mbedTLS: Fix setting certificate directory

mikezackles · ethomson · commit cdb9f3903ef6 · 2021-08-29T21:52:30.000-04:00
fixes libgit2#6003
diff --git a/src/libgit2.c b/src/libgit2.c
@@ -261,10 +261,7 @@ int git_libgit2_opts(int key, ...)
 		{
 			const char *file = va_arg(ap, const char *);
 			const char *path = va_arg(ap, const char *);
-			if (file)
-				error = git_mbedtls__set_cert_location(file, 0);
-			if (error && path)
-				error = git_mbedtls__set_cert_location(path, 1);
+			error = git_mbedtls__set_cert_location(file, path);
 		}
 #else
 		git_error_set(GIT_ERROR_SSL, "TLS backend doesn't support certificate locations");
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
@@ -68,8 +68,6 @@ static void shutdown_ssl(void)
 	}
 }
 
-int git_mbedtls__set_cert_location(const char *path, int is_dir);
-
 int git_mbedtls_stream_global_init(void)
 {
 	int loaded = 0;
@@ -148,9 +146,9 @@ int git_mbedtls_stream_global_init(void)
 
 	/* load default certificates */
 	if (crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISREG(statbuf.st_mode))
-		loaded = (git_mbedtls__set_cert_location(crtpath, 0) == 0);
+		loaded = (git_mbedtls__set_cert_location(crtpath, NULL) == 0);
 	if (!loaded && crtpath != NULL && stat(crtpath, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
-		loaded = (git_mbedtls__set_cert_location(crtpath, 1) == 0);
+		loaded = (git_mbedtls__set_cert_location(NULL, crtpath) == 0);
 
 	return git_runtime_shutdown_register(shutdown_ssl);
 
@@ -438,23 +436,22 @@ int git_mbedtls_stream_new(
 	return error;
 }
 
-int git_mbedtls__set_cert_location(const char *path, int is_dir)
+int git_mbedtls__set_cert_location(const char *file, const char *path)
 {
 	int ret = 0;
 	char errbuf[512];
 	mbedtls_x509_crt *cacert;
 
-	GIT_ASSERT_ARG(path);
+	GIT_ASSERT_ARG(file || path);
 
 	cacert = git__malloc(sizeof(mbedtls_x509_crt));
 	GIT_ERROR_CHECK_ALLOC(cacert);
 
 	mbedtls_x509_crt_init(cacert);
-	if (is_dir) {
+	if (file)
+		ret = mbedtls_x509_crt_parse_file(cacert, file);
+	if (ret >= 0 && path)
 		ret = mbedtls_x509_crt_parse_path(cacert, path);
-	} else {
-		ret = mbedtls_x509_crt_parse_file(cacert, path);
-	}
 	/* mbedtls_x509_crt_parse_path returns the number of invalid certs on success */
 	if (ret < 0) {
 		mbedtls_x509_crt_free(cacert);
diff --git a/src/streams/mbedtls.h b/src/streams/mbedtls.h
@@ -14,7 +14,7 @@
 extern int git_mbedtls_stream_global_init(void);
 
 #ifdef GIT_MBEDTLS
-extern int git_mbedtls__set_cert_location(const char *path, int is_dir);
+extern int git_mbedtls__set_cert_location(const char *file, const char *path);
 
 extern int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port);
 extern int git_mbedtls_stream_wrap(git_stream **out, git_stream *in, const char *host);

Original file line number	Diff line number	Diff line change
`@@ -261,10 +261,7 @@ int git_libgit2_opts(int key, ...)`
`261`	`261`	`{`
`262`	`262`	`const char file = va_arg(ap, const char );`
`263`	`263`	`const char path = va_arg(ap, const char );`
`264`		`- if (file)`
`265`		`- error = git_mbedtls__set_cert_location(file, 0);`
`266`		`- if (error && path)`
`267`		`- error = git_mbedtls__set_cert_location(path, 1);`
	`264`	`+ error = git_mbedtls__set_cert_location(file, path);`
`268`	`265`	`}`
`269`	`266`	`#else`
`270`	`267`	`git_error_set(GIT_ERROR_SSL, "TLS backend doesn't support certificate locations");`