From: Kenjiro Nakayama
Subject: [PATCH] Add SSL_CTX_set1_cert_store
To: tech@openbsd.org
Cc: Kenjiro Nakayama
Date: Tue, 30 Jul 2024 23:12:22 +0900
Thank you so much for your review and advice! I updated the patch.
---
 src/lib/libssl/Symbols.list | 1 +
 src/lib/libssl/hidden/openssl/ssl.h | 1 +
 src/lib/libssl/man/SSL_CTX_set_cert_store.3 | 12 ++++++++++++
 src/lib/libssl/ssl.h | 3 +++
 src/lib/libssl/ssl_lib.c | 9 +++++++++
 5 files changed, 26 insertions(+)
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index f572284..30a8e80 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -81,6 +81,7 @@ SSL_CTX_sess_set_new_cb
 SSL_CTX_sess_set_remove_cb
 SSL_CTX_sessions
 SSL_CTX_set0_chain
+SSL_CTX_set1_cert_store
 SSL_CTX_set1_chain
 SSL_CTX_set1_groups
 SSL_CTX_set1_groups_list
diff --git a/src/lib/libssl/hidden/openssl/ssl.h b/src/lib/libssl/hidden/openssl/ssl.h
index cff250e..8d91c29 100644
--- a/src/lib/libssl/hidden/openssl/ssl.h
+++ b/src/lib/libssl/hidden/openssl/ssl.h
@@ -105,6 +105,7 @@ LSSL_USED(SSL_CTX_set_timeout);
 LSSL_USED(SSL_CTX_get_timeout);
 LSSL_USED(SSL_CTX_get_cert_store);
 LSSL_USED(SSL_CTX_set_cert_store);
+LSSL_USED(SSL_CTX_set1_cert_store);
 LSSL_USED(SSL_CTX_get0_certificate);
 LSSL_USED(SSL_CTX_get0_privatekey);
 LSSL_USED(SSL_want);
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
index b23e3c4..ed4f65c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -53,12 +53,15 @@
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_store ,
+.Nm SSL_CTX_set1_cert_store ,
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
+.Ft void
+.Fn SSL_CTX_set1_cert_store "SSL_CTX *ctx" "X509_STORE *store"
 .Ft X509_STORE *
 .Fn SSL_CTX_get_cert_store "const SSL_CTX *ctx"
 .Sh DESCRIPTION
@@ -73,6 +76,15 @@ object is currently set in
 .Fa ctx ,
 it will be freed.
 .Pp
+.Fn SSL_CTX_set1_cert_store
+sets the verification storage of
+.Fa ctx
+to or replaces it with
+.Fa store .
+The
+.Fa store Ns 's
+reference count is incremented.
+.Pp
 .Fn SSL_CTX_get_cert_store
 returns a pointer to the current certificate verification storage.
 .Pp
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index d8846a4..9c5e9df 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1107,6 +1107,9 @@ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
 long SSL_CTX_get_timeout(const SSL_CTX *ctx);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
+#endif
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
 int SSL_want(const SSL *s);
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4cf5c46..5af560e 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -3403,6 +3403,15 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
 }
 LSSL_ALIAS(SSL_CTX_set_cert_store);
 
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
+{
+	if (store != NULL)
+		X509_STORE_up_ref(store);
+	SSL_CTX_set_cert_store(ctx, store);
+}
+LSSL_ALIAS(SSL_CTX_set1_cert_store);
+
 X509 *
 SSL_CTX_get0_certificate(const SSL_CTX *ctx)
 {
-- 
2.39.3 (Apple Git-146)
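Review bot: The new prototype in ssl.h is only visible under `LIBRESSL_INTERNAL` or `LIBRESSL_NEXT_API`, while the symbol is exported unconditionally in Symbols.list and the man page in this series documents the function without mentioning the guard, so an application written from the manual against the installed header compiles without a prototype. If the guard is deliberate for a staged rollout of new API, say so where a reader will find it, either in the man page text or with a comment next to the guard such as `/* Not yet public API: requires LIBRESSL_NEXT_API until the interface is finalised. */`; otherwise drop the guard so the declaration matches the exported symbol.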
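Review bot: The result of X509_STORE_up_ref() in the new SSL_CTX_set1_cert_store() is discarded, and since the function returns void to match the OpenSSL signature there is no way to report a failed increment, which would leave ctx holding a store it has not taken a reference on; make the discard explicit with `(void)X509_STORE_up_ref(store);` and, if the LibreSSL implementation cannot fail, say so in a comment so the next reader does not wonder. The ownership contract also deserves a comment at the definition, because SSL_CTX_set_cert_store() immediately above consumes the caller's reference whereas this variant takes its own: `/* Like SSL_CTX_set_cert_store(), but ctx takes its own reference and the caller keeps its reference to store. A NULL store frees the current store and leaves ctx with none. */`. The NULL behaviour follows from SSL_CTX_set_cert_store() freeing the current store, as the man page context in this patch states, so it is worth recording at the call site rather than leaving callers to infer it.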