From 2221c5b84347a5b6b430e191719c542557a3d7a5 Mon Sep 17 00:00:00 2001 From: Vít Ondruch Date: Oct 24 2016 08:48:20 +0000 Subject: Avoid conflict between OpenSSL 1.0.x and 1.1.x. --- diff --git a/ruby-2.4.0-openssl-register-ex_data-index-for-X509_STORE-_CTX-r.patch b/ruby-2.4.0-openssl-register-ex_data-index-for-X509_STORE-_CTX-r.patch new file mode 100644 index 0000000..594d5f9 --- /dev/null +++ b/ruby-2.4.0-openssl-register-ex_data-index-for-X509_STORE-_CTX-r.patch 
@@ -0,0 +1,206 @@ +From 2aabfcd4c604891ab043649129bb1404e3c311f0 Mon Sep 17 00:00:00 2001 +From: rhe +Date: Thu, 19 May 2016 04:53:05 +0000 +Subject: [PATCH] openssl: register ex_data index for X509_STORE{_CTX,} + respectively + +* ext/openssl/ossl.c (Init_openssl): register an ex_data index for + X509_STORE and X509_STORE_CTX respectively. Since they don't share + the ex_data index registry, we can't use the same index. + (ossl_verify_cb): use the the correct index. + +* ext/openssl/ossl_ssl.c (ossl_ssl_verify_callback): ditto. + +* ext/openssl/ossl_x509store.c (ossl_x509store_set_vfy_cb): ditto. + (ossl_x509stctx_verify): ditto. + +* ext/openssl/ossl.h (void ossl_clear_error): add extern declarations + of ossl_store_{ctx_,}ex_verify_cb_idx. + +* ext/openssl/openssl_missing.c: remove X509_STORE_set_ex_data and + X509_STORE_get_ex_data. + +* ext/openssl/openssl_missing.h: implement X509_STORE_get_ex_data, + X509_STORE_set_ex_data and X509_STORE_get_ex_new_index as macros. + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55074 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + ChangeLog | 21 +++++++++++++++++++++ + ext/openssl/openssl_missing.c | 14 -------------- + ext/openssl/openssl_missing.h | 9 +++++++-- + ext/openssl/ossl.c | 15 +++++++++------ + ext/openssl/ossl.h | 3 ++- + ext/openssl/ossl_ssl.c | 2 +- + ext/openssl/ossl_x509store.c | 4 ++-- + 7 files changed, 42 insertions(+), 26 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index c163123..73ea253 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,24 @@ ++Thu May 19 13:22:44 2016 Kazuki Yamaguchi ++ ++ * ext/openssl/ossl.c (Init_openssl): register an ex_data index for ++ X509_STORE and X509_STORE_CTX respectively. Since they don't share ++ the ex_data index registry, we can't use the same index. ++ (ossl_verify_cb): use the the correct index. ++ ++ * ext/openssl/ossl_ssl.c (ossl_ssl_verify_callback): ditto. ++ ++ * ext/openssl/ossl_x509store.c (ossl_x509store_set_vfy_cb): ditto. 
++ (ossl_x509stctx_verify): ditto. ++ ++ * ext/openssl/ossl.h (void ossl_clear_error): add extern declarations ++ of ossl_store_{ctx_,}ex_verify_cb_idx. ++ ++ * ext/openssl/openssl_missing.c: remove X509_STORE_set_ex_data and ++ X509_STORE_get_ex_data. ++ ++ * ext/openssl/openssl_missing.h: implement X509_STORE_get_ex_data, ++ X509_STORE_set_ex_data and X509_STORE_get_ex_new_index as macros. ++ + Tue Apr 26 02:58:51 2016 Marcus Stollsteimer + + * doc/extension.rdoc: Improvements to english grammers. +diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c +index bd8eef5..31f2d0a 100644 +--- a/ext/openssl/openssl_missing.c ++++ b/ext/openssl/openssl_missing.c +@@ -34,20 +34,6 @@ HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) + #endif /* HAVE_HMAC_CTX_COPY */ + #endif /* NO_HMAC */ + +-#if !defined(HAVE_X509_STORE_SET_EX_DATA) +-int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data) +-{ +- return CRYPTO_set_ex_data(&str->ex_data, idx, data); +-} +-#endif +- +-#if !defined(HAVE_X509_STORE_GET_EX_DATA) +-void *X509_STORE_get_ex_data(X509_STORE *str, int idx) +-{ +- return CRYPTO_get_ex_data(&str->ex_data, idx); +-} +-#endif +- + #if !defined(HAVE_EVP_MD_CTX_CREATE) + EVP_MD_CTX * + EVP_MD_CTX_create(void) +diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h +index 2dc49d3..955579c 100644 +--- a/ext/openssl/openssl_missing.h ++++ b/ext/openssl/openssl_missing.h +@@ -133,11 +133,16 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, EVP_CIPHER_CTX *in); + #endif + + #if !defined(HAVE_X509_STORE_GET_EX_DATA) +-void *X509_STORE_get_ex_data(X509_STORE *str, int idx); ++# define X509_STORE_get_ex_data(x, idx) \ ++ CRYPTO_get_ex_data(&(x)->ex_data, (idx)) + #endif + + #if !defined(HAVE_X509_STORE_SET_EX_DATA) +-int X509_STORE_set_ex_data(X509_STORE *str, int idx, void *data); ++# define X509_STORE_set_ex_data(x, idx, data) \ ++ CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data)) ++# define X509_STORE_get_ex_new_index(l, p, newf, dupf, 
freef) \ ++ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \ ++ (newf), (dupf), (freef)) + #endif + + #if !defined(HAVE_X509_CRL_SET_VERSION) +diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c +index ac82815..2b5579e 100644 +--- a/ext/openssl/ossl.c ++++ b/ext/openssl/ossl.c +@@ -198,7 +198,8 @@ ossl_pem_passwd_cb(char *buf, int max_len, int flag, void *pwd) + /* + * Verify callback + */ +-int ossl_verify_cb_idx; ++int ossl_store_ctx_ex_verify_cb_idx; ++int ossl_store_ex_verify_cb_idx; + + VALUE + ossl_call_verify_cb_proc(struct ossl_verify_cb_args *args) +@@ -214,10 +215,10 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx) + struct ossl_verify_cb_args args; + int state = 0; + +- proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_verify_cb_idx); +- if ((void*)proc == 0) +- proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_verify_cb_idx); +- if ((void*)proc == 0) ++ proc = (VALUE)X509_STORE_CTX_get_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx); ++ if (!proc) ++ proc = (VALUE)X509_STORE_get_ex_data(ctx->ctx, ossl_store_ex_verify_cb_idx); ++ if (!proc) + return ok; + if (!NIL_P(proc)) { + ret = Qfalse; +@@ -1127,8 +1128,10 @@ Init_openssl(void) + /* + * Verify callback Proc index for ext-data + */ +- if ((ossl_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_verify_cb_idx", 0, 0, 0)) < 0) ++ if ((ossl_store_ctx_ex_verify_cb_idx = X509_STORE_CTX_get_ex_new_index(0, (void *)"ossl_store_ctx_ex_verify_cb_idx", 0, 0, 0)) < 0) + ossl_raise(eOSSLError, "X509_STORE_CTX_get_ex_new_index"); ++ if ((ossl_store_ex_verify_cb_idx = X509_STORE_get_ex_new_index(0, (void *)"ossl_store_ex_verify_cb_idx", 0, 0, 0)) < 0) ++ ossl_raise(eOSSLError, "X509_STORE_get_ex_new_index"); + + /* + * Init debug core +diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h +index a31ca95..5b2f6e1 100644 +--- a/ext/openssl/ossl.h ++++ b/ext/openssl/ossl.h +@@ -167,7 +167,8 @@ void ossl_clear_error(void); + /* + * Verify callback + */ +-extern int ossl_verify_cb_idx; 
++extern int ossl_store_ctx_ex_verify_cb_idx; ++extern int ossl_store_ex_verify_cb_idx; + + struct ossl_verify_cb_args { + VALUE proc; +diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c +index 938e36f..87df7f9 100644 +--- a/ext/openssl/ossl_ssl.c ++++ b/ext/openssl/ossl_ssl.c +@@ -307,7 +307,7 @@ ossl_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) + + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + cb = (VALUE)SSL_get_ex_data(ssl, ossl_ssl_ex_vcb_idx); +- X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, (void*)cb); ++ X509_STORE_CTX_set_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx, (void *)cb); + return ossl_verify_cb(preverify_ok, ctx); + } + +diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c +index aca25b1..8d6f9de 100644 +--- a/ext/openssl/ossl_x509store.c ++++ b/ext/openssl/ossl_x509store.c +@@ -130,7 +130,7 @@ ossl_x509store_set_vfy_cb(VALUE self, VALUE cb) + X509_STORE *store; + + GetX509Store(self, store); +- X509_STORE_set_ex_data(store, ossl_verify_cb_idx, (void*)cb); ++ X509_STORE_set_ex_data(store, ossl_store_ex_verify_cb_idx, (void *)cb); + rb_iv_set(self, "@verify_callback", cb); + + return cb; +@@ -467,7 +467,7 @@ ossl_x509stctx_verify(VALUE self) + int result; + + GetX509StCtx(self, ctx); +- X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, ++ X509_STORE_CTX_set_ex_data(ctx, ossl_store_ctx_ex_verify_cb_idx, + (void*)rb_iv_get(self, "@verify_callback")); + result = X509_verify_cert(ctx); + +-- +2.10.0 + diff --git a/ruby.spec b/ruby.spec index e0ba0de..2817201 100644 --- a/ruby.spec +++ b/ruby.spec 
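Review bot: In the ext/openssl/openssl_missing.h section of the added patch, the fallback `X509_STORE_get_ex_new_index` macro sits inside the `#if !defined(HAVE_X509_STORE_SET_EX_DATA)` block, so whether it is defined depends on a probe for a different function. A build where `X509_STORE_set_ex_data` is detected but `X509_STORE_get_ex_new_index` is not provided would presumably fail at the new call in `Init_openssl`, and the opposite case could redefine a macro the library already supplies. Giving it its own guard, for example `#if !defined(X509_STORE_get_ex_new_index)` closed by its own `#endif`, keeps the three fallbacks independent. A short comment above the two index globals in ossl.c would also help, stating that X509_STORE and X509_STORE_CTX keep separate ex_data registries, so the two indexes must never be interchanged when the verify callback is stored or looked up.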
@@ -129,6 +129,9 @@ Patch8: ruby-2.4.0-increase-timeout-for-ARMv7.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +# Avoid conflict between OpenSSL 1.0.x and 1.1.x. +# https://bugs.ruby-lang.org/issues/12868 +Patch10: ruby-2.4.0-openssl-register-ex_data-index-for-X509_STORE-_CTX-r.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -478,6 +481,7 @@ rm -rf ext/fiddle/libffi* %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -968,7 +972,7 @@ make check TESTS="-v $DISABLE_TESTS" %changelog * Fri Oct 21 2016 Vít Ondruch - 2.3.1-59 -- Use continue to use OpenSSL 1.0 for the moment. +- Continue to use OpenSSL 1.0 for the moment. - Add gemspec_add_dep and gemspec_remove_dep macros. - Harden package.
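Review bot: The comment added above `Patch10` names the upstream issue but not the upstream change that the patch backports, which the patch header identifies as trunk r55074. Recording it, for example `# Backport of upstream r55074.`, lets a later rebase confirm that the fix is already in the tarball and drop the patch. The visible 2.3.1-59 changelog entries do not mention the new patch either, though entries outside the hunk cannot be seen from here.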