[Rt-commit] rt branch, 4.2/smime, updated. rt-4.1.19-218-g9acf810

Alex Vandiver alexmv at bestpractical.com
Wed Sep 4 13:08:34 EDT 2013


The branch, 4.2/smime has been updated
       via  9acf8107b6548f05202fbeefdfd4babc3df67f60 (commit)
      from  44484ab736e7426c5ee66092b41051e9a53c6557 (commit)

Summary of changes:
 lib/RT/Crypt/SMIME.pm | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

- Log -----------------------------------------------------------------
commit 9acf8107b6548f05202fbeefdfd4babc3df67f60
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Sep 4 13:03:48 2013 -0400

    OpenSSL 1.0.1d and above return non-0 values from `openssl verify`
    
    Versions of OpenSSL prior to 1.0.1d always returned 0, even for
    certificates which did not verify.  Starting with 1.0.1d, openssl will
    exit with a return code of 2 if the certificate chain fails to verify.
    
    Cope by interpreting exit codes of 0 or 2, when not accompanied by an
    explicit "OK", as verification failure, not openssl failure.
    Additionally, add a trust level of "unknown" if openssl does abort
    unexpectedly.

diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 37acb8a..9512554 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -889,21 +889,22 @@ sub GetCertificateInfo {
         ];
         my $buf = '';
         safe_run_child { run3( $cmd, \$PEM, \$buf, \$res{stderr} ) };
-        if ( $? ) {
-            $res{exit_code} = $?;
-            $res{message} = "openssl exited with error code ". ($? >> 8)
-                ." and error: $res{stderr}";
-            return %res;
-        }
 
         if ($buf =~ /^stdin: OK$/) {
             $res{info}[0]{Trust} = "Signed by trusted CA $res{info}[0]{Issuer}[0]{String}";
             $res{info}[0]{TrustTerse} = "full";
             $res{info}[0]{TrustLevel} = 2;
-        } else {
+        } elsif ($? == 0 or ($? >> 8) == 2) {
             $res{info}[0]{Trust} = "UNTRUSTED signing CA $res{info}[0]{Issuer}[0]{String}";
             $res{info}[0]{TrustTerse} = "none";
             $res{info}[0]{TrustLevel} = -1;
+        } else {
+            $res{exit_code} = $?;
+            $res{message} = "openssl exited with error code ". ($? >> 8)
+                ." and stout: $buf";
+            $res{info}[0]{Trust} = "unknown (openssl failed)";
+            $res{info}[0]{TrustTerse} = "unknown";
+            $res{info}[0]{TrustLevel} = 0;
         }
     } else {
         $res{info}[0]{Trust} = "unknown (no CAPath set)";
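Review bot: the new `else` branch's message has a typo, `"and stout: $buf"` should read `"and stdout: $buf"`, and it also drops the `$res{stderr}` text the removed block used to report, which is where openssl writes the reason it aborted; suggest `." and stdout: $buf, stderr: $res{stderr}";` so the unexpected-failure case stays diagnosable. The new `elsif` correctly narrows the "UNTRUSTED" result to exit status 0 or 2 without an explicit `stdin: OK`, and the fallback to `TrustLevel` 0 with `TrustTerse` "unknown" for any other status is the right conservative default; since this path no longer returns early, consider a one-line comment above the `elsif` noting that OpenSSL 1.0.1d+ exits 2 on chain-verification failure so the magic number is explained where it is tested.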

-----------------------------------------------------------------------

