From jor...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl ssl_engine_init.c
Date Wed, 10 Nov 2004 11:49:38 GMT
jorton      2004/11/10 03:49:38

  Modified:    modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_init.c
  Log:
  Backport from HEAD:
  
  * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
  (rather than segfault later) if a client cert is configured which is
  missing either the certificate or private key.
  
  PR: 24030
  Reviewed by: jorton, minfrin, jerenkrantz, wrowe
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.106.2.15 +24 -10    httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.106.2.14
  retrieving revision 1.106.2.15
  diff -d -w -u -r1.106.2.14 -r1.106.2.15
  --- ssl_engine_init.c	10 Nov 2004 11:42:05 -0000	1.106.2.14
  +++ ssl_engine_init.c	10 Nov 2004 11:49:37 -0000	1.106.2.15
  @@ -892,7 +892,7 @@
                                    apr_pool_t *ptemp,
                                    modssl_ctx_t *mctx)
   {
  -    int ncerts = 0;
  +    int n, ncerts = 0;
       STACK_OF(X509_INFO) *sk;
       modssl_pk_proxy_t *pkp = mctx->pkp;
   
  @@ -913,18 +913,32 @@
           SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
       }
   
  -    if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
  -        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
  -                     "loaded %d client certs for SSL proxy",
  -                     ncerts);
  -
  -        pkp->certs = sk;
  -    }
  -    else {
  +    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
  +        sk_X509_INFO_free(sk);
           ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                        "no client certs found for SSL proxy");
  +        return;
  +    }
  +
  +    /* Check that all client certs have got certificates and private
  +     * keys. */
  +    for (n = 0; n < ncerts; n++) {
  +        X509_INFO *inf = sk_X509_INFO_value(sk, n);
  +
  +        if (!inf->x509 || !inf->x_pkey) {
           sk_X509_INFO_free(sk);
  +            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
  +                         "incomplete client cert configured for SSL proxy "
  +                         "(missing or encrypted private key?)");
  +            ssl_die();
  +            return;
       }
  +    }
  +
  +    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
  +                 "loaded %d client certs for SSL proxy",
  +                 ncerts);
  +    pkp->certs = sk;
   }
   
   static void ssl_init_proxy_ctx(server_rec *s,
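Review bot: The new check at `if (!inf->x509 || !inf->x_pkey)` tests only that an X509_PKEY object is attached, not that it holds a usable key, so the "encrypted private key?" case named in the log message is not actually caught. As far as I recall, PEM_X509_INFO_read_bio leaves x_pkey non-NULL for an encrypted key and stores the ciphertext in enc_data with dec_pkey NULL, which means such a configuration still passes here and the segfault the commit aims to avoid is only deferred to where dec_pkey is dereferenced. Extending the guard to `if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {` would make the check match the message; please confirm against the OpenSSL version the branch builds with. Note the check also accepts a key that does not pair with its certificate, which would surface later rather than at startup. The enclosing ssl_init_proxy_certs starts outside this hunk.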
  
  
  
