From de0294240e7f8a6ede64b0ca3b3b00c9bfd88c2a Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Wed, 8 Apr 2020 16:06:30 +0900
Subject: [PATCH 1/5] Suppress -Wshorten-64-to-32 warnings [ Cherry-picked from ruby.git commit d8720eb7de9c. ]
---
 ext/openssl/ossl_ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 34bb636ea..337ce5d64 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -2324,7 +2324,7 @@ ossl_ssl_get_verify_result(VALUE self)
 GetSSL(self, ssl);
- return INT2NUM(SSL_get_verify_result(ssl));
+ return LONG2NUM(SSL_get_verify_result(ssl));
 }
 /*
From 306b26ae68824e89c33f69fe2bf6bb170bed8343 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh
Date: Wed, 13 May 2020 13:45:31 +0900
Subject: [PATCH 2/5] ext/openssl/ossl.h: Remove a variable that is used only in assert It produces "unused variable" warnings in NDEBUG mode [ Cherry-picked from ruby.git commit 3bca1b6aadff. ]
---
 ext/openssl/ossl.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 8074afcd7..c20f506bd 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -88,9 +88,8 @@ VALUE ossl_buf2str(char *buf, int len);
 VALUE ossl_str_new(const char *, long, int *);
 #define ossl_str_adjust(str, p) \
 do{\
- long len = RSTRING_LEN(str);\
 long newlen = (long)((p) - (unsigned char*)RSTRING_PTR(str));\
- assert(newlen <= len);\
+ assert(newlen <= RSTRING_LEN(str));\
 rb_str_set_len((str), newlen);\
 }while(0)
 /*
From ea925619a99cc706556214a807260b0e5d30cd45 Mon Sep 17 00:00:00 2001
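Review bot: In the `ext/openssl/ossl.h` hunk (PATCH 2/5), the only bound on `newlen` in `ossl_str_adjust` is still an `assert`, and the commit message itself targets NDEBUG builds, where that assert is compiled out and nothing in the macro compares the computed length with `RSTRING_LEN(str)` before `rb_str_set_len((str), newlen)` runs. A negative `newlen` (a `p` that ends up before the buffer start) is not checked in any build. If the callers cannot guarantee that `p` stays inside the string buffer, a check that survives release builds is worth having in place of the assert, for example `if (newlen < 0 || newlen > RSTRING_LEN(str)) rb_bug("ossl_str_adjust: length out of range");`; whether `rb_str_set_len` already rejects such a value is not visible from this hunk. Separately, `str` is expanded three times in the macro, so a short comment above it such as `/* str and p are evaluated more than once; p must point into str's buffer */` would document the contract for callers.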
From: Kazuki Yamaguchi
Date: Wed, 13 May 2020 14:33:06 +0900
Subject: [PATCH 3/5] ssl: temporarily remove SSLContext#add_certificate_chain_file Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
---
 ext/openssl/ossl_ssl.c | 16 ----------------
 test/openssl/test_ssl.rb | 28 ----------------------------
 2 files changed, 44 deletions(-)
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 337ce5d64..fe2e85b86 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1329,21 +1329,6 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
 return self;
 }
-static VALUE
-ossl_sslctx_add_certificate_chain_file(VALUE self, VALUE path)
-{
- SSL_CTX *ctx;
- int ret;
-
- GetSSLCTX(self, ctx);
- StringValueCStr(path);
- ret = SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path));
- if (ret != 1)
- ossl_raise(eSSLError, "SSL_CTX_use_certificate_chain_file");
-
- return Qtrue;
-}
-
 /*
 * call-seq:
 * ctx.session_add(session) -> true | false
@@ -2795,7 +2780,6 @@ Init_ossl_ssl(void)
 rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0);
 #endif
 rb_define_method(cSSLContext, "add_certificate", ossl_sslctx_add_certificate, -1);
- rb_define_method(cSSLContext, "add_certificate_chain_file", ossl_sslctx_add_certificate_chain_file, 1);
 rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
 rb_define_alias(cSSLContext, "freeze", "setup");
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 4598927a1..6095d545b 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -189,34 +189,6 @@ def test_add_certificate_multiple_certs
 end
 end
- def test_add_certificate_chain_file
- # Create chain certificates file
- certs = Tempfile.open { |f| f << @svr_cert.to_pem << @ca_cert.to_pem; f }
- pkey = Tempfile.open { |f| f << @svr_key.to_pem; f }
-
- ctx_proc = -> ctx {
- # FIXME: This is a temporary test case written just to match the current
- # state. ctx.add_certificate_chain_file should take two arguments.
- ctx.add_certificate_chain_file(certs.path)
- # # Unset values set by start_server
- # ctx.cert = ctx.key = ctx.extra_chain_cert = nil
- # assert_nothing_raised { ctx.add_certificate_chain_file(certs.path, pkey.path) }
- }
-
- start_server(ctx_proc: ctx_proc) { |port|
- server_connect(port) { |ssl|
- assert_equal @svr_cert.subject, ssl.peer_cert.subject
- assert_equal [@svr_cert.subject, @ca_cert.subject],
- ssl.peer_cert_chain.map(&:subject)
-
- ssl.puts "abc"; assert_equal "abc\n", ssl.gets
- }
- }
- ensure
- certs&.unlink
- pkey&.unlink
- end
-
 def test_sysread_and_syswrite
 start_server { |port|
 server_connect(port) { |ssl|
From 0a2e8c67f25225022f9a2d07f5db2fe7d82c4007 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Wed, 13 May 2020 14:48:27 +0900
Subject: [PATCH 4/5] .github/workflows: update OpenSSL and LibreSSL versions to test with
---
 .github/workflows/test.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0c6053158..985a626b3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -73,15 +73,16 @@ jobs:
 - openssl-1.0.1u # EOL
 - openssl-1.0.2u # EOL
 - openssl-1.1.0l # EOL
- - openssl-1.1.1d
+ - openssl-1.1.1g
 # - libressl-2.3.7 # EOL
 # - libressl-2.4.5 # EOL
 # - libressl-2.5.5 # EOL
 # - libressl-2.6.5 # EOL
- - libressl-2.7.5 # EOL
- - libressl-2.8.3 # EOL
- - libressl-2.9.2
+ # - libressl-2.7.5 # EOL
+ # - libressl-2.8.3 # EOL
+ - libressl-2.9.2 # EOL
 - libressl-3.0.2
+ - libressl-3.1.1
 steps:
 - name: repo checkout
 uses: actions/checkout@v2
From 41587f69e17b9f0983c1f2a37b8661599119fc0e Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Wed, 13 May 2020 14:55:35 +0900
Subject: [PATCH 5/5] Ruby/OpenSSL 2.2.0
---
 History.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 9e4294491..a4a82a146 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,4 @@
-Version 2.2.0 (not yet released)
+Version 2.2.0
 =============
 Compatibility notes