Implement shim for SSL_CTX_set1_cert_store() (affects Debian 9)

This commit implements a shim for SSL_CTX_set1_cert_store() for
OpenSSL/LibreSSL versions where it is not available.
This commit is contained in:
Artem Boldariev 2022-04-01 11:16:44 +03:00
parent d8cd4460bf
commit 3edf7a9fe7
4 changed files with 31 additions and 12 deletions


@ -650,6 +650,7 @@ AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
AC_CHECK_FUNCS([SSL_CTX_up_ref])
AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
#
# Check for algorithm support in OpenSSL


@ -169,3 +169,23 @@ OPENSSL_cleanup(void) {
return;
}
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *store) {
return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE));
}
#endif /* !HAVE_OPENSSL_CLEANUP */
#if !HAVE_SSL_CTX_SET1_CERT_STORE
void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
(void)X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(ctx, store);
}
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
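Review bot: The shim `X509_STORE_up_ref()` at L30 hands back the raw result of `CRYPTO_add()`, which on the pre-1.1.0 OpenSSL it targets is the updated reference count, not the 1-on-success / 0-on-failure value the real `X509_STORE_up_ref()` returns; a caller written against the upstream contract that tests `== 1` would misread a successful bump (count now ≥ 2) as a failure. Normalising keeps the replacement drop-in: `int refs = CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);` followed by `return (refs > 1) ? 1 : 0;`. The closing comment at L32 was copied from the OPENSSL_cleanup block above and is misleading; it should read `#endif /* !HAVE_X509_STORE_UP_REF */`. Note also that the shim reaches into `store->references` and requires `CRYPTO_LOCK_X509_STORE`, so it presumably assumes a non-opaque `X509_STORE`, as the branch it replaces in tls.c did; a short comment above the definition stating that assumption would help whoever next bumps the minimum supported OpenSSL/LibreSSL.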


@ -120,3 +120,13 @@ OPENSSL_cleanup(void);
#if !HAVE_TLS_CLIENT_METHOD
#define TLS_client_method SSLv23_client_method
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *v);
#endif /* !HAVE_OPENSSL_CLEANUP */
#if !HAVE_SSL_CTX_SET1_CERT_STORE
void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
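Review bot: The `#endif` comment at L50 names `!HAVE_OPENSSL_CLEANUP` but closes the `!HAVE_X509_STORE_UP_REF` block; it should be `#endif /* !HAVE_X509_STORE_UP_REF */` so a reader scanning the header is not led to the wrong conditional. The prototype at L49 calls its parameter `v` while the definition in openssl_shim.c uses `store`; `int X509_STORE_up_ref(X509_STORE *store);` keeps the two in step. Both shims deserve a one-line contract comment here, since the header is where callers look: above `SSL_CTX_set1_cert_store` something like `/* Gives ctx its own reference to store; the caller keeps, and must still free, its own reference. */`, and above `X509_STORE_up_ref` a note that the shim is only meant for builds where the library lacks the real function. These prototypes rely on `X509_STORE` and `SSL_CTX` already being declared, which presumably comes from an OpenSSL include earlier in the header that is outside this hunk.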


@ -980,19 +980,7 @@ isc_tlsctx_enable_peer_verification(isc_tlsctx_t *tlsctx, const bool is_server,
}
/* "Attach" the cert store to the context */
#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x3050000fL)
(void)X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(tlsctx, store);
#elif defined(CRYPTO_LOCK_X509_STORE)
/*
* That is the case for OpenSSL < 1.1.X and LibreSSL < 3.5.0.
* No SSL_CTX_set1_cert_store(), no X509_STORE_up_ref(). Sigh...
*/
(void)CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
SSL_CTX_set_cert_store(tlsctx, store);
#else
SSL_CTX_set1_cert_store(tlsctx, store);
#endif
/* enable verification */
if (is_server) {
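Review bot: The comment at L60, `/* "Attach" the cert store to the context */`, no longer explains the one thing a maintainer needs to know now that the three platform branches have collapsed into a single `SSL_CTX_set1_cert_store()` call: that the context takes its own reference and the caller's reference to `store` is still owned by the caller. I would replace it with `/* Give tlsctx its own reference to store (set1 bumps the refcount); the caller still owns and must free its own reference */`. It is also worth noting, hedged because the underlying `SSL_CTX_set_cert_store()` is not visible here, that calling this on a tlsctx that already has a store presumably releases the previous one, so the function should not be invoked twice on the same context with different stores. A failed `X509_STORE_up_ref()` inside the shim path is still silently ignored, but that matches the removed branches at L62 and L69, so it is not a regression of this commit. `isc_tlsctx_enable_peer_verification()` begins and ends outside this hunk.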