Package: libopenssl-ruby1.8
Version: 1.8.2-7sarge4

This bug affects the verification of SMIME signatures. When one signature verification fails appropriately, the error state is not cleared, so that a subsequent signature verification fails inappropriately. A program to reproduce the error follows. The program generates two signatures, attempts to verify the first against altered signed data, which should fail, and then verifies the second against unaltered data, which should succeed but fails.

Below the program is a patch that fixes the problem, and "make test" succeeds with the patch. The patch adds a call to ossl_raise() near the end of ossl_pkcs7_verify(), which clears the error flag. There is a change in behaviour in that with the patch ossl_pkcs7_verify() will throw an exception rather than return false on (at least some) failing signatures.

################################################################################
require 'openssl'
include OpenSSL

ca_store = X509::Store.new
ca_store.add_path( '/etc/ssl/certs/' )
cert = X509::Certificate.new( File::read( 'foo.crt' ) )
key = PKey::RSA.new( File::read( 'foo.key' ), 'aaaa' )
flags = PKCS7::DETACHED | PKCS7::BINARY | PKCS7::NOATTR | PKCS7::NOCERTS

data1 = "This is the first bit of data to sign."
sig1 = PKCS7::sign( cert, key, data1, [], flags ).to_pem

data2 = "This is the second bit of data to sign."
sig2 = PKCS7::sign( cert, key, data2, [], flags ).to_pem

ret = false
pkcs7 = PKCS7::PKCS7.new( sig1 )
# The data here is different, so verification should fail
pkcs7.data = data1 + "fail!"
begin
   # Without patch, this call returns false and sets the error flag
   # With patch, it throws
   ret = pkcs7.verify( [cert], ca_store )
rescue => e
   puts "First verification threw exception"
end
puts "First verification gave #{ret}"

ret = false
pkcs7 = PKCS7::PKCS7.new( sig2 )
begin
   # Here the data is unaltered, verification should succeed
   # Without patch, this call (i.e. data=) throws since the
   # error flag from the earlier error has not been cleared
   pkcs7.data = data2
   puts "Data was added to PKCS7 without exception"
   ret = pkcs7.verify( [cert], ca_store )
rescue => e
   puts "Adding data to second PKCS7 threw exception"
end

puts "Second verification gave #{ret}"
################################################################################

diff -ruN ruby-1.8.2/ext/openssl/ossl_pkcs7.c 
ruby-1.8.2-1/ext/openssl/ossl_pkcs7.c
--- ruby-1.8.2/ext/openssl/ossl_pkcs7.c 2004-12-14 17:54:38.000000000 -0800
+++ ruby-1.8.2-1/ext/openssl/ossl_pkcs7.c       2006-10-20 10:29:58.000000000 
-0700
@@ -609,6 +609,10 @@
    ossl_pkcs7_set_data(self, data);
    sk_X509_pop_free(x509s, X509_free);

+    if(ERR_peek_error()){
+       ossl_raise(ePKCS7Error, NULL);
+    }
+
    return (ok == 1) ? Qtrue : Qfalse;
}
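
Review bot: The added `if(ERR_peek_error())` check just before the return does not depend on `ok`, so it raises ePKCS7Error for any error left on the OpenSSL queue. That turns an ordinary failed verification from a `false` return into an exception, and it could also raise when `ok == 1` if an unrelated error is still queued. If the goal is only to stop stale error state from leaking into later calls, consider clearing the queue with ERR_clear_error() at this point and keeping `return (ok == 1) ? Qtrue : Qfalse;` as the only result. If raising is intended, the changed contract of verify should be documented for callers that test the return value.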

################################################################################

Output without the patch:
$ ruby bug.rb
First verification gave false
Adding data to second PKCS7 threw exception
Second verification gave false

Output with the patch:
$ ~/SSL/src/ruby/bin/ruby bug.rb
First verification threw exception
First verification gave false
Data was added to PKCS7 without exception
Second verification gave true
