Author: brane
Date: Thu Jan  1 17:33:48 2026
New Revision: 1931046

Log:
Fix a bug in the client certificate loading logic. It was hidden from
view because the error that should have been reported was thrown away
when the error callback was not defined.

* buckets/ssl_buckets.c (ssl_need_client_cert):
   Add a rather caustic FIXME that the function should be split in two.
   Use OSSL_STORE_open() instead of the _ex() variant because we don't
   use any of the extended parameters.
   When iterating over a certificate store's contents, check the EOF
   condition only after attempting to read the next item.

Modified:
   serf/trunk/buckets/ssl_buckets.c

Modified: serf/trunk/buckets/ssl_buckets.c
==============================================================================
--- serf/trunk/buckets/ssl_buckets.c    Thu Jan  1 15:08:48 2026        
(r1931045)
+++ serf/trunk/buckets/ssl_buckets.c    Thu Jan  1 17:33:48 2026        
(r1931046)
@@ -1628,6 +1628,10 @@ static int ssl_need_client_cert(SSL *ssl
     }
 
 #if defined(SERF_HAVE_OSSL_STORE_OPEN_EX)
+    /* FIXME: This is completely messed up. Extract the OPENSSL_STORE
+              part into a separate function instead of using break
+              + ERR_peek_error() for something that, for lack of a more
+              friendly term, might be called "error handling". */
 
     /* until further notice */
     *cert = NULL;
@@ -1669,8 +1673,7 @@ static int ssl_need_client_cert(SSL *ssl
         /* server side request some certs? this list may be empty */
         requested = SSL_get_client_CA_list(ssl);
 
-        store = OSSL_STORE_open_ex(cert_uri, NULL, NULL, ui_method, ctx, NULL,
-                                   NULL, NULL);
+        store = OSSL_STORE_open(cert_uri, ui_method, ctx, NULL, NULL);
         if (!store) {
 
             if (ctx->error_callback) {
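Review bot: The new call at `store = OSSL_STORE_open(cert_uri, ui_method, ctx, NULL, NULL);` is still compiled under `#if defined(SERF_HAVE_OSSL_STORE_OPEN_EX)` (visible in the previous hunk), so the feature macro now names an API the code no longer uses. OSSL_STORE_open() predates the _ex variant (OpenSSL 1.1.1 versus 3.0), so the guard is safe but more restrictive than it needs to be; either rename the configure check to the function actually called or add a comment next to the `#if`, e.g. `/* OSSL_STORE_open() is older than the _ex variant; the _ex feature test is kept as a conservative proxy. */`. The `if (!store)` error path continues outside the hunk; given the log message about the error being lost when ctx->error_callback is unset, it is worth confirming that the callback-less branch still clears or reports the OpenSSL error queue, so a stale entry does not surface in a later ERR_peek_error() check.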
@@ -1685,8 +1688,13 @@ static int ssl_need_client_cert(SSL *ssl
 
         /* walk the store, what are we working with */
 
-        while (!OSSL_STORE_eof(store)) {
+        for (;;) {
             info = OSSL_STORE_load(store);
+            if (OSSL_STORE_eof(store)) {
+                /* NOTE: OSSL_STORE_eof() is not signalled until *after* the
+                         first OSSL_STORE_load() fails. */
+                break;
+            }
 
             if (!info) {
 
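Review bot: The EOF test at `if (OSSL_STORE_eof(store))` runs before `info` is examined, so a non-NULL OSSL_STORE_INFO returned by that same OSSL_STORE_load() call would be dropped without OSSL_STORE_INFO_free() if a store backend ever reports EOF together with its last object. Checking the NULL result first and treating EOF as the terminating case inside it is safe under both orderings: `if (!info) { if (OSSL_STORE_eof(store)) break; /* otherwise a real load error: existing handling */ }`. The NOTE comment about EOF only being signalled after a failed load would then sit on the inner check, where it explains the ordering. The `if (!info) {` block and the remainder of the loop continue outside the hunk.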
