From 750f7f895b5aa5e5408c5f2a902eeea2b8ca03f0 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Mon, 15 Nov 2010 20:45:47 +0000
Subject: [PATCH] ITS#6705 from Rich Megginson @ Red Hat - only use .0 files in cacertdir
---
 libraries/libldap/tls_m.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index e713459448..124b85d53e 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -105,6 +105,9 @@ static const PRIOMethods tlsm_PR_methods;
 #define PEM_LIBRARY "nsspem"
 #define PEM_MODULE "PEM"
+/* hash files for use with cacertdir have this file name suffix */
+#define PEM_CA_HASH_FILE_SUFFIX ".0"
+#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
 static SECMODModule *pem_module;
@@ -1235,8 +1238,19 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 do {
 entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
- if ( NULL != entry ) {
- char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
+ if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
+ char *fullpath = NULL;
+ char *ptr;
+
+ ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
+ if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
+ "directory file with a properly hashed file name - skipping.\n",
+ entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
+ continue;
+ }
+ fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
 if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
 Debug( LDAP_DEBUG_TRACE,
 "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
--
2.39.5
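Review bot: `PEM_CA_HASH_FILE_SUFFIX_LEN 2` in the first hunk hard-codes the length of the `".0"` literal defined on the line above it, so the two can silently drift apart if the suffix is ever changed; derive it instead, `#define PEM_CA_HASH_FILE_SUFFIX_LEN (sizeof(PEM_CA_HASH_FILE_SUFFIX) - 1)`, which the `*(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0'` test in the second hunk relies on to stay in bounds after `PL_strrstr` returns a full occurrence of the suffix. The `continue` added in the second hunk is inside a `do { ... }` whose `while` condition lies outside the hunk; presumably that condition is on `entry` being non-NULL, so a skipped file simply advances to the next directory entry, but this is worth confirming since a condition depending on state set later in the body would behave differently. The new comment on the macro only names the suffix; it should also record the consequence of this filter for readers of the directory layout, e.g. `/* only cacertdir entries named <hash>.0 are loaded; any other file in the directory is ignored */`.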