|
|
00df7d |
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
|
00df7d |
index 57b76c0..814ec4f 100644
|
|
|
00df7d |
--- a/modules/ssl/ssl_engine_init.c
|
|
|
00df7d |
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
00df7d |
@@ -1522,70 +1522,18 @@ void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_poo
|
|
|
00df7d |
}
|
|
|
00df7d |
}
|
|
|
00df7d |
|
|
|
00df7d |
-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
|
|
|
00df7d |
- const X509_NAME * const *b)
|
|
|
00df7d |
-{
|
|
|
00df7d |
- return(X509_NAME_cmp(*a, *b));
|
|
|
00df7d |
-}
|
|
|
00df7d |
-
|
|
|
00df7d |
-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
|
|
|
00df7d |
- server_rec *s, apr_pool_t *ptemp,
|
|
|
00df7d |
- const char *file)
|
|
|
00df7d |
-{
|
|
|
00df7d |
- int n;
|
|
|
00df7d |
- STACK_OF(X509_NAME) *sk;
|
|
|
00df7d |
-
|
|
|
00df7d |
- sk = (STACK_OF(X509_NAME) *)
|
|
|
00df7d |
- SSL_load_client_CA_file(file);
|
|
|
00df7d |
-
|
|
|
00df7d |
- if (!sk) {
|
|
|
00df7d |
- return;
|
|
|
00df7d |
- }
|
|
|
00df7d |
-
|
|
|
00df7d |
- for (n = 0; n < sk_X509_NAME_num(sk); n++) {
|
|
|
00df7d |
- X509_NAME *name = sk_X509_NAME_value(sk, n);
|
|
|
00df7d |
-
|
|
|
00df7d |
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
|
|
|
00df7d |
- "CA certificate: %s",
|
|
|
00df7d |
- SSL_X509_NAME_to_string(ptemp, name, 0));
|
|
|
00df7d |
-
|
|
|
00df7d |
- /*
|
|
|
00df7d |
- * note that SSL_load_client_CA_file() checks for duplicates,
|
|
|
00df7d |
- * but since we call it multiple times when reading a directory
|
|
|
00df7d |
- * we must also check for duplicates ourselves.
|
|
|
00df7d |
- */
|
|
|
00df7d |
-
|
|
|
00df7d |
- if (sk_X509_NAME_find(ca_list, name) < 0) {
|
|
|
00df7d |
- /* this will be freed when ca_list is */
|
|
|
00df7d |
- sk_X509_NAME_push(ca_list, name);
|
|
|
00df7d |
- }
|
|
|
00df7d |
- else {
|
|
|
00df7d |
- /* need to free this ourselves, else it will leak */
|
|
|
00df7d |
- X509_NAME_free(name);
|
|
|
00df7d |
- }
|
|
|
00df7d |
- }
|
|
|
00df7d |
-
|
|
|
00df7d |
- sk_X509_NAME_free(sk);
|
|
|
00df7d |
-}
|
|
|
00df7d |
-
|
|
|
00df7d |
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
|
|
|
00df7d |
apr_pool_t *ptemp,
|
|
|
00df7d |
const char *ca_file,
|
|
|
00df7d |
const char *ca_path)
|
|
|
00df7d |
{
|
|
|
00df7d |
- STACK_OF(X509_NAME) *ca_list;
|
|
|
00df7d |
-
|
|
|
00df7d |
- /*
|
|
|
00df7d |
- * Start with a empty stack/list where new
|
|
|
00df7d |
- * entries get added in sorted order.
|
|
|
00df7d |
- */
|
|
|
00df7d |
- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
|
|
|
00df7d |
+ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
|
|
|
00df7d |
|
|
|
00df7d |
/*
|
|
|
00df7d |
* Process CA certificate bundle file
|
|
|
00df7d |
*/
|
|
|
00df7d |
if (ca_file) {
|
|
|
00df7d |
- ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
|
|
|
00df7d |
+ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
|
|
|
00df7d |
/*
|
|
|
00df7d |
* If ca_list is still empty after trying to load ca_file
|
|
|
00df7d |
* then the file failed to load, and users should hear about that.
|
|
|
00df7d |
@@ -1619,17 +1567,12 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
|
|
|
00df7d |
continue; /* don't try to load directories */
|
|
|
00df7d |
}
|
|
|
00df7d |
file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL);
|
|
|
00df7d |
- ssl_init_PushCAList(ca_list, s, ptemp, file);
|
|
|
00df7d |
+ SSL_add_file_cert_subjects_to_stack(ca_list, file);
|
|
|
00df7d |
}
|
|
|
00df7d |
|
|
|
00df7d |
apr_dir_close(dir);
|
|
|
00df7d |
}
|
|
|
00df7d |
|
|
|
00df7d |
- /*
|
|
|
00df7d |
- * Cleanup
|
|
|
00df7d |
- */
|
|
|
00df7d |
- (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
|
|
|
00df7d |
-
|
|
|
00df7d |
return ca_list;
|
|
|
00df7d |
}
|
|
|
00df7d |
|