author | Kazuki Yamaguchi <[email protected]> | 2025-01-22 03:22:22 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <[email protected]> | 2025-01-23 01:45:52 +0900 |
commit | 495b1cad042b30c40b62b5ecea5a728ea3c2f4ac (patch) | |
tree | d73daa96220df790bf8c572ae1004bce14da70c0 | |
parent | 87316d58faa2d57e9f1c1df2f76584a129a60bcc (diff) |
[ruby/openssl] ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4
In OpenSSL 3.4, TS_VERIFY_CTX_set_certs() and TS_VERIFY_CTX_set_store()
are deprecated in favor of the new functions with "set0" in the names.
The new functions have a slightly different behavior. They will free the
previous value automatically. Increment the reference counter of
X509_STORE before setting it to TS_VERIFY_CTX, and do not try to
manually unset it.
We had avoided doing this to work around a bug present in older versions
of OpenSSL, which was fixed in OpenSSL 1.0.2 by commit
https://github.com/openssl/openssl/commit/bff9ce4db38b.
https://github.com/ruby/openssl/commit/ce37f7d93a
-rw-r--r-- | ext/openssl/extconf.rb | 4 | ||||
-rw-r--r-- | ext/openssl/openssl_missing.h | 4 | ||||
-rw-r--r-- | ext/openssl/ossl_ts.c | 22 |
3 files changed, 19 insertions, 11 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 249444135a..5bb045e895 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -144,7 +144,6 @@ have_func("EVP_PKEY_check(NULL)", evp_h)
 # added in 3.0.0
 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
 have_func("ERR_get_error_all(NULL, NULL, NULL, NULL, NULL)", "openssl/err.h")
-have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", ts_h)
 have_func("SSL_CTX_load_verify_file(NULL, \"\")", ssl_h)
 have_func("BN_check_prime(NULL, NULL, NULL)", "openssl/bn.h")
 have_func("EVP_MD_CTX_get0_md(NULL)", evp_h)
@@ -152,6 +151,9 @@ have_func("EVP_MD_CTX_get_pkey_ctx(NULL)", evp_h)
 have_func("EVP_PKEY_eq(NULL, NULL)", evp_h)
 have_func("EVP_PKEY_dup(NULL)", evp_h)
+# added in 3.4.0
+have_func("TS_VERIFY_CTX_set0_certs(NULL, NULL)", ts_h)
+
 Logging::message "=== Checking done. ===\n"
 # Append flags from environment variables.
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index eb5eaa6cf9..6592f9ccea 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -13,10 +13,6 @@
 #include "ruby/config.h"
 /* added in 3.0.0 */
-#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)
-# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)
-#endif
-
 #ifndef HAVE_EVP_MD_CTX_GET0_MD
 # define EVP_MD_CTX_get0_md(ctx) EVP_MD_CTX_md(ctx)
 #endif
diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c
index 3aabcc013b..c7d2bd271b 100644
--- a/ext/openssl/ossl_ts.c
+++ b/ext/openssl/ossl_ts.c
@@ -855,16 +855,26 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
 X509_up_ref(cert);
 }
+ if (!X509_STORE_up_ref(x509st)) {
+ sk_X509_pop_free(x509inter, X509_free);
+ TS_VERIFY_CTX_free(ctx);
+ ossl_raise(eTimestampError, "X509_STORE_up_ref");
+ }
+
+#ifdef HAVE_TS_VERIFY_CTX_SET0_CERTS
+ TS_VERIFY_CTX_set0_certs(ctx, x509inter);
+ TS_VERIFY_CTX_set0_store(ctx, x509st);
+#else
+# if OSSL_OPENSSL_PREREQ(3, 0, 0) || OSSL_IS_LIBRESSL
 TS_VERIFY_CTX_set_certs(ctx, x509inter);
- TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
+# else
+ TS_VERIFY_CTS_set_certs(ctx, x509inter);
+# endif
 TS_VERIFY_CTX_set_store(ctx, x509st);
+#endif
+ TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
 ok = TS_RESP_verify_response(ctx, resp);
- /*
- * TS_VERIFY_CTX_set_store() call above does not increment the reference
- * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
- */
- TS_VERIFY_CTX_set_store(ctx, NULL);
 TS_VERIFY_CTX_free(ctx);
 if (!ok) |
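Review bot: Once the comment above the removed `TS_VERIFY_CTX_set_store(ctx, NULL)` goes, nothing in the function says why `X509_STORE_up_ref(x509st)` is needed, and a later reader could drop it as a leak "fix" and hand the Ruby store object's only reference to `TS_VERIFY_CTX_free()`. I would add, above the new check, `/* ctx owns the certs and store it is given and TS_VERIFY_CTX_free() releases both (set0 on 3.4+, TS_VERIFY_CTX_cleanup() before that), so take a reference for ctx; the Ruby X509::Store keeps its own. */`. The failure path itself looks right: `x509inter` is popped and freed before it is attached to ctx, so there is no double free, and the `ossl_raise` comes after the cleanup. Note that `TS_VERIFY_CTX_set0_certs`/`set0_store` are called with their return value ignored; that is presumably fine given they only take ownership, but it is worth confirming against the 3.4 headers. ossl_ts_resp_verify begins and ends outside this hunk.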