[ruby/openssl] x509*: fix error queue leak in #extensions= and #attributes= methods

rhenium · tenderworks · commit f7660b2013b3 · 2022-10-27T16:48:21.000-07:00
X509at_delete_attr() in OpenSSL master puts an error queue entry if there is no attribute left to delete. We must either clear the error queue, or try not to call it when the list is already empty. ruby/openssl@a0c878481f
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
@@ -642,12 +642,12 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509(self, x509);
-    while ((ext = X509_delete_ext(x509, 0)))
-	X509_EXTENSION_free(ext);
+    for (i = X509_get_ext_count(x509); i > 0; i--)
+        X509_EXTENSION_free(X509_delete_ext(x509, 0));
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
 	if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
-	    ossl_raise(eX509CertError, NULL);
+	    ossl_raise(eX509CertError, "X509_add_ext");
 	}
     }
 
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
@@ -474,12 +474,12 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509CRL(self, crl);
-    while ((ext = X509_CRL_delete_ext(crl, 0)))
-	X509_EXTENSION_free(ext);
+    for (i = X509_CRL_get_ext_count(crl); i > 0; i--)
+        X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0));
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
 	if (!X509_CRL_add_ext(crl, ext, -1)) {
-	    ossl_raise(eX509CRLError, NULL);
+	    ossl_raise(eX509CRLError, "X509_CRL_add_ext");
 	}
     }
 
diff --git a/ext/openssl/ossl_x509req.c b/ext/openssl/ossl_x509req.c
@@ -380,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);
     }
     GetX509Req(self, req);
-    while ((attr = X509_REQ_delete_attr(req, 0)))
-	X509_ATTRIBUTE_free(attr);
+    for (i = X509_REQ_get_attr_count(req); i > 0; i--)
+        X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0));
     for (i=0;i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
 	attr = GetX509AttrPtr(item);
 	if (!X509_REQ_add1_attr(req, attr)) {
-	    ossl_raise(eX509ReqError, NULL);
+	    ossl_raise(eX509ReqError, "X509_REQ_add1_attr");
 	}
     }
     return ary;
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
@@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509Rev(self, rev);
-    while ((ext = X509_REVOKED_delete_ext(rev, 0)))
-	X509_EXTENSION_free(ext);
+    for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--)
+        X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0));
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	item = RARRAY_AREF(ary, i);
 	ext = GetX509ExtPtr(item);
 	if(!X509_REVOKED_add_ext(rev, ext, -1)) {
-	    ossl_raise(eX509RevError, NULL);
+	    ossl_raise(eX509RevError, "X509_REVOKED_add_ext");
 	}
     }
 

Original file line number	Diff line number	Diff line change
`@@ -642,12 +642,12 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)`
`642`	`642`	`OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);`
`643`	`643`	`}`
`644`	`644`	`GetX509(self, x509);`
`645`		`- while ((ext = X509_delete_ext(x509, 0)))`
`646`		`- X509_EXTENSION_free(ext);`
	`645`	`+ for (i = X509_get_ext_count(x509); i > 0; i--)`
	`646`	`+ X509_EXTENSION_free(X509_delete_ext(x509, 0));`
`647`	`647`	`for (i=0; i<RARRAY_LEN(ary); i++) {`
`648`	`648`	`ext = GetX509ExtPtr(RARRAY_AREF(ary, i));`
`649`	`649`	`if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */`
`650`		`- ossl_raise(eX509CertError, NULL);`
	`650`	`+ ossl_raise(eX509CertError, "X509_add_ext");`
`651`	`651`	`}`
`652`	`652`	`}`
`653`	`653`
Original file line number	Diff line number	Diff line change
`@@ -474,12 +474,12 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)`
`474`	`474`	`OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);`
`475`	`475`	`}`
`476`	`476`	`GetX509CRL(self, crl);`
`477`		`- while ((ext = X509_CRL_delete_ext(crl, 0)))`
`478`		`- X509_EXTENSION_free(ext);`
	`477`	`+ for (i = X509_CRL_get_ext_count(crl); i > 0; i--)`
	`478`	`+ X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0));`
`479`	`479`	`for (i=0; i<RARRAY_LEN(ary); i++) {`
`480`	`480`	`ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */`
`481`	`481`	`if (!X509_CRL_add_ext(crl, ext, -1)) {`
`482`		`- ossl_raise(eX509CRLError, NULL);`
	`482`	`+ ossl_raise(eX509CRLError, "X509_CRL_add_ext");`
`483`	`483`	`}`
`484`	`484`	`}`
`485`	`485`
Original file line number	Diff line number	Diff line change
`@@ -380,13 +380,13 @@ ossl_x509req_set_attributes(VALUE self, VALUE ary)`
`380`	`380`	`OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Attr);`
`381`	`381`	`}`
`382`	`382`	`GetX509Req(self, req);`
`383`		`- while ((attr = X509_REQ_delete_attr(req, 0)))`
`384`		`- X509_ATTRIBUTE_free(attr);`
	`383`	`+ for (i = X509_REQ_get_attr_count(req); i > 0; i--)`
	`384`	`+ X509_ATTRIBUTE_free(X509_REQ_delete_attr(req, 0));`
`385`	`385`	`for (i=0;i<RARRAY_LEN(ary); i++) {`
`386`	`386`	`item = RARRAY_AREF(ary, i);`
`387`	`387`	`attr = GetX509AttrPtr(item);`
`388`	`388`	`if (!X509_REQ_add1_attr(req, attr)) {`
`389`		`- ossl_raise(eX509ReqError, NULL);`
	`389`	`+ ossl_raise(eX509ReqError, "X509_REQ_add1_attr");`
`390`	`390`	`}`
`391`	`391`	`}`
`392`	`392`	`return ary;`
Original file line number	Diff line number	Diff line change
`@@ -223,13 +223,13 @@ ossl_x509revoked_set_extensions(VALUE self, VALUE ary)`
`223`	`223`	`OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);`
`224`	`224`	`}`
`225`	`225`	`GetX509Rev(self, rev);`
`226`		`- while ((ext = X509_REVOKED_delete_ext(rev, 0)))`
`227`		`- X509_EXTENSION_free(ext);`
	`226`	`+ for (i = X509_REVOKED_get_ext_count(rev); i > 0; i--)`
	`227`	`+ X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0));`
`228`	`228`	`for (i=0; i<RARRAY_LEN(ary); i++) {`
`229`	`229`	`item = RARRAY_AREF(ary, i);`
`230`	`230`	`ext = GetX509ExtPtr(item);`
`231`	`231`	`if(!X509_REVOKED_add_ext(rev, ext, -1)) {`
`232`		`- ossl_raise(eX509RevError, NULL);`
	`232`	`+ ossl_raise(eX509RevError, "X509_REVOKED_add_ext");`
`233`	`233`	`}`
`234`	`234`	`}`
`235`	`235`