From: Joe Orton Date: Mon, 12 Feb 2024 08:37:35 +0000 (+0000) Subject: Merge r1825120 from trunk: X-Git-Tag: 2.4.59-rc1-candidate~64 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d02cfc9f8b9933e7863c7831204b36eb3329d6b4;p=thirdparty%2Fapache%2Fhttpd.git Merge r1825120 from trunk: * modules/ssl/ssl_engine_init.c (ssl_init_PushCAList): Remove function. (ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack() instead. [Edit: This does change behaviour: the acceptable client CA list is now always sent in sorted order rather than configured/file order. In the case of SSLCACertificatePath and SSLCADNRequestPath, the order will be stable rather than non-deterministic as previously.] PR: 61574 Github: closes #406 Reviewed by: jorton, jfclere, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1915740 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/changes-entries/pr61574.txt b/changes-entries/pr61574.txt new file mode 100644 index 00000000000..784b505e936 --- /dev/null +++ b/changes-entries/pr61574.txt @@ -0,0 +1,4 @@ + *) mod_ssl: Use OpenSSL-standard functions to assemble CA + name lists for SSLCACertificatePath/SSLCADNRequestPath. + Names will now be consistently sorted. PR 61574. + [Joe Orton] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 0fdef2d1063..8b03e416db8 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
@@ -2248,46 +2248,6 @@ static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
 return(X509_NAME_cmp(*a, *b));
 }
 
-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
- server_rec *s, apr_pool_t *ptemp,
- const char *file)
-{
- int n;
- STACK_OF(X509_NAME) *sk;
-
- sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(file);
-
- if (!sk) {
- return;
- }
-
- for (n = 0; n < sk_X509_NAME_num(sk); n++) {
- X509_NAME *name = sk_X509_NAME_value(sk, n);
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
- "CA certificate: %s",
- modssl_X509_NAME_to_string(ptemp, name, 0));
-
- /*
- * note that SSL_load_client_CA_file() checks for duplicates,
- * but since we call it multiple times when reading a directory
- * we must also check for duplicates ourselves.
- */
-
- if (sk_X509_NAME_find(ca_list, name) < 0) {
- /* this will be freed when ca_list is */
- sk_X509_NAME_push(ca_list, name);
- }
- else {
- /* need to free this ourselves, else it will leak */
- X509_NAME_free(name);
- }
- }
-
- sk_X509_NAME_free(sk);
-}
-
 static apr_status_t ssl_init_ca_cert_path(server_rec *s,
 apr_pool_t *ptemp,
 const char *path,
@@ -2310,7 +2270,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
 }
 file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
 if (ca_list) {
- ssl_init_PushCAList(ca_list, s, ptemp, file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, file);
 }
 if (xi_list) {
 load_x509_info(ptemp, xi_list, file);
@@ -2339,7 +2299,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
 * Process CA certificate bundle file
 */
 if (ca_file) {
- ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
 /*
 * If ca_list is still empty after trying to load ca_file
 * then the file failed to load, and users should hear about that.
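Review bot: The return value of SSL_add_file_cert_subjects_to_stack() is dropped in the directory loop of ssl_init_ca_cert_path (second hunk), so a file under SSLCACertificatePath that cannot be opened or parsed is skipped without any trace; the removed helper did not report failure either, but it at least logged every accepted subject at debug level (APLOGNO(02209)), and that visibility to the operator is gone as well. The OpenSSL function returns 0 on failure, and as far as I recall how much of a malformed PEM file it tolerates before stopping has differed between OpenSSL releases, so I would check the result and log it, e.g. `if (!SSL_add_file_cert_subjects_to_stack(ca_list, file)) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(nnnnn) "failed to load CA names from %s", file);` with a fresh APLOGNO tag and a debug-level dump of the names added if the old diagnostics are still wanted. The same applies to the ca_file call in the last hunk: the emptiness check described in the comment that follows it only detects total failure, not a bundle whose loading stopped part-way through. Both ssl_init_ca_cert_path and ssl_init_FindCAList start and end outside their hunks.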