)
 	    short_name = OBJ_nid2sn(nid);
 	    vname = rb_str_new2(short_name); /*do not free*/
 	}
+	value = X509_NAME_ENTRY_get_data(entry);
 	ary = rb_ary_new3(3,
 			  vname,
-        		  rb_str_new((const char *)entry->value->data, entry->value->length),
-        		  INT2FIX(entry->value->type));
+			  rb_str_new((const char *)value->data, value->length),
+			  INT2FIX(value->type));
 	rb_ary_push(ret, ary);
     }
     return ret;
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
index e5ce088a15..0fe856e312 100644
--- a/ext/openssl/ossl_x509req.c
+++ b/ext/openssl/ossl_x509req.c
@@ -302,6 +302,7 @@ static VALUE
 ossl_x509req_get_signature_algorithm(VALUE self)
 {
     X509_REQ *req;
+    X509_ALGOR *alg;
     BIO *out;
     BUF_MEM *buf;
     VALUE str;
@@ -311,7 +312,8 @@ ossl_x509req_get_signature_algorithm(VALUE self)
     if (!(out = BIO_new(BIO_s_mem()))) {
 	ossl_raise(eX509ReqError, NULL);
     }
-    if (!i2a_ASN1_OBJECT(out, req->sig_alg->algorithm)) {
+    X509_REQ_get0_signature(NULL, &alg, req);
+    if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
 	BIO_free(out);
 	ossl_raise(eX509ReqError, NULL);
     }
@@ -426,8 +428,8 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
     }
     GetX509Req(self, req);
-    sk_X509_ATTRIBUTE_pop_free(req->req_info->attributes, X509_ATTRIBUTE_free);
-    req->req_info->attributes = NULL;
+    while ((attr = X509_REQ_delete_attr(req, 0)))
+	X509_ATTRIBUTE_free(attr);
     for (i=0;i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
 	attr = DupX509AttrPtr(item);
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index 46250e1225..6c1834e88d 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -116,16 +116,18 @@ ossl_x509revoked_get_serial(VALUE self)
 
     GetX509Rev(self, rev);
 
-    return asn1integer_to_num(rev->serialNumber);
+    return asn1integer_to_num(X509_REVOKED_get0_serialNumber(rev));
 }
 
 static VALUE
 ossl_x509revoked_set_serial(VALUE self, VALUE num)
 {
     X509_REVOKED *rev;
+    ASN1_INTEGER *ai;
 
     GetX509Rev(self, rev);
-    rev->serialNumber = num_to_asn1integer(num, rev->serialNumber);
+    ai = X509_REVOKED_get0_serialNumber(rev);
+    X509_REVOKED_set_serialNumber(rev, num_to_asn1integer(num, ai));
 
     return num;
 }
@@ -137,7 +139,7 @@ ossl_x509revoked_get_time(VALUE self)
 
     GetX509Rev(self, rev);
 
-    return asn1time_to_time(rev->revocationDate);
+    return asn1time_to_time(X509_REVOKED_get0_revocationDate(rev));
 }
 
 static VALUE
@@ -148,7 +150,7 @@ ossl_x509revoked_set_time(VALUE self, VALUE time)
 
     sec = time_to_time_t(time);
     GetX509Rev(self, rev);
-    if (!X509_time_adj(rev->revocationDate, 0, &sec)) {
+    if (!X509_time_adj(X509_REVOKED_get0_revocationDate(rev), 0, &sec)) {
 	ossl_raise(eX509RevError, NULL);
     }
 
@@ -196,8 +198,8 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509Rev(self, rev);
-    sk_X509_EXTENSION_pop_free(rev->extensions, X509_EXTENSION_free);
-    rev->extensions = NULL;
+    while ((ext = X509_REVOKED_delete_ext(rev, 0)))
+	X509_EXTENSION_free(ext);
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
 	ext = DupX509ExtPtr(item);
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 7a07207fd2..47eca6e929 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -149,8 +149,11 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
 
 /* BUG: This method takes any number of arguments but appears to ignore them. */
     GetX509Store(self, store);
+#if !defined(HAVE_OPAQUE_OPENSSL)
+    /* TODO: what's this? */
     store->ex_data.sk = NULL;
-    X509_STORE_set_verify_cb_func(store, ossl_verify_cb);
+#endif
+    X509_STORE_set_verify_cb(store, ossl_verify_cb);
     ossl_x509store_set_vfy_cb(self, Qnil);
 
     /* last verification status */
@@ -382,10 +385,10 @@ static void
 ossl_x509stctx_free(void *ptr)
 {
     X509_STORE_CTX *ctx = ptr;
-    if(ctx->untrusted)
-	sk_X509_pop_free(ctx->untrusted, X509_free);
-    if(ctx->cert)
-	X509_free(ctx->cert);
+    if (X509_STORE_CTX_get0_untrusted(ctx))
+	sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
+    if (X509_STORE_CTX_get0_cert(ctx))
+	X509_free(X509_STORE_CTX_get0_cert(ctx));
     X509_STORE_CTX_free(ctx);
 }
 
@@ -459,7 +462,7 @@ ossl_x509stctx_get_chain(VALUE self)
     VALUE ary;
 
     GetX509StCtx(self, ctx);
-    if((chain = X509_STORE_CTX_get_chain(ctx)) == NULL){
+    if((chain = X509_STORE_CTX_get0_chain(ctx)) == NULL){
         return Qnil;
     }
     if((num = sk_X509_num(chain)) < 0){
@@ -532,11 +535,14 @@ static VALUE
 ossl_x509stctx_get_curr_crl(VALUE self)
 {
     X509_STORE_CTX *ctx;
+    X509_CRL *crl;
 
     GetX509StCtx(self, ctx);
-    if(!ctx->current_crl) return Qnil;
+    crl = X509_STORE_CTX_get0_current_crl(ctx);
+    if (!crl)
+	return Qnil;
 
-    return ossl_x509crl_new(ctx->current_crl);
+    return ossl_x509crl_new(crl);
 }
 
 static VALUE