From: Ruediger Pluem Date: Fri, 26 Aug 2011 13:07:49 +0000 (+0000) Subject: * Don't SEGFAULT if SSLProxyMachineCertificateChainFile is not set. Just skip the... X-Git-Tag: 2.3.15~346 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e63cd2cc79998a656cb5a97a91e50ce763b211e9;p=thirdparty%2Fapache%2Fhttpd.git * Don't SEGFAULT if SSLProxyMachineCertificateChainFile is not set. Just skip the additional lookups in this case. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1162103 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 9ed669dc2b7..4cb918690f1 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1803,6 +1803,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 STACK_OF(X509_NAME) *ca_list;
 STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
 STACK_OF(X509_INFO) *ca_certs;
+ STACK_OF(X509_INFO) **ca_cert_chains;
 int i, j, k;
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
@@ -1833,6 +1834,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 return TRUE;
 }
+ ca_cert_chains = sc->proxy->pkp->ca_certs;
 for (i = 0; i < sk_X509_NAME_num(ca_list); i++) {
 ca_name = sk_X509_NAME_value(ca_list, i);
@@ -1849,20 +1851,25 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 return TRUE;
 }
- /* Failed to find direct issuer - search intermediaries (by issuer name) */
- ca_certs = sc->proxy->pkp->ca_certs[j];
- for (k = 0; k < sk_X509_INFO_num(ca_certs); k++) {
- ca_info = sk_X509_INFO_value(ca_certs, k);
- ca_issuer = X509_get_issuer_name(ca_info->x509);
-
- if(X509_NAME_cmp(ca_issuer, ca_name) == 0 ) {
- modssl_proxy_info_log(s, info, "found acceptable cert by intermediary");
+ if (ca_cert_chains) {
+ /*
+ * Failed to find direct issuer - search intermediaries
+ * (by issuer name), if provided.
+ */
+ ca_certs = ca_cert_chains[j];
+ for (k = 0; k < sk_X509_INFO_num(ca_certs); k++) {
+ ca_info = sk_X509_INFO_value(ca_certs, k);
+ ca_issuer = X509_get_issuer_name(ca_info->x509);
- modssl_set_cert_info(info, x509, pkey);
+ if(X509_NAME_cmp(ca_issuer, ca_name) == 0 ) {
+ modssl_proxy_info_log(s, info, "found acceptable cert by intermediary");
- return TRUE;
- }
- } /* end loop through chained certs */
+ modssl_set_cert_info(info, x509, pkey);
+
+ return TRUE;
+ }
+ } /* end loop through chained certs */
+ }
 } /* end loop through available certs */
 }
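Review bot: The added `if (ca_cert_chains)` guard tests only the array pointer; `ca_certs = ca_cert_chains[j];` still assumes the array holds one entry for every index `j` of the enclosing loop, which by its closing comment iterates the available certs and starts outside this hunk. Nothing visible states that invariant, so a comment at the assignment in the second hunk would help, for example `/* NULL when no chain file is configured; otherwise parallel to certs (same index) */`. A NULL entry looks harmless because `sk_X509_INFO_num()` returns -1 for a NULL stack and the `k` loop is then skipped, but `ca_info->x509` reaches `X509_get_issuer_name()` unchecked, so it is worth confirming that the code populating the chains never stores an entry without a certificate. Since the function already logs at `APLOG_DEBUG`, a one-line debug message on the skipped path would make the "no chain file" case visible when a backend's client-certificate request goes unanswered.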