Set time directly on the x509 store #770
b4ae6c4 to dca2ee8
a508d5c to 2679889
Depends on ruby/openssl#770
Unsure why that one build failed, @rhenium mind restarting it? Everything was green earlier
ext/openssl/ossl_x509store.c
Outdated
#if !HAVE_X509_STORE_GET0_PARAM | ||
if (!X509_STORE_set1_param(store, param)) | ||
{ | ||
X509_VERIFY_PARAM_free(param); |
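Review bot: the guard #if !HAVE_X509_STORE_GET0_PARAM tests a macro that is simply undefined when the function is missing, which only works because the preprocessor substitutes 0 and it warns under -Wundef; #if !defined(HAVE_X509_STORE_GET0_PARAM) states what is meant. In the lines shown, X509_VERIFY_PARAM_free(param) also sits inside the failure branch of X509_STORE_set1_param(), so confirm the success path releases param too.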
JFYI; you may want to unconditionally call X509_VERIFY_PARAM_free, since X509_STORE_set1_param appears to perform a state copy rather than transferring ownership of the param that gets passed in. Consequently you may end up leaking memory in the "happy" case here.
(OpenSSL's docs are unclear on this, unfortunately -- this is from me tracing OpenSSL's x509_lu.c by hand.)
Yes, in OpenSSL's convention set0 is used for functions that transfer ownership, and set1 is used for those that copy contents or increment a reference counter.
ext/openssl/ossl_x509store.c
Outdated
#if HAVE_X509_STORE_GET0_PARAM | ||
param = X509_STORE_get0_param(store); | ||
#else | ||
param = X509_VERIFY_PARAM_new(); |
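Review bot: the two branches here leave param with different ownership: X509_STORE_get0_param() returns a pointer the store still owns, while X509_VERIFY_PARAM_new() returns an object the caller has to free. Any cleanup further down must be guarded by the same HAVE_X509_STORE_GET0_PARAM condition so the borrowed pointer is never freed, and a one-line comment at the #else saying so would help. The result of X509_VERIFY_PARAM_new() should also be checked for NULL before use if that is not already done below.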
Struct fields on X509_STORE (and in general) were part of public API in OpenSSL 1.0.2.
param = X509_VERIFY_PARAM_new(); | |
param = store->param; |
The X509_STORE_set1_param() call later will become unnecessary with this.
@@ -599,8 +614,6 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) | |||
sk_X509_pop_free(x509s, X509_free); | |||
ossl_raise(eX509StoreError, "X509_STORE_CTX_init"); | |||
} | |||
if (!NIL_P(t = rb_iv_get(store, "@time"))) | |||
ossl_x509stctx_set_time(self, t); |
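Review bot: with the @time read removed from ossl_x509stctx_initialize(), a StoreContext gets its verification time only through what X509_STORE_CTX_init() takes over from the store, so this path needs a regression test. Suggest a test that sets the time on the store, builds a new StoreContext from it without setting a time on the context, and asserts that an expired certificate is rejected or accepted according to the store's time.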
With this line removed, you can also remove the function prototype for ossl_x509stctx_set_time() above.
Instead of an ivar, so other ossl functions that take a store will use the correct time when verifying
2679889 to 69c57f6
@rhenium done!
Depends on ruby/openssl#770 Signed-off-by: Samuel Giddins <segiddins@segiddins.me>
Instead of an ivar, so other ossl functions that take a store (such as OpenSSL::Timestamp::Response#verify) will use the correct time when verifying
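The behaviour this change has to preserve, as an added example that is not code from this pull request: a time set on the store decides whether a certificate is inside its validity window, both through Store#verify and through a StoreContext built from the store. The certificate is a constructed self-signed sample, and the names KEY, CERT, build_cert, verify_via_store and verify_via_context are hypothetical.

```ruby
require "openssl"

# Constructed sample key and self-signed certificate, valid only during 2020.
KEY = OpenSSL::PKey::RSA.new(2048)

def build_cert(not_before, not_after)
  name = OpenSSL::X509::Name.parse("/CN=constructed-example")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = KEY.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(KEY, "SHA256")
  cert
end

CERT = build_cert(Time.utc(2020, 1, 1), Time.utc(2021, 1, 1))

# Build a store that trusts CERT and pins the verification time to +at+.
def store_at(at)
  store = OpenSSL::X509::Store.new
  store.add_cert(CERT)
  store.time = at
  store
end

# Verify through the store itself. Returns [ok, error_code].
def verify_via_store(at)
  store = store_at(at)
  ok = store.verify(CERT)
  [ok, store.error]
end

# Verify through a StoreContext created from the store; the time is
# never set on the context, only on the store. Returns [ok, error_code].
def verify_via_context(at)
  ctx = OpenSSL::X509::StoreContext.new(store_at(at), CERT)
  ok = ctx.verify
  [ok, ctx.error]
end
```
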