ruby-changes:20489

nahi	2011-07-14 14:41:05 +0900 (Thu, 14 Jul 2011)

  New Revision: 32537

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=32537

  Log:
    * ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
      verify callback of SSLContext and X509Store and make the 
      verification fail normally. Raising exception directly from callback
      causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi. 
      See #4445.
    
    * test/openssl/test_ssl.rb
      (test_exception_in_verify_callback_is_ignored): test it.

  Modified files:
    trunk/ChangeLog
    trunk/ext/openssl/ossl.c
    trunk/test/openssl/test_pair.rb
    trunk/test/openssl/test_ssl.rb
    trunk/test/openssl/utils.rb

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 32536)
+++ ChangeLog	(revision 32537)
@@ -1,3 +1,14 @@
+Thu Jul 14 12:19:34 2011  Hiroshi Nakamura  <nahi@r...>
+
+	* ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
+	  verify callback of SSLContext and X509Store and make the
+	  verification fail normally. Raising exception directly from callback
+	  causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
+	  See #4445.
+
+	* test/openssl/test_ssl.rb
+	  (test_exception_in_verify_callback_is_ignored): test it.
+
 Tue Jul 12 23:41:49 2011  KOSAKI Motohiro  <kosaki.motohiro@g...>
 
 	* NEWS: add a description of Signal.trap change.
Index: ext/openssl/ossl.c
===================================================================
--- ext/openssl/ossl.c	(revision 32536)
+++ ext/openssl/ossl.c	(revision 32537)
@@ -223,8 +223,11 @@
 	    args.proc = proc;
 	    args.preverify_ok = ok ? Qtrue : Qfalse;
 	    args.store_ctx = rctx;
-	    ret = rb_ensure(ossl_call_verify_cb_proc, (VALUE)&args,
-			    ossl_x509stctx_clear_ptr, rctx);
+	    ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
+	    ossl_x509stctx_clear_ptr(rctx);
+	    if (state) {
+		rb_warn("exception in verify_callback is ignored");
+	    }
 	}
 	if (ret == Qtrue) {
 	    X509_STORE_CTX_set_error(ctx, X509_V_OK);
Index: test/openssl/test_pair.rb
===================================================================
--- test/openssl/test_pair.rb	(revision 32536)
+++ test/openssl/test_pair.rb	(revision 32537)
@@ -238,6 +238,8 @@
     s1.print "a\ndef"
     assert_equal("a\n", s2.gets)
   ensure
+    s1.close if s1 && !s1.closed?
+    s2.close if s2 && !s2.closed?
     serv.close if serv && !serv.closed?
     sock1.close if sock1 && !sock1.closed?
     sock2.close if sock2 && !sock2.closed?
Index: test/openssl/utils.rb
===================================================================
--- test/openssl/utils.rb	(revision 32536)
+++ test/openssl/utils.rb	(revision 32537)
@@ -275,7 +275,7 @@
           server_loop(ctx, ssls, server_proc)
         end
 
-        $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG
+        $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG
 
         block.call(server, port.to_i)
       ensure
Index: test/openssl/test_ssl.rb
===================================================================
--- test/openssl/test_ssl.rb	(revision 32536)
+++ test/openssl/test_ssl.rb	(revision 32537)
@@ -238,6 +238,26 @@
     }
   end
 
+  def test_exception_in_verify_callback_is_ignored
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(
+        :verify_callback => Proc.new do |preverify_ok, store_ctx|
+          store_ctx.error = OpenSSL::X509::V_OK
+          raise RuntimeError
+        end
+      )
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      OpenSSL::TestUtils.silent do
+        # SSLError, not RuntimeError
+        assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
+      end
+      assert_equal(OpenSSL::X509::V_ERR_CERT_REJECTED, ssl.verify_result)
+      ssl.close
+    }
+  end
+
   def test_sslctx_set_params
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/