From 3edf7a9fe76d519c1993043147c8aef5afcdee0b Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Fri, 1 Apr 2022 11:16:44 +0300
Subject: [PATCH] Implement shim for SSL_CTX_set1_cert_store() (affects Debian 9)
This commit implements a shim for SSL_CTX_set1_cert_store() for OpenSSL/LibreSSL versions where it is not available.
---
 configure.ac | 1 +
 lib/isc/openssl_shim.c | 20 ++++++++++++++++++++
 lib/isc/openssl_shim.h | 10 ++++++++++
 lib/isc/tls.c | 12 ------------
 4 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index 8ea89295d5..14f176bf3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -650,6 +650,7 @@ AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
 AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
 AC_CHECK_FUNCS([SSL_CTX_up_ref])
 AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
+AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
 #
 # Check for algorithm support in OpenSSL
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index 759ceb408b..1dcc921f01 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -169,3 +169,23 @@ OPENSSL_cleanup(void) {
 return;
 }
 #endif
+
+#if !HAVE_X509_STORE_UP_REF
+
+int
+X509_STORE_up_ref(X509_STORE *store) {
+ return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE));
+}
+
+#endif /* !HAVE_OPENSSL_CLEANUP */
+
+#if !HAVE_SSL_CTX_SET1_CERT_STORE
+
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+ (void)X509_STORE_up_ref(store);
+
+ SSL_CTX_set_cert_store(ctx, store);
+}
+
+#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index b4877f8509..0755fbb49d 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -120,3 +120,13 @@ OPENSSL_cleanup(void);
 #if !HAVE_TLS_CLIENT_METHOD
 #define TLS_client_method SSLv23_client_method
 #endif
+
+#if !HAVE_X509_STORE_UP_REF
+int
+X509_STORE_up_ref(X509_STORE *v);
+#endif /* !HAVE_OPENSSL_CLEANUP */
+
+#if !HAVE_SSL_CTX_SET1_CERT_STORE
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
+#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 543fda7b2d..19bed66efb 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -980,19 +980,7 @@ isc_tlsctx_enable_peer_verification(isc_tlsctx_t *tlsctx, const bool is_server,
 }
 /* "Attach" the cert store to the context */
-#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x3050000fL)
- (void)X509_STORE_up_ref(store);
- SSL_CTX_set_cert_store(tlsctx, store);
-#elif defined(CRYPTO_LOCK_X509_STORE)
- /*
- * That is the case for OpenSSL < 1.1.X and LibreSSL < 3.5.0.
- * No SSL_CTX_set1_cert_store(), no X509_STORE_up_ref(). Sigh...
- */
- (void)CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
- SSL_CTX_set_cert_store(tlsctx, store);
-#else
 SSL_CTX_set1_cert_store(tlsctx, store);
-#endif
 /* enable verification */
 if (is_server) {
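Review bot: The SSL_CTX_set1_cert_store() shim in openssl_shim.c dereferences `store` unconditionally via X509_STORE_up_ref(), while the library function it stands in for (as far as I recall the OpenSSL implementation) only takes the reference when the store is non-NULL and otherwise just passes NULL through to SSL_CTX_set_cert_store(); because the shim is now exported from a shared header, any caller relying on that contract crashes only on the old-OpenSSL builds, so guard it: `if (store != NULL) { (void)X509_STORE_up_ref(store); }`. The X509_STORE_up_ref() shim also returns CRYPTO_add()'s new reference count, whereas the native function returns 1 on success and 0 otherwise; the sole caller here discards the value, but a faithful replacement would be `return ((CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 1) ? 1 : 0);`. Finally, the closing `#endif /* !HAVE_OPENSSL_CLEANUP */` here and the matching one in the openssl_shim.h hunk are copy-paste leftovers and should read `#endif /* !HAVE_X509_STORE_UP_REF */`, otherwise the next reader pairs them with the wrong block.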
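Review bot: The declaration `X509_STORE_up_ref(X509_STORE *v);` names its parameter differently from the definition in openssl_shim.c (`store`); use `X509_STORE_up_ref(X509_STORE *store);` so the prototype documents the same contract as the implementation. These two prototypes also carry no comment, and the explanation of when they are needed (OpenSSL before 1.1.x, LibreSSL before 3.5.0) was deleted from tls.c in this same commit, so it would be worth adding a short block comment above `#if !HAVE_X509_STORE_UP_REF` stating that these are compatibility shims for libraries lacking the native functions, that X509_STORE_up_ref() increments the store's reference count, and that SSL_CTX_set1_cert_store() takes its own reference and does not consume the caller's.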
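Review bot: With the conditional block gone, the single remaining `SSL_CTX_set1_cert_store(tlsctx, store);` resolves on pre-1.1 OpenSSL only if tls.c includes openssl_shim.h, which this hunk does not show; please confirm the include is present, since a missing one would surface as a link error only on the Debian 9-style builds the commit targets. The deleted comment was the only place documenting the reference semantics, so I would expand the surviving one to `/* Attach the cert store; set1 takes its own reference, so the caller's reference to store is still owned (and released) by this code. */`, hedged as the release is not visible in the hunk. The body of isc_tlsctx_enable_peer_verification() starts and ends outside the hunk.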