| 1 |
fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded |
| 2 |
|
| 3 |
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the |
| 4 |
file extension was '.0'. However the file name should be 8 letters long |
| 5 |
certificate hash of the certificate subject name, followed by a numeric |
| 6 |
suffix which is used to differentiate between two certificates with the |
| 7 |
same subject name. |
| 8 |
|
| 9 |
Wit this patch, certificate file names are matched correctly (using |
| 10 |
regular expressions). |
| 11 |
|
| 12 |
Author: Jan Vcelak <jvcelak@redhat.com> |
| 13 |
Upstream ITS: #7374 |
| 14 |
Resolves: #811468 |
| 15 |
|
| 16 |
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c |
| 17 |
index 5e49fc5..61d71d4 100644 |
| 18 |
--- a/libraries/libldap/tls_m.c |
| 19 |
+++ b/libraries/libldap/tls_m.c |
| 20 |
@@ -38,6 +38,7 @@ |
| 21 |
#include <ac/unistd.h> |
| 22 |
#include <ac/param.h> |
| 23 |
#include <ac/dirent.h> |
| 24 |
+#include <ac/regex.h> |
| 25 |
|
| 26 |
#include "ldap-int.h" |
| 27 |
#include "ldap-tls.h" |
| 28 |
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods; |
| 29 |
|
| 30 |
#define PEM_LIBRARY "nsspem" |
| 31 |
#define PEM_MODULE "PEM" |
| 32 |
-/* hash files for use with cacertdir have this file name suffix */ |
| 33 |
-#define PEM_CA_HASH_FILE_SUFFIX ".0" |
| 34 |
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2 |
| 35 |
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$" |
| 36 |
|
| 37 |
static SECMODModule *pem_module; |
| 38 |
|
| 39 |
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir |
| 40 |
PRDir *dir; |
| 41 |
PRDirEntry *entry; |
| 42 |
PRStatus fistatus = PR_FAILURE; |
| 43 |
+ regex_t hashfile_re; |
| 44 |
|
| 45 |
memset( &fi, 0, sizeof(fi) ); |
| 46 |
fistatus = PR_GetFileInfo( cacertdir, &fi ); |
| 47 |
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir |
| 48 |
goto done; |
| 49 |
} |
| 50 |
|
| 51 |
+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) { |
| 52 |
+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 ); |
| 53 |
+ goto done; |
| 54 |
+ } |
| 55 |
+ |
| 56 |
do { |
| 57 |
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); |
| 58 |
if ( ( NULL != entry ) && ( NULL != entry->name ) ) { |
| 59 |
char *fullpath = NULL; |
| 60 |
- char *ptr; |
| 61 |
+ int match; |
| 62 |
|
| 63 |
- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX ); |
| 64 |
- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) { |
| 65 |
+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 ); |
| 66 |
+ if ( match == REG_NOMATCH ) { |
| 67 |
Debug( LDAP_DEBUG_TRACE, |
| 68 |
- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate " |
| 69 |
- "directory file with a properly hashed file name - skipping.\n", |
| 70 |
- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 ); |
| 71 |
+ "TLS: skipping '%s' - filename does not have expected format " |
| 72 |
+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 ); |
| 73 |
+ continue; |
| 74 |
+ } else if ( match != 0 ) { |
| 75 |
+ Debug( LDAP_DEBUG_ANY, |
| 76 |
+ "TLS: cannot execute regex for CA hash file matching (%d).\n", |
| 77 |
+ match, 0, 0 ); |
| 78 |
continue; |
| 79 |
} |
| 80 |
+ |
| 81 |
fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); |
| 82 |
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { |
| 83 |
Debug( LDAP_DEBUG_TRACE, |
| 84 |
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir |
| 85 |
PR_smprintf_free( fullpath ); |
| 86 |
} |
| 87 |
} while ( NULL != entry ); |
| 88 |
+ regfree ( &hashfile_re ); |
| 89 |
PR_CloseDir( dir ); |
| 90 |
} |
| 91 |
done: |
| 92 |
-- |
| 93 |
1.7.11.4 |
| 94 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
