authorshyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2010-06-21 09:18:59 +0000
committershyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2010-06-21 09:18:59 +0000
commit1ae16961956c2459c0f29b676c5da9cb9cc875bf (patch)
tree37800b37cb336e24813ae4d74b26df81a361947b
parentc9915e5b08bbb58618b2bbc2dcbc9dafd5c1ba84 (diff)
merge revision(s) 26836:26859,26861,27921:
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by backporting. (see [ruby-dev:40573]) use long in according to OpenSSL API. (SSL_SESSION_{get,set}_time{,out}) * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper for X509_NAME_hash_old in OpenSSL 1.0.0. * test/openssl/test_x509name.rb (test_hash): make test pass with OpenSSL 1.0.0. * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5. * PKey::PKey#verify raises an exception when a given PKey does not match with signature. * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1. * backport the commit from trunk: Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org> * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0. patched by Jeroen van Meeuwen at [ruby-core:25210] fixed by Nobuyoshi Nakada [ruby-core:25238], Hongli Lai [ruby-core:27417], and Motohiro KOSAKI [ruby-core:28063] * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab), (ossl_ssl_cipher_to_ary): constified. * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls): split pkcs7_get_certs_or_crls. * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is truncated with ec_key.group.order.size after openssl 0.9.8m for FIPS 186-3 compliance. WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns false when you pass dgst longer than expected (no truncation performed). * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed. * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098 macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m. OpenSSL 1.0.0beta5 has a slightly different definiton so it could be a temporal workaround for 0.9.8 and 1.0.0 dual support. * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function definition in OpenSSL 1.0.0beta5. 
PKCS5_PBKDF2_HMAC is from 1.0.0 (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1) * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use SSL_SESSION_cmp and implement equality func by ousrself. See the comment. * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0. * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which exists. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@28367 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog75
-rw-r--r--ext/openssl/extconf.rb9
-rw-r--r--ext/openssl/ossl.c6
-rw-r--r--ext/openssl/ossl.h7
-rw-r--r--ext/openssl/ossl_config.c12
-rw-r--r--ext/openssl/ossl_engine.c18
-rw-r--r--ext/openssl/ossl_pkcs5.c7
-rw-r--r--ext/openssl/ossl_pkcs7.c40
-rw-r--r--ext/openssl/ossl_pkey_ec.c2
-rw-r--r--ext/openssl/ossl_ssl.c4
-rw-r--r--ext/openssl/ossl_ssl_session.c15
-rw-r--r--ext/openssl/ossl_x509attr.c5
-rw-r--r--ext/openssl/ossl_x509crl.c4
-rw-r--r--ext/openssl/ossl_x509name.c24
-rw-r--r--test/openssl/test_ec.rb4
-rw-r--r--test/openssl/test_x509cert.rb39
-rw-r--r--test/openssl/test_x509crl.rb28
-rw-r--r--test/openssl/test_x509req.rb38
-rw-r--r--version.h8
19 files changed, 278 insertions, 67 deletions
diff --git a/ChangeLog b/ChangeLog
index 2ee35d45b9..83b7176bea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,78 @@
+Mon Jun 21 18:12:15 2010 NAKAMURA Usaku <usa@ruby-lang.org>
+
+ * ext/openssl/extconf.rb: check some functions added at OpenSSL 1.0.0.
+
+ * ext/openssl/ossl_engine.c (ossl_engine_s_load): use engines which
+ exists.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_config.c: defined own IMPLEMENT_LHASH_DOALL_ARG_FN_098
+ macro according to IMPLEMENT_LHASH_DOALL_ARG_FN in OpenSSL 0.9.8m.
+ OpenSSL 1.0.0beta5 has a slightly different definiton so it could
+ be a temporal workaround for 0.9.8 and 1.0.0 dual support.
+
+ * ext/openssl/ossl_pkcs5.c (ossl_pkcs5_pbkdf2_hmac): follows function
+ definition in OpenSSL 1.0.0beta5. PKCS5_PBKDF2_HMAC is from 1.0.0
+ (0.9.8 only has PKCS5_PBKDF2_HMAC_SHA1)
+
+ * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_eq): do not use
+ SSL_SESSION_cmp and implement equality func by ousrself. See the
+ comment.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_ssl_session.c
+ (ossl_ssl_session_{get,set}_time{,out}): fixed a bug introduced by
+ backporting. (see [ruby-dev:40573]) use long in according to
+ OpenSSL API. (SSL_SESSION_{get,set}_time{,out})
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_x509name.c: added X509::Name#hash_old as a wrapper
+ for X509_NAME_hash_old in OpenSSL 1.0.0.
+
+ * test/openssl/test_x509name.rb (test_hash): make test pass with
+ OpenSSL 1.0.0.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * test/openssl/test_x509*: make tests pass with OpenSSL 1.0.0b5.
+ * PKey::PKey#verify raises an exception when a given PKey does not
+ match with signature.
+ * PKey::DSA#sign accepts SHA1, SHA256 other than DSS1.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * backport the commit from trunk:
+ Sun Feb 28 11:49:35 2010 NARUSE, Yui <naruse@ruby-lang.org>
+
+ * openssl/ossl.c (OSSL_IMPL_SK2ARY): for OpenSSL 1.0.
+ patched by Jeroen van Meeuwen at [ruby-core:25210]
+ fixed by Nobuyoshi Nakada [ruby-core:25238],
+ Hongli Lai [ruby-core:27417],
+ and Motohiro KOSAKI [ruby-core:28063]
+
+ * ext/openssl/ossl_ssl.c (ossl_ssl_method_tab),
+ (ossl_ssl_cipher_to_ary): constified.
+
+ * ext/openssl/ossl_pkcs7.c (pkcs7_get_certs, pkcs7_get_crls):
+ split pkcs7_get_certs_or_crls.
+
+Mon Jun 21 18:12:15 2010 NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+
+ * test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
+ truncated with ec_key.group.order.size after openssl 0.9.8m for
+ FIPS 186-3 compliance.
+
+ WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
+ openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
+ OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
+ false when you pass dgst longer than expected (no truncation
+ performed).
+
+ * ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
+
Wed Jun 16 16:01:42 2010 Tanaka Akira <akr@fsij.org>
* lib/pathname.rb (Pathname#sub): suppress a warning.
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 63ec7f2054..6554eba653 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -91,6 +91,7 @@ have_func("X509_CRL_add0_revoked")
have_func("X509_CRL_set_issuer_name")
have_func("X509_CRL_set_version")
have_func("X509_CRL_sort")
+have_func("X509_NAME_hash_old")
have_func("X509_STORE_get_ex_data")
have_func("X509_STORE_set_ex_data")
have_func("OBJ_NAME_do_all_sorted")
@@ -106,6 +107,14 @@ if have_header("openssl/engine.h")
have_func("ENGINE_get_digest")
have_func("ENGINE_get_cipher")
have_func("ENGINE_cleanup")
+ have_func("ENGINE_load_4758cca")
+ have_func("ENGINE_load_aep")
+ have_func("ENGINE_load_atalla")
+ have_func("ENGINE_load_chil")
+ have_func("ENGINE_load_cswift")
+ have_func("ENGINE_load_nuron")
+ have_func("ENGINE_load_sureware")
+ have_func("ENGINE_load_ubsec")
end
if try_compile(<<SRC)
#include <openssl/opensslv.h>
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index fd9429b170..7aa2c0d449 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -92,7 +92,7 @@ ossl_x509_ary2sk(VALUE ary)
#define OSSL_IMPL_SK2ARY(name, type) \
VALUE \
-ossl_##name##_sk2ary(STACK *sk) \
+ossl_##name##_sk2ary(STACK_OF(type) *sk) \
{ \
type *t; \
int i, num; \
@@ -102,7 +102,7 @@ ossl_##name##_sk2ary(STACK *sk) \
OSSL_Debug("empty sk!"); \
return Qnil; \
} \
- num = sk_num(sk); \
+ num = sk_##type##_num(sk); \
if (num < 0) { \
OSSL_Debug("items in sk < -1???"); \
return rb_ary_new(); \
@@ -110,7 +110,7 @@ ossl_##name##_sk2ary(STACK *sk) \
ary = rb_ary_new2(num); \
\
for (i=0; i<num; i++) { \
- t = (type *)sk_value(sk, i); \
+ t = sk_##type##_value(sk, i); \
rb_ary_push(ary, ossl_##name##_new(t)); \
} \
return ary; \
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 31fd7d7c1b..9944a862e4 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -108,6 +108,13 @@ extern VALUE eOSSLError;
} while (0)
/*
+ * Compatibility
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#define STACK _STACK
+#endif
+
+/*
* String to HEXString conversion
*/
int string2hex(char *, int, char **, int *);
diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
index 606edfc3ad..f5e57ba1f2 100644
--- a/ext/openssl/ossl_config.c
+++ b/ext/openssl/ossl_config.c
@@ -313,6 +313,12 @@ ossl_config_get_section_old(VALUE self, VALUE section)
}
#ifdef IMPLEMENT_LHASH_DOALL_ARG_FN
+#define IMPLEMENT_LHASH_DOALL_ARG_FN_098(f_name,o_type,a_type) \
+ void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
+ o_type a = (o_type)arg1; \
+ a_type b = (a_type)arg2; \
+ f_name(a,b); }
+
static void
get_conf_section(CONF_VALUE *cv, VALUE ary)
{
@@ -320,7 +326,7 @@ get_conf_section(CONF_VALUE *cv, VALUE ary)
rb_ary_push(ary, rb_str_new2(cv->section));
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(get_conf_section, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(get_conf_section, CONF_VALUE*, VALUE)
static VALUE
ossl_config_get_sections(VALUE self)
@@ -358,7 +364,7 @@ dump_conf_value(CONF_VALUE *cv, VALUE str)
rb_str_cat2(str, "\n");
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_conf_value, CONF_VALUE*, VALUE)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(dump_conf_value, CONF_VALUE*, VALUE)
static VALUE
dump_conf(CONF *conf)
@@ -402,7 +408,7 @@ each_conf_value(CONF_VALUE *cv, void* dummy)
}
}
-static IMPLEMENT_LHASH_DOALL_ARG_FN(each_conf_value, CONF_VALUE*, void*)
+static IMPLEMENT_LHASH_DOALL_ARG_FN_098(each_conf_value, CONF_VALUE*, void*)
static VALUE
ossl_config_each(VALUE self)
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index c0eb180019..c6fc603a1e 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -61,16 +61,34 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
}
StringValue(name);
#ifndef OPENSSL_NO_STATIC_ENGINE
+#if HAVE_ENGINE_LOAD_DYNAMIC
OSSL_ENGINE_LOAD_IF_MATCH(dynamic);
+#endif
+#if HAVE_ENGINE_LOAD_CSWIFT
OSSL_ENGINE_LOAD_IF_MATCH(cswift);
+#endif
+#if HAVE_ENGINE_LOAD_CHIL
OSSL_ENGINE_LOAD_IF_MATCH(chil);
+#endif
+#if HAVE_ENGINE_LOAD_ATALLA
OSSL_ENGINE_LOAD_IF_MATCH(atalla);
+#endif
+#if HAVE_ENGINE_LOAD_NURON
OSSL_ENGINE_LOAD_IF_MATCH(nuron);
+#endif
+#if HAVE_ENGINE_LOAD_UBSEC
OSSL_ENGINE_LOAD_IF_MATCH(ubsec);
+#endif
+#if HAVE_ENGINE_LOAD_AEP
OSSL_ENGINE_LOAD_IF_MATCH(aep);
+#endif
+#if HAVE_ENGINE_LOAD_SUREWARE
OSSL_ENGINE_LOAD_IF_MATCH(sureware);
+#endif
+#if HAVE_ENGINE_LOAD_4758CCA
OSSL_ENGINE_LOAD_IF_MATCH(4758cca);
#endif
+#endif
#ifdef HAVE_ENGINE_LOAD_OPENBSD_DEV_CRYPTO
OSSL_ENGINE_LOAD_IF_MATCH(openbsd_dev_crypto);
#endif
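Review bot: The `dynamic` engine is now wrapped in `#if HAVE_ENGINE_LOAD_DYNAMIC`, but the extconf.rb hunk in this commit adds `have_func` checks only for the eight hardware engines, not for `ENGINE_load_dynamic`. Unless that check already exists in a part of extconf.rb outside the visible hunks, the macro is never defined and ossl_engine_s_load will silently skip the dynamic engine; adding `have_func("ENGINE_load_dynamic")` next to the other checks would close the gap. The new guards also use `#if HAVE_...` while the existing `openbsd_dev_crypto` guard directly below uses `#ifdef`, so `#ifdef` throughout would be consistent. ossl_engine_s_load starts and ends outside the hunk.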
diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c
index 007889fc94..39ba013839 100644
--- a/ext/openssl/ossl_pkcs5.c
+++ b/ext/openssl/ossl_pkcs5.c
@@ -29,14 +29,17 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key
VALUE str;
const EVP_MD *md;
int len = NUM2INT(keylen);
+ unsigned char* salt_p;
+ unsigned char* str_p;
StringValue(pass);
StringValue(salt);
md = GetDigestPtr(digest);
-
str = rb_str_new(0, len);
+ salt_p = (unsigned char*)RSTRING_PTR(salt);
+ str_p = (unsigned char*)RSTRING_PTR(str);
- if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
+ if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), salt_p, RSTRING_LEN(salt), NUM2INT(iter), md, len, str_p) != 1)
ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
return str;
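Review bot: The rewritten `PKCS5_PBKDF2_HMAC` call still passes `NUM2INT(iter)` through with no range check, so a zero or negative iteration count reaches OpenSSL unvalidated (a negative `len` is presumably rejected earlier by `rb_str_new`). For a password-based KDF a non-positive iteration count should be refused before the call rather than left to library behaviour, e.g. `if (NUM2INT(iter) <= 0) ossl_raise(ePKCS5, "iterations must be positive");`. `RSTRING_LEN(pass)` and `RSTRING_LEN(salt)` are also narrowed to the `int` length parameters of the OpenSSL prototype without a bounds check. The function body starts and ends outside the hunk.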
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
index 6918844779..5177f5c1e5 100644
--- a/ext/openssl/ossl_pkcs7.c
+++ b/ext/openssl/ossl_pkcs7.c
@@ -570,12 +570,11 @@ ossl_pkcs7_add_certificate(VALUE self, VALUE cert)
return self;
}
-static STACK *
-pkcs7_get_certs_or_crls(VALUE self, int want_certs)
+static STACK_OF(X509) *
+pkcs7_get_certs(VALUE self)
{
PKCS7 *pkcs7;
STACK_OF(X509) *certs;
- STACK_OF(X509_CRL) *crls;
int i;
GetPKCS7(self, pkcs7);
@@ -583,17 +582,38 @@ pkcs7_get_certs_or_crls(VALUE self, int want_certs)
switch(i){
case NID_pkcs7_signed:
certs = pkcs7->d.sign->cert;
- crls = pkcs7->d.sign->crl;
break;
case NID_pkcs7_signedAndEnveloped:
certs = pkcs7->d.signed_and_enveloped->cert;
+ break;
+ default:
+ certs = NULL;
+ }
+
+ return certs;
+}
+
+static STACK_OF(X509_CRL) *
+pkcs7_get_crls(VALUE self)
+{
+ PKCS7 *pkcs7;
+ STACK_OF(X509_CRL) *crls;
+ int i;
+
+ GetPKCS7(self, pkcs7);
+ i = OBJ_obj2nid(pkcs7->type);
+ switch(i){
+ case NID_pkcs7_signed:
+ crls = pkcs7->d.sign->crl;
+ break;
+ case NID_pkcs7_signedAndEnveloped:
crls = pkcs7->d.signed_and_enveloped->crl;
break;
default:
- certs = crls = NULL;
+ crls = NULL;
}
- return want_certs ? certs : crls;
+ return crls;
}
static VALUE
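Review bot: Both new helpers return NULL for any PKCS7 type other than signed and signedAndEnveloped, and nothing in the code says so; `ossl_pkcs7_set_certificates` and `ossl_pkcs7_set_crls` then pass that pointer straight to `sk_X509_pop` / `sk_X509_CRL_pop`. A short comment above each helper would make the contract explicit, for example `/* Returns the embedded stack, or NULL when the PKCS7 type carries none; callers must tolerate NULL. */`. The helpers also dereference `pkcs7->d.sign` and `pkcs7->d.signed_and_enveloped` without a NULL check, which is worth confirming is always safe for objects parsed from untrusted input. pkcs7_get_certs begins in the preceding hunk.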
@@ -608,7 +628,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
STACK_OF(X509) *certs;
X509 *cert;
- certs = pkcs7_get_certs_or_crls(self, 1);
+ certs = pkcs7_get_certs(self);
while((cert = sk_X509_pop(certs))) X509_free(cert);
rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_certs_i, self);
@@ -618,7 +638,7 @@ ossl_pkcs7_set_certificates(VALUE self, VALUE ary)
static VALUE
ossl_pkcs7_get_certificates(VALUE self)
{
- return ossl_x509_sk2ary(pkcs7_get_certs_or_crls(self, 1));
+ return ossl_x509_sk2ary(pkcs7_get_certs(self));
}
static VALUE
@@ -648,7 +668,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
STACK_OF(X509_CRL) *crls;
X509_CRL *crl;
- crls = pkcs7_get_certs_or_crls(self, 0);
+ crls = pkcs7_get_crls(self);
while((crl = sk_X509_CRL_pop(crls))) X509_CRL_free(crl);
rb_block_call(ary, rb_intern("each"), 0, 0, ossl_pkcs7_set_crls_i, self);
@@ -658,7 +678,7 @@ ossl_pkcs7_set_crls(VALUE self, VALUE ary)
static VALUE
ossl_pkcs7_get_crls(VALUE self)
{
- return ossl_x509crl_sk2ary(pkcs7_get_certs_or_crls(self, 0));
+ return ossl_x509crl_sk2ary(pkcs7_get_crls(self));
}
static VALUE
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index f02fcd831d..cbdad3f12b 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -681,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
/*
* call-seq:
- * key.dsa_verify(data, sig) => true or false
+ * key.dsa_verify_asn1(data, sig) => true or false
*
* See the OpenSSL documentation for ECDSA_verify()
*/
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index fb3cf5c2ad..1ee391c794 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1196,10 +1196,10 @@ ossl_ssl_get_peer_cert_chain(VALUE self)
}
chain = SSL_get_peer_cert_chain(ssl);
if(!chain) return Qnil;
- num = sk_num(chain);
+ num = sk_X509_num(chain);
ary = rb_ary_new2(num);
for (i = 0; i < num; i++){
- cert = (X509*)sk_value(chain, i);
+ cert = sk_X509_value(chain, i);
rb_ary_push(ary, ossl_x509_new(cert));
}
diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c
index 86f9d80cef..b416e76920 100644
--- a/ext/openssl/ossl_ssl_session.c
+++ b/ext/openssl/ossl_ssl_session.c
@@ -86,9 +86,18 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2)
GetSSLSession(val1, ctx1);
SafeGetSSLSession(val2, ctx2);
- switch (SSL_SESSION_cmp(ctx1, ctx2)) {
- case 0: return Qtrue;
- default: return Qfalse;
+ /*
+ * OpenSSL 1.0.0betas do not have non-static SSL_SESSION_cmp.
+ * ssl_session_cmp (was SSL_SESSION_cmp in 0.9.8) is for lhash
+ * comparing so we should not depend on it. Just compare sessions
+ * by version and id.
+ */
+ if ((ctx1->ssl_version == ctx2->ssl_version) &&
+ (ctx1->session_id_length == ctx2->session_id_length) &&
+ (memcmp(ctx1->session_id, ctx2->session_id, ctx1->session_id_length) == 0)) {
+ return Qtrue;
+ } else {
+ return Qfalse;
}
}
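Review bot: The new comparison reads `ssl_version`, `session_id_length` and `session_id` directly from the SSL_SESSION struct, which ties the extension to the struct layout of whichever OpenSSL it is built against. If every supported OpenSSL version provides `SSL_SESSION_get_id()`, comparing the id and length it returns would avoid the field access; that availability should be confirmed for the 0.9.8 builds first. The block comment could also state that two sessions with the same version and id are treated as equal regardless of any other session state. The function starts outside the hunk.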
diff --git a/ext/openssl/ossl_x509attr.c b/ext/openssl/ossl_x509attr.c
index ca1c59aba9..949785a80b 100644
--- a/ext/openssl/ossl_x509attr.c
+++ b/ext/openssl/ossl_x509attr.c
@@ -217,8 +217,9 @@ ossl_x509attr_get_value(VALUE self)
ossl_str_adjust(str, p);
}
else{
- length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, NULL,
- i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
+ length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
+ (unsigned char **) NULL, i2d_ASN1_TYPE,
+ V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
str = rb_str_new(0, length);
p = RSTRING_PTR(str);
i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index be9ddacf48..e6d0c2eb3c 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -262,7 +262,7 @@ ossl_x509crl_get_revoked(VALUE self)
VALUE ary, revoked;
GetX509CRL(self, crl);
- num = sk_X509_CRL_num(X509_CRL_get_REVOKED(crl));
+ num = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
if (num < 0) {
OSSL_Debug("num < 0???");
return rb_ary_new();
@@ -270,7 +270,7 @@ ossl_x509crl_get_revoked(VALUE self)
ary = rb_ary_new2(num);
for(i=0; i<num; i++) {
/* NO DUP - don't free! */
- rev = (X509_REVOKED *)sk_X509_CRL_value(X509_CRL_get_REVOKED(crl), i);
+ rev = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
revoked = ossl_x509revoked_new(rev);
rb_ary_push(ary, revoked);
}
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 220dc069af..55f5b58d64 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -306,6 +306,27 @@ ossl_x509name_hash(VALUE self)
return ULONG2NUM(hash);
}
+#ifdef HAVE_X509_NAME_HASH_OLD
+/*
+ * call-seq:
+ * name.hash_old => integer
+ *
+ * hash_old returns MD5 based hash used in OpenSSL 0.9.X.
+ */
+static VALUE
+ossl_x509name_hash_old(VALUE self)
+{
+ X509_NAME *name;
+ unsigned long hash;
+
+ GetX509Name(self, name);
+
+ hash = X509_NAME_hash_old(name);
+
+ return ULONG2NUM(hash);
+}
+#endif
+
/*
* call-seq:
* name.to_der => string
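Review bot: The rdoc for `hash_old` says only that it returns the MD5-based hash from OpenSSL 0.9.X; it should also say what the value is for and that it carries no security property. Suggested wording: `hash_old returns the MD5 based name hash used by OpenSSL 0.9.X. It is a short lookup key kept for compatibility with older tools, not a collision-resistant digest.` It would also help to note that the method is defined only when the linked OpenSSL provides `X509_NAME_hash_old`, so callers should check `respond_to?(:hash_old)` before using it.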
@@ -351,6 +372,9 @@ Init_ossl_x509name()
rb_define_alias(cX509Name, "<=>", "cmp");
rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1);
rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0);
+#ifdef HAVE_X509_NAME_HASH_OLD
+ rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0);
+#endif
rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0);
utf8str = INT2NUM(V_ASN1_UTF8STRING);
diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb
index 671901ca36..eb1c61e1a9 100644
--- a/test/openssl/test_ec.rb
+++ b/test/openssl/test_ec.rb
@@ -87,9 +87,7 @@ class OpenSSL::TestEC < Test::Unit::TestCase
def test_dsa_sign_verify
for key in @keys
sig = key.dsa_sign_asn1(@data1)
- assert_equal(key.dsa_verify_asn1(@data1, sig), true)
-
- assert_raises(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+ assert(key.dsa_verify_asn1(@data1, sig))
end
end
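Review bot: After this change `test_dsa_sign_verify` asserts only the success path; the removed `assert_raises` was its one negative check and nothing replaces it in this hunk. The ChangeLog entry mentions a new `test_dsa_sign_asn1_FIPS186_3`, but it is not visible here, so as shown the handling of an over-long digest is no longer pinned by any assertion. A version-independent negative check would keep the test meaningful, for instance `assert(!key.dsa_verify_asn1(other_digest, sig))`, where `other_digest` is a value of the same length as `@data1` but with different content.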
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index a5a75ff1b6..cf5e6f7aab 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -129,13 +129,31 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
end
+ def test_sign_and_verify_wrong_key_type
+ cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::SHA1.new)
+ cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, cert_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::CertificateError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, cert_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::CertificateError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::SHA1.new)
assert_equal(false, cert.verify(@rsa1024))
assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, cert.verify(@dsa256))
- assert_equal(false, cert.verify(@dsa512))
cert.serial = 2
assert_equal(false, cert.verify(@rsa2048))
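Review bot: `test_sign_and_verify_wrong_key_type` passes whether `verify` returns false or raises, so it documents the behaviour without pinning it, and the rescue branch couples the test to the exact OpenSSL error text `'wrong public key type'`. The more important consequence is for callers: with OpenSSL 1.0.0 a key-type mismatch surfaces as `OpenSSL::X509::CertificateError` instead of `false`, so code that treats `verify` as a plain boolean has to treat the exception as a failed verification too. A comment above the test would make that explicit, such as `# verify may return false or raise depending on the OpenSSL version; both mean "not verified"`. The same pattern appears in the new tests in test_x509crl.rb and test_x509req.rb.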
@@ -143,33 +161,22 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
nil, nil, OpenSSL::Digest::MD5.new)
assert_equal(false, cert.verify(@rsa1024))
assert_equal(true, cert.verify(@rsa2048))
- assert_equal(false, cert.verify(@dsa256))
- assert_equal(false, cert.verify(@dsa512))
cert.subject = @ee1
assert_equal(false, cert.verify(@rsa2048))
cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::DSS1.new)
- assert_equal(false, cert.verify(@rsa1024))
- assert_equal(false, cert.verify(@rsa2048))
assert_equal(false, cert.verify(@dsa256))
assert_equal(true, cert.verify(@dsa512))
cert.not_after = Time.now
assert_equal(false, cert.verify(@dsa512))
+ end
+ def test_dsig_algorithm_mismatch
assert_raises(OpenSSL::X509::CertificateError){
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::DSS1.new)
}
- assert_raises(OpenSSL::X509::CertificateError){
- cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::MD5.new)
- }
- assert_raises(OpenSSL::X509::CertificateError){
- cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::SHA1.new)
- }
+ end
end
end
-
-end
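Review bot: `test_dsig_algorithm_mismatch` here keeps only the RSA-key/DSS1 case and drops both DSA cases, while the matching test added in test_x509req.rb still expects `issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)` to raise. The ChangeLog says DSA#sign now accepts SHA1 and SHA256, not MD5, so the DSA/MD5 expectation was presumably still valid and could stay: `assert_raises(OpenSSL::X509::CertificateError){ issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], nil, nil, OpenSSL::Digest::MD5.new) }`. The `cert =` assignment inside the remaining block is unused and can be dropped.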
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 444a00a586..c59ff52380 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -190,6 +190,30 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
assert_match((2**100).to_s, crl.extensions[0].value)
end
+ def test_sign_and_verify_wrong_key_type
+ cert_rsa = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::SHA1.new)
+ crl_rsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert_rsa, @rsa2048, OpenSSL::Digest::SHA1.new)
+ cert_dsa = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
+ nil, nil, OpenSSL::Digest::DSS1.new)
+ crl_dsa = issue_crl([], 1, Time.now, Time.now+1600, [],
+ cert_dsa, @dsa512, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, crl_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::CRLError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, crl_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::CRLError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
nil, nil, OpenSSL::Digest::SHA1.new)
@@ -197,8 +221,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
cert, @rsa2048, OpenSSL::Digest::SHA1.new)
assert_equal(false, crl.verify(@rsa1024))
assert_equal(true, crl.verify(@rsa2048))
- assert_equal(false, crl.verify(@dsa256))
- assert_equal(false, crl.verify(@dsa512))
crl.version = 0
assert_equal(false, crl.verify(@rsa2048))
@@ -206,8 +228,6 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
nil, nil, OpenSSL::Digest::DSS1.new)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
cert, @dsa512, OpenSSL::Digest::DSS1.new)
- assert_equal(false, crl.verify(@rsa1024))
- assert_equal(false, crl.verify(@rsa2048))
assert_equal(false, crl.verify(@dsa256))
assert_equal(true, crl.verify(@dsa512))
crl.version = 0
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index a37ed5c5ef..6186bcea0c 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -103,37 +103,51 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase
assert_equal(exts, get_ext_req(attrs[1].value))
end
+ def test_sign_and_verify_wrong_key_type
+ req_rsa = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
+ req_dsa = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+ begin
+ assert_equal(false, req_rsa.verify(@dsa256))
+ rescue OpenSSL::X509::RequestError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+
+ begin
+ assert_equal(false, req_dsa.verify(@rsa1024))
+ rescue OpenSSL::X509::RequestError => e
+ # OpenSSL 1.0.0 added checks for pkey OID
+ assert_equal('wrong public key type', e.message)
+ end
+ end
+
def test_sign_and_verify
req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::SHA1.new)
assert_equal(true, req.verify(@rsa1024))
assert_equal(false, req.verify(@rsa2048))
- assert_equal(false, req.verify(@dsa256))
- assert_equal(false, req.verify(@dsa512))
req.version = 1
assert_equal(false, req.verify(@rsa1024))
req = issue_csr(0, @dn, @rsa2048, OpenSSL::Digest::MD5.new)
assert_equal(false, req.verify(@rsa1024))
assert_equal(true, req.verify(@rsa2048))
- assert_equal(false, req.verify(@dsa256))
- assert_equal(false, req.verify(@dsa512))
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
assert_equal(false, req.verify(@rsa2048))
req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
- assert_equal(false, req.verify(@rsa1024))
- assert_equal(false, req.verify(@rsa2048))
assert_equal(false, req.verify(@dsa256))
assert_equal(true, req.verify(@dsa512))
req.public_key = @rsa1024.public_key
assert_equal(false, req.verify(@dsa512))
+ end
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) }
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) }
- assert_raise(OpenSSL::X509::RequestError){
- issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) }
+ def test_dsig_algorithm_mismatch
+ assert_raise(OpenSSL::X509::RequestError) do
+ issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new)
+ end
+ assert_raise(OpenSSL::X509::RequestError) do
+ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new)
+ end
end
end
diff --git a/version.h b/version.h
index e85620a14f..607d9cbbb2 100644
--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-06-16"
+#define RUBY_RELEASE_DATE "2010-06-21"
#define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20100616
-#define RUBY_PATCHLEVEL 296
+#define RUBY_RELEASE_CODE 20100621
+#define RUBY_PATCHLEVEL 297
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 7
#define RUBY_RELEASE_YEAR 2010
#define RUBY_RELEASE_MONTH 6
-#define RUBY_RELEASE_DAY 16
+#define RUBY_RELEASE_DAY 21
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];