authornahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2011-07-14 05:46:00 +0000
committernahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2011-07-14 05:46:00 +0000
commitbdd7cf158ef5d80aa36b713ed6fd713407f58193 (patch)
tree63911fc7f811aff58f76938b6a843dc4c6425149 /ext/openssl
parent3fc759ae746ce5d6d86adf152d07293441e05f0a (diff)
* backport r32537 from trunk.
* ext/openssl/ossl.c (ossl_verify_cb): trap the exception from verify callback of SSLContext and X509Store and make the verification fail normally. Raising exception directly from callback causes orphan resources in OpenSSL stack. Patched by Ippei Obayashi. See #4445. * test/openssl/test_ssl.rb (test_exception_in_verify_callback_is_ignored): test it. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32538 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/ossl.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index c5321b60ae..f3410b64e8 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -223,8 +223,11 @@ ossl_verify_cb(int ok, X509_STORE_CTX *ctx)
args.proc = proc;
args.preverify_ok = ok ? Qtrue : Qfalse;
args.store_ctx = rctx;
- ret = rb_ensure(ossl_call_verify_cb_proc, (VALUE)&args,
- ossl_x509stctx_clear_ptr, rctx);
+ ret = rb_protect((VALUE(*)(VALUE))ossl_call_verify_cb_proc, (VALUE)&args, &state);
+ ossl_x509stctx_clear_ptr(rctx);
+ if (state) {
+ rb_warn("exception in verify_callback is ignored");
+ }
}
if (ret == Qtrue) {
X509_STORE_CTX_set_error(ctx, X509_V_OK);
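Review bot: The `if (state)` branch warns about the trapped exception but never clears it. `rb_protect` leaves the exception in the interpreter's error info, so it can still surface as `$!` after the handshake has been rejected; adding `rb_set_errinfo(Qnil);` before the `rb_warn` call would discard it. Rejection also depends on `rb_protect` returning `Qnil` when `state` is non-zero, so that `ret == Qtrue` is false, and a comment such as `/* rb_protect returns Qnil on a non-local exit, so the certificate is rejected below */` would make that fail-closed path explicit. The fixed warning text drops the exception's class and message, which will make a failed verification hard to diagnose from logs. `ossl_verify_cb` starts and ends outside this hunk, so the declaration of `state` and the rejection branch are not visible here.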