* ext/openssl/ossl_x509store.c: clear error queue after calling

  X509_LOOKUP_load_file()

  X509_LOOKUP_load_file(), which ends up calling
  X509_load_cert_crl_file()
  internally, may leave error entries in the queue even when it returns
  non-zero value (which indicates success).

  This will be fixed by OpenSSL 1.1.1, but can be worked around by
  clearing the error queue ourselves.

  Fixes: [Backport #11033]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59235 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 26 insertions, 0 deletions

diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 9964cc8fc4..0ae94e2c64 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -36,6 +36,32 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
     OpenSSL::TestUtils.issue_crl(*args)
   end
 
+  def test_add_file
+    now = Time.at(Time.now.to_i)
+    ca_exts = [
+      ["basicConstraints", "CA:TRUE", true],
+      ["keyUsage", "cRLSign,keyCertSign", true],
+    ]
+    cert1 = issue_cert(@ca1, @rsa1024, 1, now, now+3600, ca_exts,
+                       nil, nil, "sha1")
+    cert2 = issue_cert(@ca2, @rsa2048, 1, now, now+3600, ca_exts,
+                       nil, nil, "sha1")
+    tmpfile = Tempfile.open { |f| f << cert1.to_pem << cert2.to_pem; f }
+
+    store = OpenSSL::X509::Store.new
+    assert_equal false, store.verify(cert1)
+    assert_equal false, store.verify(cert2)
+    store.add_file(tmpfile.path)
+    assert_equal true, store.verify(cert1)
+    assert_equal true, store.verify(cert2)
+
+    # OpenSSL < 1.1.1 leaks an error on a duplicate certificate
+    assert_nothing_raised { store.add_file(tmpfile.path) }
+    assert_equal [], OpenSSL.errors
+  ensure
+    tmpfile and tmpfile.close!
+  end
+
   def test_verify
     now = Time.at(Time.now.to_i)
     ca_exts = [