Prepare to provide SSL_CTX_set1_cert_store()

SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store()
since it takes ownership of the store argument. Apparently a few people ran
into the issue of not bumping the refcount themselves, leading to use after
frees about 10 years ago. This is a quite rarely used API and there are no
misuses in the ports tree, but since someone did the work of writing a diff,
we can still add it.

Needless to say that SSL_CTX_get_cert_store() obviously has the exact same
issue and nobody seems to have thought of adding a get0 or get1 version to
match...

Fixes https://github.com/libressl/openbsd/issues/71
From Kenjiro Nakayama

1 files changed, 11 insertions, 1 deletions

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4cf5c46fda..1a2bf36952 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.329 2024/08/03 04:50:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -3403,6 +3403,16 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
 }
 LSSL_ALIAS(SSL_CTX_set_cert_store);
 
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
+{
+        if (store != NULL)
+                X509_STORE_up_ref(store);
+
+        SSL_CTX_set_cert_store(ctx, store);
+}
+LSSL_ALIAS(SSL_CTX_set1_cert_store);
+
 X509 *
 SSL_CTX_get0_certificate(const SSL_CTX *ctx)
 {