[ruby/openssl] ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4

In OpenSSL 3.4, TS_VERIFY_CTX_set_certs() and TS_VERIFY_CTX_set_store() are deprecated in favor of the new functions with "set0" in the names. The new functions have a slightly different behavior. They will free the previous value automatically. Increment the reference counter of X509_STORE before setting it to TS_VERIFY_CTX, and do not try to manually unset it. We avoided doing this to work around a bug that was present in older versions of OpenSSL, which has now been fixed in OpenSSL 1.0.2 by commit https://github.com/openssl/openssl/commit/bff9ce4db38b. https://github.com/ruby/openssl/commit/ce37f7d93a
2025-01-22 03:22:22 +09:00 · 2025-01-22 03:22:22 +09:00 · 495b1cad04
commit 495b1cad04
parent 87316d58fa
3 changed files with 19 additions and 11 deletions
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@ -144,7 +144,6 @@ have_func("EVP_PKEY_check(NULL)", evp_h)
 # added in 3.0.0
 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
 have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
-have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
 have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
 have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
 have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
@ -152,6 +151,9 @@ have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
 have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
 have_func("EVP_PKEY_dup(NULL)", evp_h)

+# added in 3.4.0
+have_func("TS_VERIFY_CTX_set0_certs(NULL, NULL)", ts_h)
+
 Logging::message "=== Checking done. ===\n"

 # Append flags from environment variables.
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@ -13,10 +13,6 @@
 #include "ruby/config.h"

 /* added in 3.0.0 */
-#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
-#  define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
-#endif
-
 #ifndef HAVE_EVP_MD_CTX_GET0_MD
 #  define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
 #endif
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@ -855,16 +855,26 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
        X509_up_ref(cert);
    }

+    if (!X509_STORE_up_ref(x509st)) {
+        sk_X509_pop_free(x509inter, X509_free);
+        TS_VERIFY_CTX_free(ctx);
+        ossl_raise(eTimestampError, "X509_STORE_up_ref");
+    }
+
+#ifdef HAVE_TS_VERIFY_CTX_SET0_CERTS
+    TS_VERIFY_CTX_set0_certs(ctx, x509inter);
+    TS_VERIFY_CTX_set0_store(ctx, x509st);
+#else
+# if OSSL_OPENSSL_PREREQ(3, 0, 0) || OSSL_IS_LIBRESSL
    TS_VERIFY_CTX_set_certs(ctx, x509inter);
-    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
+# else
+    TS_VERIFY_CTS_set_certs(ctx, x509inter);
+# endif
    TS_VERIFY_CTX_set_store(ctx, x509st);
+#endif
+    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);

    ok = TS_RESP_verify_response(ctx, resp);
-    /*
-     * TS_VERIFY_CTX_set_store() call above does not increment the reference
-     * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
-     */
-    TS_VERIFY_CTX_set_store(ctx, NULL);
    TS_VERIFY_CTX_free(ctx);

    if (!ok)