From: Doug MacEachern
Date: Thu, 28 Feb 2002 04:00:51 +0000 (+0000)
Subject: need to free X509_NAME duplicates already found in the stack built by
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dc316c24962616defff67e69802bf68fdbcb7b6e;p=apache
need to free X509_NAME duplicates already found in the stack built by ssl_init_FindCAList().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93626 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 56c57dbab0..0c2ab1501c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -870,17 +870,26 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
 */
 skCAList = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
+ /*
+ * note that SSL_load_client_CA_file() checks for duplicates,
+ * but since we call it multiple times when reading a directory
+ * we must also check for duplicates ourselves.
+ */
+
 /*
 * Process CA certificate bundle file
 */
 if (cpCAfile != NULL) {
 sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
 for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
+ X509_NAME *name = sk_X509_NAME_value(sk, n);
 ssl_log(s, SSL_LOG_TRACE, "CA certificate: %s",
- X509_NAME_oneline(sk_X509_NAME_value(sk, n), NULL, 0));
- if (sk_X509_NAME_find(skCAList, sk_X509_NAME_value(sk, n)) < 0)
- sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
+ X509_NAME_oneline(name, NULL, 0));
+ if (sk_X509_NAME_find(skCAList, name) < 0)
+ sk_X509_NAME_push(skCAList, name); /* this will be freed when skCAList is */
+ else
+ X509_NAME_free(name);
 }
 sk_X509_NAME_free(sk);
 }
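Review bot: The string returned by `X509_NAME_oneline(name, NULL, 0)` in the `ssl_log` call is never released. With a NULL buffer OpenSSL allocates the result and leaves it to the caller to free, and nothing in the hunk does so, so each certificate read still leaks one string even though the duplicate names are now freed. Formatting into a local buffer avoids the allocation: declare `char name_buf[256];` beside `name` and pass `X509_NAME_oneline(name, name_buf, sizeof(name_buf))` as the log argument. The directory loop in the second hunk makes the same call. ssl_init_FindCAList starts and ends outside the hunk.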
@@ -894,11 +903,14 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
 cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
 sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
 for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
+ X509_NAME *name = sk_X509_NAME_value(sk, n);
 ssl_log(s, SSL_LOG_TRACE, "CA certificate: %s",
- X509_NAME_oneline(sk_X509_NAME_value(sk, n), NULL, 0));
- if (sk_X509_NAME_find(skCAList, sk_X509_NAME_value(sk, n)) < 0)
- sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
+ X509_NAME_oneline(name, NULL, 0));
+ if (sk_X509_NAME_find(skCAList, name) < 0)
+ sk_X509_NAME_push(skCAList, name); /* this will be freed when skCAList is */
+ else
+ X509_NAME_free(name);
 }
 sk_X509_NAME_free(sk);
 }
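Review bot: The loop body here is a line-for-line copy of the one in the cpCAfile branch, so the rule that every name is either handed to skCAList or freed now has to be kept right in two places. A single static helper taking the file name and skCAList would hold that rule once. That helper is also the place to handle a failed push, `if (!sk_X509_NAME_push(skCAList, name)) X509_NAME_free(name);`, because `sk_X509_NAME_free(sk)` releases only the container and a name that was not pushed is otherwise left without an owner. The enclosing directory-reading loop starts outside the hunk.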