openssl: refactor OpenSSL::OCSP::*#verify

* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): Use ossl_clear_error() so that they don't print warnings to stderr and leak errors in the OpenSSL error queue. Also, check the return value of OCSP_*_verify() correctly. They can return -1 on verification failure. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2016-06-15 15:02:46 +00:00 · 2016-06-15 15:02:46 +00:00 · 9192f253b9
commit 9192f253b9
parent 2851f19f49
2 changed files with 26 additions and 16 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
 Thu Jun 16 00:02:32 2016  Kazuki Yamaguchi  <k@rhe.jp>
 	* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify):
 	  Use ossl_clear_error() so that they don't print warnings to stderr and
 	  leak errors in the OpenSSL error queue. Also, check the return value
 	  of OCSP_*_verify() correctly. They can return -1 on verification
 	  failure.
 Wed Jun 15 19:52:23 2016  Kazuki Yamaguchi  <k@rhe.jp>
 	* ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@ -360,10 +360,11 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
 /*
 * call-seq:
- *   request.verify(certificates, store)        -> true or false
+ *   request.verify(certificates, store, flags = 0) -> true or false
 *   request.verify(certificates, store, flags) -> true or false
 *
- * Verifies this request using the given +certificates+ and X509 +store+.
+ * Verifies this request using the given +certificates+ and +store+.
 * +certificates+ is an array of OpenSSL::X509::Certificate, +store+ is an
 * OpenSSL::X509::Store.
 */
 static VALUE
@ -376,15 +377,16 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
    int flg, result;
    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    GetOCSPReq(self, req);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
    GetOCSPReq(self, req);
    result = OCSP_request_verify(req, x509s, x509st, flg);
    sk_X509_pop_free(x509s, X509_free);
-    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+    if (!result)
 	ossl_clear_error();
-    return result ? Qtrue : Qfalse;
+    return result > 0 ? Qtrue : Qfalse;
 }
 /*
@ -855,31 +857,31 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
 /*
 * call-seq:
- *   basic_response.verify(certificates, store) -> true or false
+ *   basic_response.verify(certificates, store, flags = 0) -> true or false
 *   basic_response.verify(certificates, store, flags) -> true or false
 *
- * Verifies the signature of the response using the given +certificates+,
+ * Verifies the signature of the response using the given +certificates+ and
- * +store+ and +flags+.
+ * +store+. This works in the similar way as OpenSSL::OCSP::Request#verify.
 */
 static VALUE
 ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
 {
-    VALUE certs, store, flags, result;
+    VALUE certs, store, flags;
    OCSP_BASICRESP *bs;
    STACK_OF(X509) *x509s;
    X509_STORE *x509st;
-    int flg;
+    int flg, result;
    rb_scan_args(argc, argv, "21", &certs, &store, &flags);
    GetOCSPBasicRes(self, bs);
    x509st = GetX509StorePtr(store);
    flg = NIL_P(flags) ? 0 : NUM2INT(flags);
    x509s = ossl_x509_ary2sk(certs);
-    GetOCSPBasicRes(self, bs);
+    result = OCSP_basic_verify(bs, x509s, x509st, flg);
    result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse;
    sk_X509_pop_free(x509s, X509_free);
-    if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+    if (!result)
 	ossl_clear_error();
-    return result;
+    return result > 0 ? Qtrue : Qfalse;
 }
 /*