[Privoxy-commits] [privoxy] 16/26: Factor out enforce_sane_certificate_state()

Mon Jan 18 13:32:24 UTC 2021

This is an automated email from the git hooks/post-receive script.

git pushed a commit to branch master
in repository privoxy.

commit e6c7a0409aed822fc6a8ad8028b7e7bde0b711ac
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Sat Jan 16 14:52:55 2021 +0100

    Factor out enforce_sane_certificate_state()
---
 openssl.c    | 28 +++++++++-------------------
 ssl.c        | 28 +++++++++-------------------
 ssl_common.c | 35 +++++++++++++++++++++++++++++++++++
 ssl_common.h |  1 +
 4 files changed, 54 insertions(+), 38 deletions(-)

diff --git a/openssl.c b/openssl.c
index e6973103..d27f9187 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1764,6 +1764,15 @@ static int generate_host_certificate(struct client_state *csp)
       return -1;
    }
 
+   if (enforce_sane_certificate_state(cert_opt.output_file,
+         cert_opt.subject_key))
+   {
+      freez(cert_opt.output_file);
+      freez(cert_opt.subject_key);
+
+      return -1;
+   }
+
    if (file_exists(cert_opt.output_file) == 1)
    {
       /* The file exists, but is it valid? */
@@ -1802,25 +1811,6 @@ static int generate_host_certificate(struct client_state *csp)
       }
    }
 
-   if (file_exists(cert_opt.output_file) == 0 &&
-       file_exists(cert_opt.subject_key) == 1)
-   {
-      log_error(LOG_LEVEL_ERROR,
-         "A website key already exists but there's no matching certificate. "
-         "Removing %s before creating a new key and certificate.",
-         cert_opt.subject_key);
-      if (unlink(cert_opt.subject_key))
-      {
-         log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
-            cert_opt.subject_key);
-
-         freez(cert_opt.output_file);
-         freez(cert_opt.subject_key);
-
-         return -1;
-      }
-   }
-
    /*
     * Create key for requested host
     */
diff --git a/ssl.c b/ssl.c
index 58f0bb3b..ebcac3f2 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1310,6 +1310,15 @@ static int generate_host_certificate(struct client_state *csp)
       return -1;
    }
 
+   if (enforce_sane_certificate_state(cert_opt.output_file,
+         cert_opt.subject_key))
+   {
+      freez(cert_opt.output_file);
+      freez(cert_opt.subject_key);
+
+      return -1;
+   }
+
    if (file_exists(cert_opt.output_file) == 1)
    {
       /* The file exists, but is it valid? */
@@ -1348,25 +1357,6 @@ static int generate_host_certificate(struct client_state *csp)
       }
    }
 
-   if (file_exists(cert_opt.output_file) == 0 &&
-       file_exists(cert_opt.subject_key) == 1)
-   {
-      log_error(LOG_LEVEL_ERROR,
-         "A website key already exists but there's no matching certificate. "
-         "Removing %s before creating a new key and certificate.",
-         cert_opt.subject_key);
-      if (unlink(cert_opt.subject_key))
-      {
-         log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
-            cert_opt.subject_key);
-
-         freez(cert_opt.output_file);
-         freez(cert_opt.subject_key);
-
-         return -1;
-      }
-   }
-
    /*
     * Create key for requested host
     */
diff --git a/ssl_common.c b/ssl_common.c
index 41f05757..6d2e11f6 100644
--- a/ssl_common.c
+++ b/ssl_common.c
@@ -31,6 +31,7 @@
 #include <string.h>
 
 #include <ctype.h>
+#include <unistd.h>
 #include "config.h"
 #include "project.h"
 #include "miscutil.h"
@@ -698,3 +699,37 @@ extern int host_is_ip_address(const char *host)
    return 1;
 
 }
+
+
+/*********************************************************************
+ *
+ * Function    :  enforce_sane_certificate_state
+ *
+ * Description :  Makes sure the certificate state is sane.
+ *
+ * Parameters  :
+ *          1  :  certificate = Path to the potentionally existing certifcate.
+ *          2  :  key = Path to the potentionally existing key.
+ *
+ * Returns     :   -1 => Error
+ *                 0 => Certificate state is sane
+ *
+ *********************************************************************/
+extern int enforce_sane_certificate_state(const char *certificate, const char *key)
+{
+   if (file_exists(certificate) == 0 && file_exists(key) == 1)
+   {
+      log_error(LOG_LEVEL_ERROR,
+         "A website key already exists but there's no matching certificate. "
+         "Removing %s before creating a new key and certificate.", key);
+      if (unlink(key))
+      {
+         log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E", key);
+
+         return -1;
+      }
+   }
+
+   return 0;
+
+}
diff --git a/ssl_common.h b/ssl_common.h
index 3caa17cf..5075ca8e 100644
--- a/ssl_common.h
+++ b/ssl_common.h
@@ -74,5 +74,6 @@ extern unsigned long get_certificate_serial(struct client_state *csp);
 extern int get_certificate_valid_from_date(char *buffer, size_t buffer_size, const char *fmt);
 extern int get_certificate_valid_to_date(char *buffer, size_t buffer_size, const char *fmt);
 extern int host_is_ip_address(const char *host);
+extern int enforce_sane_certificate_state(const char *certificate, const char *key);
 
 #endif /* ndef SSL_COMMON_H_INCLUDED */

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
