From: Kaspar Brand Date: Sun, 27 Sep 2015 14:08:16 +0000 (+0000) Subject: deduplicate the code handling the directory traversal for the X-Git-Tag: 2.5.0-alpha~2800 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=908587e75f8ec45a9e9697380b3175af3604ca3d;p=apache deduplicate the code handling the directory traversal for the SSL[Proxy]CACertificatePath and SSLProxyMachineCertificatePath directives git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705539 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index fcda4fbdf7..8dda133d7c 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -31,6 +31,9 @@ #include "mod_ssl_openssl.h" #include "mpm_common.h" +static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *, + STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *); + APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx), (s,p,is_proxy,ctx), OK, DECLINED) @@ -1354,26 +1357,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, } if (pkp->cert_path) { - apr_dir_t *dir; - apr_finfo_t dirent; - apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; - - if (apr_dir_open(&dir, pkp->cert_path, ptemp) == APR_SUCCESS) { - while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) { - const char *fullname; - - if (dirent.filetype == APR_DIR) { - continue; /* don't try to load directories */ - } - - fullname = apr_pstrcat(ptemp, - pkp->cert_path, "/", dirent.name, - NULL); - load_x509_info(ptemp, sk, fullname); - } - - apr_dir_close(dir); - } + ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk); } if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { @@ -1781,6 +1765,40 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, sk_X509_NAME_free(sk); } +static apr_status_t ssl_init_ca_cert_path(server_rec *s, + apr_pool_t *ptemp, + const char *path, + STACK_OF(X509_NAME) *ca_list, + STACK_OF(X509_INFO) *xi_list) +{ + apr_dir_t *dir; + apr_finfo_t direntry; + apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; + + if (!path || (!ca_list && !xi_list) || + (apr_dir_open(&dir, path, ptemp) != APR_SUCCESS)) { + return APR_EGENERAL; + } + + while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) { + const char *file; + if (direntry.filetype == APR_DIR) { + continue; /* don't try to load directories */ + } + file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL); + if (ca_list) { + ssl_init_PushCAList(ca_list, s, ptemp, file); + } + if (xi_list) { + load_x509_info(ptemp, xi_list, file); + } + } + + apr_dir_close(dir); + + return APR_SUCCESS; +} + STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *ptemp, const char *ca_file, @@ -1813,30 +1831,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, /* * Process CA certificate path files */ - if (ca_path) { - apr_dir_t *dir; - apr_finfo_t direntry; - apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; - apr_status_t rv; - - if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211) - "Failed to open Certificate Path `%s'", - ca_path); - sk_X509_NAME_pop_free(ca_list, X509_NAME_free); - return NULL; - } - - while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) { - const char *file; - if (direntry.filetype == APR_DIR) { - continue; /* don't try to load directories */ - } - file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL); - ssl_init_PushCAList(ca_list, s, ptemp, file); - } - - apr_dir_close(dir); + if (ca_path && + ssl_init_ca_cert_path(s, ptemp, + ca_path, ca_list, NULL) != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02211) + "Failed to open Certificate Path `%s'", ca_path); + sk_X509_NAME_pop_free(ca_list, X509_NAME_free); + return NULL; } /*