ruby-changes:43349
From: rhe <ko1@a...>
Date: Thu, 16 Jun 2016 00:02:51 +0900 (JST)
Subject: [ruby-changes:43349] rhe:r55423 (trunk): openssl: refactor OpenSSL::OCSP::*#verify
rhe 2016-06-16 00:02:46 +0900 (Thu, 16 Jun 2016) New Revision: 55423 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55423 Log: openssl: refactor OpenSSL::OCSP::*#verify * ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): Use ossl_clear_error() so that they don't print warnings to stderr and leak errors in the OpenSSL error queue. Also, check the return value of OCSP_*_verify() correctly. They can return -1 on verification failure. Modified files: trunk/ChangeLog trunk/ext/openssl/ossl_ocsp.c Index: ChangeLog =================================================================== --- ChangeLog (revision 55422) +++ ChangeLog (revision 55423) @@ -1,3 +1,11 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Jun 16 00:02:32 2016 Kazuki Yamaguchi <k@r...> + + * ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): + Use ossl_clear_error() so that they don't print warnings to stderr and + leak errors in the OpenSSL error queue. Also, check the return value + of OCSP_*_verify() correctly. They can return -1 on verification + failure. + Wed Jun 15 19:52:23 2016 Kazuki Yamaguchi <k@r...> * ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow Index: ext/openssl/ossl_ocsp.c =================================================================== --- ext/openssl/ossl_ocsp.c (revision 55422) +++ ext/openssl/ossl_ocsp.c (revision 55423) @@ -360,10 +360,11 @@ ossl_ocspreq_sign(int argc, VALUE *argv, https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ocsp.c#L360 /* * call-seq: - * request.verify(certificates, store) -> true or false - * request.verify(certificates, store, flags) -> true or false + * request.verify(certificates, store, flags = 0) -> true or false * - * Verifies this request using the given +certificates+ and X509 +store+. + * Verifies this request using the given +certificates+ and +store+. + * +certificates+ is an array of OpenSSL::X509::Certificate, +store+ is an + * OpenSSL::X509::Store. */ static VALUE @@ -376,15 +377,16 @@ ossl_ocspreq_verify(int argc, VALUE *arg https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ocsp.c#L377 int flg, result; rb_scan_args(argc, argv, "21", &certs, &store, &flags); + GetOCSPReq(self, req); x509st = GetX509StorePtr(store); flg = NIL_P(flags) ? 0 : NUM2INT(flags); x509s = ossl_x509_ary2sk(certs); - GetOCSPReq(self, req); result = OCSP_request_verify(req, x509s, x509st, flg); sk_X509_pop_free(x509s, X509_free); - if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL)); + if (!result) + ossl_clear_error(); - return result ? Qtrue : Qfalse; + return result > 0 ? Qtrue : Qfalse; } /* @@ -855,31 +857,31 @@ ossl_ocspbres_sign(int argc, VALUE *argv https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ocsp.c#L857 /* * call-seq: - * basic_response.verify(certificates, store) -> true or false - * basic_response.verify(certificates, store, flags) -> true or false + * basic_response.verify(certificates, store, flags = 0) -> true or false * - * Verifies the signature of the response using the given +certificates+, - * +store+ and +flags+. + * Verifies the signature of the response using the given +certificates+ and + * +store+. This works in the similar way as OpenSSL::OCSP::Request#verify. */ static VALUE ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self) { - VALUE certs, store, flags, result; + VALUE certs, store, flags; OCSP_BASICRESP *bs; STACK_OF(X509) *x509s; X509_STORE *x509st; - int flg; + int flg, result; rb_scan_args(argc, argv, "21", &certs, &store, &flags); + GetOCSPBasicRes(self, bs); x509st = GetX509StorePtr(store); flg = NIL_P(flags) ? 0 : NUM2INT(flags); x509s = ossl_x509_ary2sk(certs); - GetOCSPBasicRes(self, bs); - result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse; + result = OCSP_basic_verify(bs, x509s, x509st, flg); sk_X509_pop_free(x509s, X509_free); - if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL)); + if (!result) + ossl_clear_error(); - return result; + return result > 0 ? Qtrue : Qfalse; } /* -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/