Set time directly on the x509 store #770
Conversation
segiddins
force-pushed
the
segiddins/set-time-directly-on-the-x509-store
branch
from
b4ae6c4
to
dca2ee8
Compare
segiddins
force-pushed
the
segiddins/set-time-directly-on-the-x509-store
branch
2 times, most recently
from
a508d5c
to
2679889
Compare
Depends on ruby/openssl#770
|
Unsure why that one build failed, @rhenium mind restarting it? Everything was green earlier |
ext/openssl/ossl_x509store.c
Outdated
| #if !HAVE_X509_STORE_GET0_PARAM | ||
| if (!X509_STORE_set1_param(store, param)) | ||
| { | ||
| X509_VERIFY_PARAM_free(param); |
There was a problem hiding this comment.
JFYI; you may want to unconditionally call X509_VERIFY_PARAM_free, since X509_STORE_set1_param appears to perform a state copy rather than transfering ownership of the param that gets passed in. Consequently you may end up leaking memory in the "happy" case here.
(OpenSSL's docs are unclear on this, unfortunately -- this is from me tracing OpenSSL's x509_lu.c by hand.)
There was a problem hiding this comment.
Yes, in OpenSSL's convension set0 is used for functions that transfer ownership, and set1 is used for those that copy contents or increment a reference counter.
ext/openssl/ossl_x509store.c
Outdated
| #if HAVE_X509_STORE_GET0_PARAM | ||
| param = X509_STORE_get0_param(store); | ||
| #else | ||
| param = X509_VERIFY_PARAM_new(); |
There was a problem hiding this comment.
Struct fields on X509_STORE (and in general) were part of public API in OpenSSL 1.0.2.
| param = X509_VERIFY_PARAM_new(); | |
| param = store->param; |
The X509_STORE_set1_param() call later will become unnecessary with this.
| @@ -599,8 +614,6 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) | |||
| sk_X509_pop_free(x509s, X509_free); | |||
| ossl_raise(eX509StoreError, "X509_STORE_CTX_init"); | |||
| } | |||
| if (!NIL_P(t = rb_iv_get(store, "@time"))) | |||
| ossl_x509stctx_set_time(self, t); | |||
There was a problem hiding this comment.
With this line removed, you can also remove the function prototype for ossl_x509stctx_set_time() above.
Instead of an ivar, so other ossl functions that take a store will use the correct time when verifying
segiddins
force-pushed
the
segiddins/set-time-directly-on-the-x509-store
branch
from
2679889
to
69c57f6
Compare
|
@rhenium done! |
Depends on ruby/openssl#770 Signed-off-by: Samuel Giddins <segiddins@segiddins.me>
Depends on ruby/openssl#770 Signed-off-by: Samuel Giddins <segiddins@segiddins.me>
Depends on ruby/openssl#770 Signed-off-by: Samuel Giddins <segiddins@segiddins.me>
Instead of an ivar, so other ossl functions that take a store (such as
OpenSSL::Timestamp::Response#verify) will use the correct time when verifying