From fcf170ac08903a4ba471f07e3c4cfc6626b2f987 Mon Sep 17 00:00:00 2001
From: HoneyryderChuck <cardoso_tiago@hotmail.com>
Date: Sat, 19 Oct 2024 16:37:25 +0100
Subject: [PATCH] store and storecontext: check whether object is frozen before
 executing state change functions

this makes them mostly useless, considering how they're used standalone
---
 ext/openssl/ossl_x509store.c   | 15 +++++++++++++++
 test/openssl/test_x509store.rb |  7 +++++++
 2 files changed, 22 insertions(+)

diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 670519feb..9548e5d68 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -246,6 +246,7 @@ static VALUE
 ossl_x509store_set_flags(VALUE self, VALUE flags)
 {
     X509_STORE *store;
+    rb_check_frozen(self);
     long f = NUM2LONG(flags);
 
     GetX509Store(self, store);
@@ -281,6 +282,7 @@ static VALUE
 ossl_x509store_set_purpose(VALUE self, VALUE purpose)
 {
     X509_STORE *store;
+    rb_check_frozen(self);
     int p = NUM2INT(purpose);
 
     GetX509Store(self, store);
@@ -305,6 +307,7 @@ static VALUE
 ossl_x509store_set_trust(VALUE self, VALUE trust)
 {
     X509_STORE *store;
+    rb_check_frozen(self);
     int t = NUM2INT(trust);
 
     GetX509Store(self, store);
@@ -331,6 +334,7 @@ ossl_x509store_set_time(VALUE self, VALUE time)
     X509_STORE *store;
     X509_VERIFY_PARAM *param;
 
+    rb_check_frozen(self);
     GetX509Store(self, store);
 #ifdef HAVE_X509_STORE_GET0_PARAM
     param = X509_STORE_get0_param(store);
@@ -358,6 +362,7 @@ ossl_x509store_add_file(VALUE self, VALUE file)
     X509_LOOKUP *lookup;
     const char *path;
 
+    rb_check_frozen(self);
     GetX509Store(self, store);
     path = StringValueCStr(file);
     lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
@@ -393,6 +398,7 @@ ossl_x509store_add_path(VALUE self, VALUE dir)
     X509_LOOKUP *lookup;
     const char *path;
 
+    rb_check_frozen(self);
     GetX509Store(self, store);
     path = StringValueCStr(dir);
     lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
@@ -422,6 +428,7 @@ ossl_x509store_set_default_paths(VALUE self)
 {
     X509_STORE *store;
 
+    rb_check_frozen(self);
     GetX509Store(self, store);
     if (X509_STORE_set_default_paths(store) != 1)
         ossl_raise(eX509StoreError, "X509_STORE_set_default_paths");
@@ -443,6 +450,7 @@ ossl_x509store_add_cert(VALUE self, VALUE arg)
     X509_STORE *store;
     X509 *cert;
 
+    rb_check_frozen(self);
     cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
     GetX509Store(self, store);
     if (X509_STORE_add_cert(store, cert) != 1)
@@ -465,6 +473,7 @@ ossl_x509store_add_crl(VALUE self, VALUE arg)
     X509_STORE *store;
     X509_CRL *crl;
 
+    rb_check_frozen(self);
     crl = GetX509CRLPtr(arg); /* NO NEED TO DUP */
     GetX509Store(self, store);
     if (X509_STORE_add_crl(store, crl) != 1)
@@ -498,6 +507,7 @@ ossl_x509store_verify(int argc, VALUE *argv, VALUE self)
     VALUE cert, chain;
     VALUE ctx, proc, result;
 
+    rb_check_frozen(self);
     rb_scan_args(argc, argv, "11", &cert, &chain);
     ctx = rb_funcall(cX509StoreContext, rb_intern("new"), 3, self, cert, chain);
     proc = rb_block_given_p() ?  rb_block_proc() :
@@ -695,6 +705,7 @@ ossl_x509stctx_set_error(VALUE self, VALUE err)
 {
     X509_STORE_CTX *ctx;
 
+    rb_check_frozen(self);
     GetX509StCtx(self, ctx);
     X509_STORE_CTX_set_error(ctx, NUM2INT(err));
 
@@ -793,6 +804,7 @@ static VALUE
 ossl_x509stctx_set_flags(VALUE self, VALUE flags)
 {
     X509_STORE_CTX *store;
+    rb_check_frozen(self);
     long f = NUM2LONG(flags);
 
     GetX509StCtx(self, store);
@@ -814,6 +826,7 @@ static VALUE
 ossl_x509stctx_set_purpose(VALUE self, VALUE purpose)
 {
     X509_STORE_CTX *store;
+    rb_check_frozen(self);
     int p = NUM2INT(purpose);
 
     GetX509StCtx(self, store);
@@ -835,6 +848,7 @@ static VALUE
 ossl_x509stctx_set_trust(VALUE self, VALUE trust)
 {
     X509_STORE_CTX *store;
+    rb_check_frozen(self);
     int t = NUM2INT(trust);
 
     GetX509StCtx(self, store);
@@ -857,6 +871,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
     X509_STORE_CTX *store;
     long t;
 
+    rb_check_frozen(self);
     t = NUM2LONG(rb_Integer(time));
     GetX509StCtx(self, store);
     X509_STORE_CTX_set_time(store, 0, t);
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index d6c0e707a..06761de91 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -91,6 +91,13 @@ def test_verify_simple
     assert_match(/ok/i, store.error_string)
     assert_equal(OpenSSL::X509::V_OK, store.error)
     assert_equal([ee1_cert, ca2_cert, ca1_cert], store.chain)
+
+    # frozen, operation invalid
+    store = OpenSSL::X509::Store.new
+    store.freeze
+    assert_raise(FrozenError) do
+      store.verify(ee1_cert, [ca2_cert, ca1_cert])
+    end
   end
 
   def test_verify_callback