Merge pull request #842 from rhenium/ky/ts-use-TS_VERIFY_CTX_set0_certs

rhenium · web-flow · commit eb7bb6d5f0f3 · 2025-01-23T01:30:17.000+09:00
ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -144,14 +144,16 @@ def find_openssl_library
 # added in 3.0.0
 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
 have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
-have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
 have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
 have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
 have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
 have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
 have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
 have_func("EVP_PKEY_dup(NULL)", evp_h)
 
+# added in 3.4.0
+have_func("TS_VERIFY_CTX_set0_certs(NULL, NULL)", ts_h)
+
 Logging::message "=== Checking done. ===\n"
 
 # Append flags from environment variables.
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
@@ -13,10 +13,6 @@
 #include "ruby/config.h"
 
 /* added in 3.0.0 */
-#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
-#  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
-#endif
-
 #ifndef HAVE_EVP_MD_CTX_GET0_MD
 #  define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
 #endif
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
@@ -855,16 +855,26 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
         X509_up_ref(cert);
     }
 
+    if (!X509_STORE_up_ref(x509st)) {
+        sk_X509_pop_free(x509inter, X509_free);
+        TS_VERIFY_CTX_free(ctx);
+        ossl_raise(eTimestampError, "X509_STORE_up_ref");
+    }
+
+#ifdef HAVE_TS_VERIFY_CTX_SET0_CERTS
+    TS_VERIFY_CTX_set0_certs(ctx, x509inter);
+    TS_VERIFY_CTX_set0_store(ctx, x509st);
+#else
+# if OSSL_OPENSSL_PREREQ(3, 0, 0) || OSSL_IS_LIBRESSL
     TS_VERIFY_CTX_set_certs(ctx, x509inter);
-    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
+# else
+    TS_VERIFY_CTS_set_certs(ctx, x509inter);
+# endif
     TS_VERIFY_CTX_set_store(ctx, x509st);
+#endif
+    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
 
     ok = TS_RESP_verify_response(ctx, resp);
-    /*
-     * TS_VERIFY_CTX_set_store() call above does not increment the reference
-     * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
-     */
-    TS_VERIFY_CTX_set_store(ctx, NULL);
     TS_VERIFY_CTX_free(ctx);
 
     if (!ok)
