Bug #1091: possible bad handling of return value of OCSP_basic_verify in ext/openssl/ossl_ocsp.c
http://redmine.ruby-lang.org/issues/show/1091

Author: Lucas Nussbaum
Status: Open, Priority: Normal
ruby -v: 1.9.0

This bug was reported on the Debian bug tracker. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528

Looking at the code, it affects both ruby 1.8 and 1.9.

Quoting:

> I was looking at return codes for applications making use of
> openssl functions and found this in ext/openssl/ossl_ocsp.c:
>
>     result = OCSP_basic_verify(bs, x509s, x509st, flg);
>     sk_X509_pop_free(x509s, X509_free);
>     if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
>
>     return result ? Qtrue : Qfalse;
>
> OCSP_basic_verify() can return both 0 and -1 in error cases,
> so this function can incorrectly return information to the
> caller.
>
> I have no idea what this code is used for and what the consequences
> of this might be.

----------------------------------------
http://redmine.ruby-lang.org
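The return-value coercion the report describes, as an added C example that is not Ruby's or OpenSSL's code: it stands in OCSP_basic_verify()'s documented contract (1 = signature verified, 0 = verification failed, -1 = fatal error such as an allocation failure) with plain integers, uses assumed QTRUE/QFALSE macros and a warn_stub() in place of Qtrue/Qfalse and rb_warn(), and places the mapping quoted above beside one that treats only an explicit 1 as success.

```c
#include <stdio.h>

/* Added example, not the ossl_ocsp.c code itself. QTRUE/QFALSE and
 * warn_stub() are constructed stand-ins for Ruby's Qtrue/Qfalse and
 * rb_warn(); the int passed in plays OCSP_basic_verify()'s result:
 *   1  -> signature verified
 *   0  -> verification failed
 *  -1  -> fatal error (e.g. malloc failure), nothing was verified */
#define QTRUE  1
#define QFALSE 0

static int warnings_emitted = 0;

/* Counts calls so the effect of each mapping can be checked. */
static void warn_stub(const char *msg) {
    warnings_emitted++;
    fprintf(stderr, "warning: %s\n", msg);
}

/* Mapping as quoted in the report: !result is false for -1, so the
 * fatal-error path emits no warning and is handed back as success. */
int buggy_verify_result_to_value(int result) {
    if (!result) warn_stub("OCSP_basic_verify failed");
    return result ? QTRUE : QFALSE;
}

/* Hardened mapping: only an explicit 1 is success; 0 and -1 both warn
 * (with distinct messages) and both reach the caller as failure. */
int fixed_verify_result_to_value(int result) {
    if (result < 0) {
        warn_stub("OCSP_basic_verify: fatal error, nothing verified");
    } else if (result == 0) {
        warn_stub("OCSP_basic_verify failed");
    }
    return result == 1 ? QTRUE : QFALSE;
}

int main(void) {
    const int results[] = { 1, 0, -1 };
    for (int i = 0; i < 3; i++) {
        printf("result=%2d  buggy->%d  fixed->%d\n", results[i],
               buggy_verify_result_to_value(results[i]),
               fixed_verify_result_to_value(results[i]));
    }
    return 0;
}
```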