From: Joe Orton
Date: Tue, 25 Nov 2003 12:35:45 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1e2d0c4ecf8109d44d28cd8cefe0c26801fb640;p=thirdparty%2Fapache%2Fhttpd.git
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early (rather than segfault later) if a client cert is configured which is missing either the certificate or private key.
PR: 24030
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@101878 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/ssl_engine_init.c b/ssl_engine_init.c
index 2885925dae6..f5ab29560d9 100644
--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
@@ -913,7 +913,7 @@ static void ssl_init_proxy_certs(server_rec *s,
 apr_pool_t *ptemp,
 modssl_ctx_t *mctx)
 {
- int ncerts = 0;
+ int n, ncerts = 0;
 STACK_OF(X509_INFO) *sk;
 modssl_pk_proxy_t *pkp = mctx->pkp;
 
@@ -934,18 +934,32 @@ static void ssl_init_proxy_certs(server_rec *s,
 SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
 }
 
- if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "loaded %d client certs for SSL proxy",
- ncerts);
-
- pkp->certs = sk;
- }
- else {
+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+ sk_X509_INFO_free(sk);
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
 "no client certs found for SSL proxy");
- sk_X509_INFO_free(sk);
+ return;
 }
+
+ /* Check that all client certs have got certificates and private
+ * keys. */
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+ if (!inf->x509 || !inf->x_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+ "incomplete client cert configured for SSL proxy "
+ "(missing or encrypted private key?)");
+ ssl_die();
+ return;
+ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "loaded %d client certs for SSL proxy",
+ ncerts);
+ pkp->certs = sk;
 }
 
 static void ssl_init_proxy_ctx(server_rec *s,
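Review bot: The new guard `if (!inf->x509 || !inf->x_pkey)` does not cover the encrypted-key case that its own log message names: as far as I recall OpenSSL's PEM_X509_INFO_read_bio, an encrypted PEM private key still yields an X509_INFO with a non-NULL x_pkey whose dec_pkey stays NULL (the key is kept undecoded), so such a configuration passes this loop and the NULL dec_pkey is handed to whatever later consumes it — the crash this commit sets out to turn into a startup failure. Widening the check to `if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {` would reject that case at the same point, with the same message. The `return;` after `ssl_die();` is unreachable if ssl_die() does not return, which is harmless but worth a comment such as `/* not reached */`. The header of ssl_init_proxy_certs is in the previous hunk, outside this one.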