ruby-changes:47120
From: usa <ko1@a...>
Date: Fri, 30 Jun 2017 21:42:38 +0900 (JST)
Subject: [ruby-changes:47120] usa:r59235 (ruby_2_3): * ext/openssl/ossl_x509store.c: clear error queue after calling
usa 2017-06-30 21:42:31 +0900 (Fri, 30 Jun 2017) New Revision: 59235 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=59235 Log: * ext/openssl/ossl_x509store.c: clear error queue after calling X509_LOOKUP_load_file() X509_LOOKUP_load_file(), which ends up calling X509_load_cert_crl_file() internally, may leave error entries in the queue even when it returns non-zero value (which indicates success). This will be fixed by OpenSSL 1.1.1, but can be worked around by clearing the error queue ourselves. Fixes: [Backport #11033] Modified files: branches/ruby_2_3/ChangeLog branches/ruby_2_3/ext/openssl/ossl_x509store.c branches/ruby_2_3/test/openssl/test_x509store.rb branches/ruby_2_3/version.h Index: ruby_2_3/ext/openssl/ossl_x509store.c =================================================================== --- ruby_2_3/ext/openssl/ossl_x509store.c (revision 59234) +++ ruby_2_3/ext/openssl/ossl_x509store.c (revision 59235) @@ -249,6 +249,13 @@ ossl_x509store_add_file(VALUE self, VALU https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ext/openssl/ossl_x509store.c#L249 if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){ ossl_raise(eX509StoreError, NULL); } + /* + * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file() + * did not check the return value of X509_STORE_add_{cert,crl}(), leaking + * "cert already in hash table" errors on the error queue, if duplicate + * certificates are found. This will be fixed by OpenSSL 1.1.1. + */ + ERR_clear_error(); return self; } Index: ruby_2_3/version.h =================================================================== --- ruby_2_3/version.h (revision 59234) +++ ruby_2_3/version.h (revision 59235) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/version.h#L1 #define RUBY_VERSION "2.3.5" #define RUBY_RELEASE_DATE "2017-06-30" -#define RUBY_PATCHLEVEL 331 +#define RUBY_PATCHLEVEL 332 #define RUBY_RELEASE_YEAR 2017 #define RUBY_RELEASE_MONTH 6 Index: ruby_2_3/test/openssl/test_x509store.rb =================================================================== --- ruby_2_3/test/openssl/test_x509store.rb (revision 59234) +++ ruby_2_3/test/openssl/test_x509store.rb (revision 59235) @@ -36,6 +36,32 @@ class OpenSSL::TestX509Store < Test::Uni https://github.com/ruby/ruby/blob/trunk/ruby_2_3/test/openssl/test_x509store.rb#L36 OpenSSL::TestUtils.issue_crl(*args) end + def test_add_file + now = Time.at(Time.now.to_i) + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + cert1 = issue_cert(@ca1, @rsa1024, 1, now, now+3600, ca_exts, + nil, nil, "sha1") + cert2 = issue_cert(@ca2, @rsa2048, 1, now, now+3600, ca_exts, + nil, nil, "sha1") + tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f } + + store = OpenSSL::X509::Store.new + assert_equal false, store.verify(cert1) + assert_equal false, store.verify(cert2) + store.add_file(tmpfile.path) + assert_equal true, store.verify(cert1) + assert_equal true, store.verify(cert2) + + # OpenSSL < 1.1.1 leaks an error on a duplicate certificate + assert_nothing_raised { store.add_file(tmpfile.path) } + assert_equal [], OpenSSL.errors + ensure + tmpfile and tmpfile.close! + end + def test_verify now = Time.at(Time.now.to_i) ca_exts = [ Index: ruby_2_3/ChangeLog =================================================================== --- ruby_2_3/ChangeLog (revision 59234) +++ ruby_2_3/ChangeLog (revision 59235) @@ -1,3 +1,18 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ChangeLog#L1 +Fri Jun 30 21:40:42 2017 Kazuki Yamaguchi <k@r...> + + * ext/openssl/ossl_x509store.c: clear error queue after calling + X509_LOOKUP_load_file() + + X509_LOOKUP_load_file(), which ends up calling + X509_load_cert_crl_file() + internally, may leave error entries in the queue even when it returns + non-zero value (which indicates success). + + This will be fixed by OpenSSL 1.1.1, but can be worked around by + clearing the error queue ourselves. + + Fixes: [Backport #11033] + Fri Jun 30 21:35:16 2017 Nobuyoshi Nakada <nobu@r...> * gc.c (heap_page_allocate): expand sorted pages before inserting -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/