From 3f9c5fdbf6e2d94fa9d1ec3900a0b2ef5b98934e Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Sat, 31 Oct 2015 13:59:07 -0400
Subject: [PATCH] Bitrot: X509 structure opaque in upcoming OpenSSL 1.1.0
---
 postfix/.indent.pro | 1 -
 postfix/src/tls/tls.h | 1 -
 postfix/src/tls/tls_dane.c | 10 +++-------
 postfix/src/tls/tls_verify.c | 2 +-
 4 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/postfix/.indent.pro b/postfix/.indent.pro
index c15aa6353..0e9462f19 100644
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@@ -404,5 +404,4 @@
 -Tssl_comp_stack_t
 -Ttime_t
 -Ttlsa_filter
--Tx509_extension_stack_t
 -Tx509_stack_t
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index 8efb03830..11f9b24f7 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -77,7 +77,6 @@ extern const NAME_CODE tls_level_table[];
 /* Appease indent(1) */
 #define x509_stack_t STACK_OF(X509)
-#define x509_extension_stack_t STACK_OF(X509_EXTENSION)
 #define general_name_stack_t STACK_OF(GENERAL_NAME)
 #define ssl_cipher_stack_t STACK_OF(SSL_CIPHER)
 #define ssl_comp_stack_t STACK_OF(SSL_COMP)
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 1e91aa3cb..bb882f206 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -551,7 +551,7 @@ static void ta_cert_insert(TLS_DANE *d, X509 *x)
 {
 TLS_CERTS *new = (TLS_CERTS *) mymalloc(sizeof(*new));
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(x);
 new->cert = x;
 new->next = d->certs;
 d->certs = new;
@@ -1406,12 +1406,8 @@ int tls_dane_match(TLS_SESS_STATE *TLScontext, int usage,
 static int push_ext(X509 *cert, X509_EXTENSION *ext)
 {
- x509_extension_stack_t *exts;
-
 if (ext) {
- if ((exts = cert->cert_info->extensions) == 0)
- exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
- if (exts && sk_X509_EXTENSION_push(exts, ext))
+ if (X509_add_ext(cert, ext, -1))
 return 1;
 X509_EXTENSION_free(ext);
 }
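Review bot: The result of `X509_up_ref(x)` in ta_cert_insert is discarded, as it is in grow_chain and in update_error_state (tls_verify.c). In released OpenSSL 1.1.0 the function returns 1 on success and 0 on failure; after a failed call the pointer is still stored, and update_error_state visibly passes the stored pointer to X509_free() later, which would drop a reference that was never taken. Following the `msg_fatal("out of memory")` handling already used in grow_chain, I would write `if (!X509_up_ref(x)) msg_fatal("X509_up_ref failed");`, folding the test into the existing brace-less `if (errorcert != 0)` in update_error_state. The patch also shows no definition of X509_up_ref for OpenSSL releases older than 1.1.0; unless tls.h supplies one outside the visible hunk, builds against those libraries fail. All three function bodies extend past their hunks.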
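Review bot: On the success path of push_ext, `ext` is no longer released: as far as I know X509_add_ext() stores a duplicate of the extension rather than taking ownership, whereas the removed sk_X509_EXTENSION_push() kept the caller's object in the certificate's stack. Returning 1 straight after the add would therefore leak one X509_EXTENSION per successful call, which adds up if this runs repeatedly in a long-lived process. I would free unconditionally and return on the saved result: `int ok = X509_add_ext(cert, ext, -1);` `X509_EXTENSION_free(ext);` `if (ok) return 1;`. The tail of push_ext lies outside the hunk, so the failure return is assumed unchanged.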
@@ -1542,7 +1538,7 @@ static void grow_chain(TLS_SESS_STATE *TLScontext, int trusted, X509 *cert)
 if (cert) {
 if (trusted && !X509_add1_trust_object(cert, serverAuth))
 msg_fatal("out of memory");
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(cert);
 if (!sk_X509_push(*xs, cert))
 msg_fatal("out of memory");
 }
diff --git a/postfix/src/tls/tls_verify.c b/postfix/src/tls/tls_verify.c
index cbaae83cc..42bfc1033 100644
--- a/postfix/src/tls/tls_verify.c
+++ b/postfix/src/tls/tls_verify.c
@@ -138,7 +138,7 @@ static void update_error_state(TLS_SESS_STATE *TLScontext, int depth,
 if (TLScontext->errorcert != 0)
 X509_free(TLScontext->errorcert);
 if (errorcert != 0)
- CRYPTO_add(&errorcert->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(errorcert);
 TLScontext->errorcert = errorcert;
 TLScontext->errorcode = errorcode;
 TLScontext->errordepth = depth;
-- 
2.47.3