openssl: refactor OpenSSL::OCSP::*#verify

* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): Use ossl_clear_error() so that they don't print warnings to stderr and leak errors in the OpenSSL error queue. Also, check the return value of OCSP_*_verify() correctly. They can return -1 on verification failure. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2016-06-15 15:02:46 +00:00 · 2016-06-15 15:02:46 +00:00 · 9192f253b9
commit 9192f253b9
parent 2851f19f49
2 changed files with 26 additions and 16 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Thu Jun 16 00:02:32 2016  Kazuki Yamaguchi  <k@rhe.jp>
+
+	* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify):
+	  Use ossl_clear_error() so that they don't print warnings to stderr and
+	  leak errors in the OpenSSL error queue. Also, check the return value
+	  of OCSP_*_verify() correctly. They can return -1 on verification
+	  failure.
+
 Wed Jun 15 19:52:23 2016  Kazuki Yamaguchi  <k@rhe.jp>

 	* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@ -360,10 +360,11 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)

 /*
 * call-seq:
- *   request.verify(certificates, store)        -> true or false
- *   request.verify(certificates, store, flags) -> true or false
+ *   request.verify(certificates, store, flags = 0) -> true or false
 *
- * Verifies this request using the given +certificates+ and X509 +store+.
+ * Verifies this request using the given +certificates+ and +store+.
+ * +certificates+ is an array of OpenSSL::X509::Certificate, +store+ is an
+ * OpenSSL::X509::Store.
 */

 static VALUE
@ -376,15 +377,16 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+    GetOCSPReq(self, req);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
-    GetOCSPReq(self, req);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
-    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+    if (!result)
+	ossl_clear_error();

-    return result ? Qtrue : Qfalse;
+    return result > 0 ? Qtrue : Qfalse;
 }

 /*
@ -855,31 +857,31 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)

 /*
 * call-seq:
- *   basic_response.verify(certificates, store) -> true or false
- *   basic_response.verify(certificates, store, flags) -> true or false
+ *   basic_response.verify(certificates, store, flags = 0) -> true or false
 *
- * Verifies the signature of the response using the given +certificates+,
- * +store+ and +flags+.
+ * Verifies the signature of the response using the given +certificates+ and
+ * +store+. This works in the similar way as OpenSSL::OCSP::Request#verify.
 */
 static VALUE
 ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
 {
-    VALUE certs, store, flags, result;
+    VALUE certs, store, flags;
    OCSP_BASICRESP *bs;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
-    int flg;
+    int flg, result;

    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+    GetOCSPBasicRes(self, bs);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
-    GetOCSPBasicRes(self, bs);
-    result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse;
+    result = OCSP_basic_verify(bs, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
-    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+    if (!result)
+	ossl_clear_error();

-    return result;
+    return result > 0 ? Qtrue : Qfalse;
 }

 /*