Backport #1091 [ruby-core:21762]

possible bad handling of return value of OCSP_basic_verify in ext/openssl/ossl_ocsp.c

Added by Lucas Nussbaum 372 days ago. Updated 257 days ago.

Status :Closed Start :02/03/2009
Priority :Normal Due date :
Assigned to :Shyouhei Urabe % Done :

100%
Category :-
Target version :-

Description

This bug was reported on the Debian bug tracker. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528

Looking at the code, it affects both ruby 1.8 and 1.9.

Quoting:
> I was looking at return codes for applications making use of
> openssl functions and found this in ext/openssl/ossl_ocsp.c:
> 
>     result = OCSP_basic_verify(bs, x509s, x509st, flg);
>     sk_X509_pop_free(x509s, X509_free);
>     if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
> 
>     return result ? Qtrue : Qfalse;
> 
> OCSP_basic_verify() can return both 0 and -1 in error cases,
> so this function can incorrectly return information to the
> caller.
> 
> I have no idea if what this code is used for and what the consequences
> of this might be.

ext_openssl_ossl_ocsp.c.diff (905 Bytes) Laurent Sansonetti, 02/18/2009 04:13 AM

Associated revisions

Revision 22440
Added by nobu 355 days ago

  • ext/openssl/ossl_ocsp.c (ossl_ocspbres_verify): OCSP_basic_verify returns positive value on success, not non-zero. [ruby-core:21762]

History

02/03/2009 10:10 AM - Shyouhei Urabe

  • Assigned to set to GOTOU Yuuzou

02/18/2009 04:12 AM - Laurent Sansonetti

Here is a patch that I quickly made for 1.8 (but could also be applied in 1.9).

02/18/2009 04:13 AM - Laurent Sansonetti

02/18/2009 10:58 AM - Nobuyoshi Nakada

Hi,

At Wed, 18 Feb 2009 04:12:29 +0900,
Laurent Sansonetti wrote in [ruby-core:22199]:
> Here is a patch that I quickly made for 1.8 (but could also be applied in 1.9). 

Do you mean that OCSP_basic_verify() returns positive value on
success?

-- 
Nobu Nakada

02/18/2009 06:39 PM - Laurent Sansonetti

Yes, a return value >0 means success (though it will apparently always return 1, for now). In the case of a failure, it can return -1 or 0.

02/19/2009 03:47 PM - Nobuyoshi Nakada

  • Status changed from Open to Closed
  • % Done changed from 0 to 100
Applied in changeset r22440.

05/12/2009 06:27 PM - Shyouhei Urabe

  • Status changed from Closed to Open
  • Assigned to changed from GOTOU Yuuzou to Shyouhei Urabe

05/28/2009 05:22 PM - Shyouhei Urabe

  • Status changed from Open to Closed

Also available in: Atom PDF