Attachment 607923 Details for Bug 811468 – proposed patch

[patch] proposed patch

jvcelak-20120829-moznss-beter-file-name-matching-for-hashed-cacertdir.patch (text/plain), 3.40 KB, created by Jan Vcelak on 2012-08-29 14:46:38 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jan Vcelak

Created: 2012-08-29 14:46:38 UTC

Size: 3.40 KB

patch

obsolete

>From 1682f17f347f4d025ccd111985296a18b30e7f32 Mon Sep 17 00:00:00 2001
>From: Jan Vcelak <jvcelak@redhat.com>
>Date: Wed, 29 Aug 2012 16:23:52 +0200
>Subject: [PATCH] MozNSS: better file name matching for hashed CA certificate
> directory
>
>CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
>file extension was '.0'. However the file name should be 8 letters long
>certificate hash of the certificate subject name, followed by a numeric
>suffix which is used to differentiate between two certificates with the
>same subject name.
>
>Wit this patch, certificate file names are matched correctly (using
>regular expressions).
>---
> libraries/libldap/tls_m.c | 29 ++++++++++++++++++++---------
> 1 file changed, 20 insertions(+), 9 deletions(-)
>
>diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
>index 1422ce2..215a79c 100644
>--- a/libraries/libldap/tls_m.c
>+++ b/libraries/libldap/tls_m.c
>@@ -38,6 +38,7 @@
> #include <ac/unistd.h>
> #include <ac/param.h>
> #include <ac/dirent.h>
>+#include <ac/regex.h>
> 
> #include "ldap-int.h"
> #include "ldap-tls.h"
>@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
> 
> #define PEM_LIBRARY	"nsspem"
> #define PEM_MODULE	"PEM"
>-/* hash files for use with cacertdir have this file name suffix */
>-#define PEM_CA_HASH_FILE_SUFFIX	".0"
>-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
>+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
> 
> static SECMODModule *pem_module;
> 
>@@ -1471,6 +1470,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
> 		PRDir *dir;
> 		PRDirEntry *entry;
> 		PRStatus fistatus = PR_FAILURE;
>+		regex_t hashfile_re;
> 
> 		memset( &fi, 0, sizeof(fi) );
> 		fistatus = PR_GetFileInfo( cacertdir, &fi );
>@@ -1500,20 +1500,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
> 			goto done;
> 		}
> 
>+		if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
>+			Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
>+			goto done;
>+		}
>+
> 		do {
> 			entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
> 			if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
> 				char *fullpath = NULL;
>-				char *ptr;
>+				int match;
> 
>-				ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
>-				if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
>+				match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
>+				if ( match == REG_NOMATCH ) {
> 					Debug( LDAP_DEBUG_TRACE,
>-						   "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
>-						   "directory file with a properly hashed file name - skipping.\n",
>-						   entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
>+						   "TLS: skipping '%s' - filename does not have expected format "
>+						   "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
>+					continue;
>+				} else if ( match != 0 ) {
>+					Debug( LDAP_DEBUG_ANY,
>+						   "TLS: cannot execute regex for CA hash file matching (%d).\n",
>+						   match, 0, 0 );
> 					continue;
> 				}
>+
> 				fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
> 				if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
> 					Debug( LDAP_DEBUG_TRACE,
>@@ -1529,6 +1539,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
> 				PR_smprintf_free( fullpath );
> 			}
> 		} while ( NULL != entry );
>+		regfree ( &hashfile_re );
> 		PR_CloseDir( dir );
> 	}
> done:
>-- 
>1.7.11.4
>

Actions: View | Diff

Attachments on bug 811468: 607923