
ruby-changes:20490

From: nahi <ko1@a...>
Date: Thu, 14 Jul 2011 14:46:10 +0900 (JST)
Subject: [ruby-changes:20490] nahi:r32538 (ruby_1_9_3): * backport r32537 from trunk.

nahi	2011-07-14 14:46:00 +0900 (Thu, 14 Jul 2011)

  New Revision: 32538

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=32538

  Log:
    * backport r32537 from trunk.
    
    * ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
      verify callback of SSLContext and X509Store and make the
      verification fail normally. Raising exception directly from callback
      causes orphan resources in OpenSSL stack. Patched by Ippei Obayashi.
      See #4445.
    
    * test/openssl/test_ssl.rb
      (test_exception_in_verify_callback_is_ignored): test it.

  Modified files:
    branches/ruby_1_9_3/ChangeLog
    branches/ruby_1_9_3/ext/openssl/ossl.c
    branches/ruby_1_9_3/test/openssl/test_pair.rb
    branches/ruby_1_9_3/test/openssl/test_ssl.rb
    branches/ruby_1_9_3/test/openssl/utils.rb

Index: ruby_1_9_3/ChangeLog
===================================================================
--- ruby_1_9_3/ChangeLog	(revision 32537)
+++ ruby_1_9_3/ChangeLog	(revision 32538)
@@ -1,3 +1,16 @@
+Thu Jul 14 12:40:07 2011  Hiroshi Nakamura  <nahi@r...>
+
+	* backport r32537 from trunk.
+
+	* ext/openssl/ossl.c (ossl_verify_cb): trap the exception from
+	  verify callback of SSLContext and X509Store and make the
+	  verification fail normally. Raising exception directly from callback
+	  causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
+	  See #4445.
+
+	* test/openssl/test_ssl.rb
+	  (test_exception_in_verify_callback_is_ignored): test it.
+
 Wed Jul 13 08:20:08 2011  Shota Fukumori  <sorah@t...>
 
 	* lib/test/unit.rb(Test::Unit::Options#process_args): Fix bug.
@@ -13,7 +26,7 @@
 Mon Jul 11 23:47:00 2011  Yutaka Kanemoto  <kanemoto@r...>
 
 	* thread_pthread.c (get_stack):  need to adjust stack addr for
-          [Bug #1813] on AIX. backported r32511 from trunk.
+	  [Bug #1813] on AIX. backported r32511 from trunk.
 
 Mon Jul 11 15:17:03 2011  NAKAMURA Usaku  <usa@r...>
 
Index: ruby_1_9_3/ext/openssl/ossl.c
===================================================================
--- ruby_1_9_3/ext/openssl/ossl.c	(revision 32537)
+++ ruby_1_9_3/ext/openssl/ossl.c	(revision 32538)
@@ -223,8 +223,11 @@
 	    args.proc = proc;
 	    args.preverify_ok = ok ? Qtrue : Qfalse;
 	    args.store_ctx = rctx;
-	    ret = rb_ensure(ossl_call_verify_cb_proc, (VALUE)&args,
-			    ossl_x509stctx_clear_ptr, rctx);
+	    ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
+	    ossl_x509stctx_clear_ptr(rctx);
+	    if (state) {
+		rb_warn("exception in verify_callback is ignored");
+	    }
 	}
 	if (ret == Qtrue) {
 	    X509_STORE_CTX_set_error(ctx, X509_V_OK);
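Review bot: When `rb_protect` reports a non-zero `state`, nothing in the new `if (state) {` branch clears the trapped exception, so it stays in the interpreter's error info; adding `rb_set_errinfo(Qnil);` before the `rb_warn` would discard it explicitly. The warning text is fixed, so the exception's class and message are lost, and a handshake rejected for this reason is hard to tell apart from a genuine certificate failure; including them in the warning would help. The rejection appears to rely on `rb_protect` returning `Qnil` so that `ret == Qtrue` is false, and a comment such as `/* ret is Qnil on a trapped exception, so verification fails closed */` would make that explicit. The declaration of `state` and the rest of `ossl_verify_cb` are outside the hunk.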
Index: ruby_1_9_3/test/openssl/test_pair.rb
===================================================================
--- ruby_1_9_3/test/openssl/test_pair.rb	(revision 32537)
+++ ruby_1_9_3/test/openssl/test_pair.rb	(revision 32538)
@@ -238,6 +238,8 @@
     s1.print "a\ndef"
     assert_equal("a\n", s2.gets)
   ensure
+    s1.close if s1 && !s1.closed?
+    s2.close if s2 && !s2.closed?
     serv.close if serv && !serv.closed?
     sock1.close if sock1 && !sock1.closed?
     sock2.close if sock2 && !sock2.closed?
Index: ruby_1_9_3/test/openssl/utils.rb
===================================================================
--- ruby_1_9_3/test/openssl/utils.rb	(revision 32537)
+++ ruby_1_9_3/test/openssl/utils.rb	(revision 32538)
@@ -275,7 +275,7 @@
           server_loop(ctx, ssls, server_proc)
         end
 
-        $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) if $DEBUG
+        $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG
 
         block.call(server, port.to_i)
       ensure
Index: ruby_1_9_3/test/openssl/test_ssl.rb
===================================================================
--- ruby_1_9_3/test/openssl/test_ssl.rb	(revision 32537)
+++ ruby_1_9_3/test/openssl/test_ssl.rb	(revision 32538)
@@ -238,6 +238,26 @@
     }
   end
 
+  def test_exception_in_verify_callback_is_ignored
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(
+        :verify_callback => Proc.new do |preverify_ok, store_ctx|
+          store_ctx.error = OpenSSL::X509::V_OK
+          raise RuntimeError
+        end
+      )
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      OpenSSL::TestUtils.silent do
+        # SSLError, not RuntimeError
+        assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
+      end
+      assert_equal(OpenSSL::X509::V_ERR_CERT_REJECTED, ssl.verify_result)
+      ssl.close
+    }
+  end
+
   def test_sslctx_set_params
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)
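Review bot: In `test_exception_in_verify_callback_is_ignored`, `sock` is never closed and `ssl.close` is only reached when both assertions pass, so a failing run leaves the client connection open. Setting `ssl.sync_close = true` after constructing `ssl` and wrapping the body in `begin`/`ensure` would cover both. The callback sets `store_ctx.error = OpenSSL::X509::V_OK` before raising without saying why; a comment such as `# callback claims V_OK, then raises: the handshake must still be rejected` would document the fail-closed property this test guards. The method name says the exception "is_ignored", which reads as if verification proceeds, whereas the assertions show it is rejected with `V_ERR_CERT_REJECTED`.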

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
