
ruby-changes:47120

From: usa <ko1@a...>
Date: Fri, 30 Jun 2017 21:42:38 +0900 (JST)
Subject: [ruby-changes:47120] usa:r59235 (ruby_2_3): * ext/openssl/ossl_x509store.c: clear error queue after calling

usa	2017-06-30 21:42:31 +0900 (Fri, 30 Jun 2017)

  New Revision: 59235

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=59235

  Log:
    * ext/openssl/ossl_x509store.c: clear error queue after calling
      X509_LOOKUP_load_file()
    
      X509_LOOKUP_load_file(), which ends up calling
      X509_load_cert_crl_file()
      internally, may leave error entries in the queue even when it returns
      a non-zero value (which indicates success).
    
      This will be fixed by OpenSSL 1.1.1, but can be worked around by
      clearing the error queue ourselves.
    
      Fixes: [Backport #11033]

  Modified files:
    branches/ruby_2_3/ChangeLog
    branches/ruby_2_3/ext/openssl/ossl_x509store.c
    branches/ruby_2_3/test/openssl/test_x509store.rb
    branches/ruby_2_3/version.h
Index: ruby_2_3/ext/openssl/ossl_x509store.c
===================================================================
--- ruby_2_3/ext/openssl/ossl_x509store.c	(revision 59234)
+++ ruby_2_3/ext/openssl/ossl_x509store.c	(revision 59235)
@@ -249,6 +249,13 @@ ossl_x509store_add_file(VALUE self, VALU https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ext/openssl/ossl_x509store.c#L249
     if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
         ossl_raise(eX509StoreError, NULL);
     }
+    /*
+     * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
+     * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
+     * "cert already in hash table" errors on the error queue, if duplicate
+     * certificates are found. This will be fixed by OpenSSL 1.1.1.
+     */
+    ERR_clear_error();
 
     return self;
 }
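Review bot: the added `ERR_clear_error()` wipes the whole thread-local error queue, not just the "cert already in hash table" entries the comment describes, so an unrelated error queued before `X509_LOOKUP_load_file()` is discarded too and `OpenSSL.errors` can no longer report it; consider draining with `ERR_get_error()` in a loop and dropping only entries whose reason is the duplicate-certificate one, or at least say in the comment that the unconditional clear is intended. The placement is otherwise right: the `!= 1` branch raises first, so the queue is still intact when `ossl_raise()` builds the exception for a real failure.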
Index: ruby_2_3/version.h
===================================================================
--- ruby_2_3/version.h	(revision 59234)
+++ ruby_2_3/version.h	(revision 59235)
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/version.h#L1
 #define RUBY_VERSION "2.3.5"
 #define RUBY_RELEASE_DATE "2017-06-30"
-#define RUBY_PATCHLEVEL 331
+#define RUBY_PATCHLEVEL 332
 
 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 6
Index: ruby_2_3/test/openssl/test_x509store.rb
===================================================================
--- ruby_2_3/test/openssl/test_x509store.rb	(revision 59234)
+++ ruby_2_3/test/openssl/test_x509store.rb	(revision 59235)
@@ -36,6 +36,32 @@ class OpenSSL::TestX509Store < Test::Uni https://github.com/ruby/ruby/blob/trunk/ruby_2_3/test/openssl/test_x509store.rb#L36
     OpenSSL::TestUtils.issue_crl(*args)
   end
 
+  def test_add_file
+    now = Time.at(Time.now.to_i)
+    ca_exts = [
+      ["basicConstraints", "CA:TRUE", true],
+      ["keyUsage", "cRLSign,keyCertSign", true],
+    ]
+    cert1 = issue_cert(@ca1, @rsa1024, 1, now, now+3600, ca_exts,
+                       nil, nil, "sha1")
+    cert2 = issue_cert(@ca2, @rsa2048, 1, now, now+3600, ca_exts,
+                       nil, nil, "sha1")
+    tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f }
+
+    store = OpenSSL::X509::Store.new
+    assert_equal false, store.verify(cert1)
+    assert_equal false, store.verify(cert2)
+    store.add_file(tmpfile.path)
+    assert_equal true, store.verify(cert1)
+    assert_equal true, store.verify(cert2)
+
+    # OpenSSL < 1.1.1 leaks an error on a duplicate certificate
+    assert_nothing_raised { store.add_file(tmpfile.path) }
+    assert_equal [], OpenSSL.errors
+  ensure
+    tmpfile and tmpfile.close!
+  end
+
   def test_verify
     now = Time.at(Time.now.to_i)
     ca_exts = [
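Review bot: the final `assert_equal [], OpenSSL.errors` is the only check on the queue and it runs after both `add_file` calls, so an entry left over from an earlier test or from the first (non-duplicate) load would also fail it and blur what is being proven; draining the queue once before the first `add_file` and asserting it is empty after that call would pin the assertion to the duplicate-load path. Also, `issue_cert` is called with "sha1"; "sha256" keeps the test from depending on SHA-1 signature acceptance in the linked OpenSSL.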
Index: ruby_2_3/ChangeLog
===================================================================
--- ruby_2_3/ChangeLog	(revision 59234)
+++ ruby_2_3/ChangeLog	(revision 59235)
@@ -1,3 +1,18 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ChangeLog#L1
+Fri Jun 30 21:40:42 2017  Kazuki Yamaguchi <k@r...>
+
+	* ext/openssl/ossl_x509store.c: clear error queue after calling
+	  X509_LOOKUP_load_file()
+
+	  X509_LOOKUP_load_file(), which ends up calling
+	  X509_load_cert_crl_file()
+	  internally, may leave error entries in the queue even when it returns
+	  non-zero value (which indicates success).
+
+	  This will be fixed by OpenSSL 1.1.1, but can be worked around by
+	  clearing the error queue ourselves.
+
+	  Fixes: [Backport #11033]
+
 Fri Jun 30 21:35:16 2017  Nobuyoshi Nakada  <nobu@r...>
 
 	* gc.c (heap_page_allocate): expand sorted pages before inserting

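The condition the commit works around, made observable from Ruby as an added example (not code from the commit or the ruby/ruby project): the helper drains the OpenSSL error queue before `X509::Store#add_file`, inspects whatever a successful call leaves behind, and treats only the duplicate-certificate message the commit names as benign. The helper names (`add_file_checked`, `make_self_signed_ca`, `demo`) and the self-signed CA it builds are assumptions of this example.

```ruby
require "openssl"
require "tempfile"

# Added example, not part of the ruby/ruby commit. Message text is the one the
# commit comment quotes; anything else left on the queue is treated as a real error.
BENIGN_ERROR = /cert already in hash table/i

# Drain the queue first so stale entries from earlier operations are not blamed
# on this load, then classify what the (successful) call left behind.
def add_file_checked(store, path)
  stale = OpenSSL.errors                 # pops every entry queued so far
  store.add_file(path)                   # raises X509::StoreError on a real failure
  leaked = OpenSSL.errors                # entries the successful call left behind
  benign, real = leaked.partition { |e| e =~ BENIGN_ERROR }
  unless real.empty?
    raise OpenSSL::X509::StoreError, "unexpected errors after add_file: #{real.inspect}"
  end
  { stale: stale, benign: benign }
end

# Constructed test data: a self-signed CA certificate (assumed names and validity).
def make_self_signed_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example-ca")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Write the same certificate twice so the second copy is the duplicate that used
# to leave "cert already in hash table" on the queue, then load the file twice.
def demo
  cert = make_self_signed_ca
  Tempfile.create("bundle") do |f|
    f.write(cert.to_pem + cert.to_pem)
    f.flush
    store = OpenSSL::X509::Store.new
    first = add_file_checked(store, f.path)
    second = add_file_checked(store, f.path)   # every cert is now a duplicate
    { verified: store.verify(cert), first: first, second: second }
  end
end
```

With a Ruby whose `add_file` carries this fix, or with OpenSSL 1.1.1 or later, both `:benign` lists come back empty; the wrapper still catches any other entry a library call leaves behind.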
--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
