summaryrefslogtreecommitdiff
path: root/ext/openssl
diff options
context:
space:
mode:
authorrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-15 15:02:46 +0000
committerrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-15 15:02:46 +0000
commit9192f253b96d80920f723a7b801a9d34ca750361 (patch)
treea06df1204e87dada20570382a59364d2a95f9845 /ext/openssl
parent2851f19f49783149a2ba43f7c1be743601c7cf2d (diff)
openssl: refactor OpenSSL::OCSP::*#verify
* ext/openssl/ossl_ocsp.c (ossl_ocspreq_verify, ossl_ocspbres_verify): Use ossl_clear_error() so that they don't print warnings to stderr and leak errors in the OpenSSL error queue. Also, check the return value of OCSP_*_verify() correctly. They can return -1 on verification failure. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55423 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/ossl_ocsp.c34
1 files changed, 18 insertions, 16 deletions
diff --git a/ext/openssl/ossl_ocsp.c b/ext/openssl/ossl_ocsp.c
index 3560443..b63361d 100644
--- a/ext/openssl/ossl_ocsp.c
+++ b/ext/openssl/ossl_ocsp.c
@@ -360,10 +360,11 @@ ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
/*
* call-seq:
- * request.verify(certificates, store) -> true or false
- * request.verify(certificates, store, flags) -> true or false
+ * request.verify(certificates, store, flags = 0) -> true or false
*
- * Verifies this request using the given +certificates+ and X509 +store+.
+ * Verifies this request using the given +certificates+ and +store+.
+ * +certificates+ is an array of OpenSSL::X509::Certificate, +store+ is an
+ * OpenSSL::X509::Store.
*/
static VALUE
@@ -376,15 +377,16 @@ ossl_ocspreq_verify(int argc, VALUE *argv, VALUE self)
int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+ GetOCSPReq(self, req);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
- GetOCSPReq(self, req);
result = OCSP_request_verify(req, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
- if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+ if (!result)
+ ossl_clear_error();
- return result ? Qtrue : Qfalse;
+ return result > 0 ? Qtrue : Qfalse;
}
/*
@@ -855,31 +857,31 @@ ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
/*
* call-seq:
- * basic_response.verify(certificates, store) -> true or false
- * basic_response.verify(certificates, store, flags) -> true or false
+ * basic_response.verify(certificates, store, flags = 0) -> true or false
*
- * Verifies the signature of the response using the given +certificates+,
- * +store+ and +flags+.
+ * Verifies the signature of the response using the given +certificates+ and
+ * +store+. This works in the similar way as OpenSSL::OCSP::Request#verify.
*/
static VALUE
ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
{
- VALUE certs, store, flags, result;
+ VALUE certs, store, flags;
OCSP_BASICRESP *bs;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
- int flg;
+ int flg, result;
rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+ GetOCSPBasicRes(self, bs);
x509st = GetX509StorePtr(store);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
x509s = ossl_x509_ary2sk(certs);
- GetOCSPBasicRes(self, bs);
- result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse;
+ result = OCSP_basic_verify(bs, x509s, x509st, flg);
sk_X509_pop_free(x509s, X509_free);
- if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+ if (!result)
+ ossl_clear_error();
- return result;
+ return result > 0 ? Qtrue : Qfalse;
}
/*