From 8663ace30034bc7c7e0775ed48a77c5f7f5c8da2 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 24 Jan 2009 17:47:18 +0000
Subject: removed limit on ca certificates' number

---
diff --git a/NEWS b/NEWS
index 26fa82b..5dea61e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,9 @@
-** Verison 0.5.4 (2009-01-04)
+** Version 0.5.5 (unreleased)
+
+- Removed limits on CA certificate loading. Reported by
+  Sander Marechal and Jack Bates.
+
+** Version 0.5.4 (2009-01-04)
 
 - mod_gnutls.h: modified definition to extern to avoid compilation
   errors in darwin.
diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
index 9af95a0..ec28e07 100644
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -79,10 +79,6 @@ typedef struct
 } mgs_dirconf_rec;
 
 
-/* The maximum number of client CA certificates allowed.
- */
-#define MAX_CA_CRTS 128
-
 /* The maximum number of certificates to send in a chain
  */
 #define MAX_CHAIN_SIZE 8
@@ -111,7 +107,7 @@ typedef struct
     const char* cache_config;
     const char* srp_tpasswd_file;
     const char* srp_tpasswd_conf_file;
-    gnutls_x509_crt_t ca_list[MAX_CA_CRTS];
+    gnutls_x509_crt_t *ca_list;
     gnutls_openpgp_keyring_t pgp_list;
     unsigned int ca_list_size;
     int client_verify_mode;
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index e290d90..0a56b38 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -398,6 +398,7 @@ const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
     return NULL;
 }
 
+#define INIT_CA_SIZE 128
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
 				   const char *arg)
 {
@@ -419,15 +420,36 @@ const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
 			    "Client CA File '%s'", file);
     }
 
-    sc->ca_list_size = MAX_CA_CRTS;
+    sc->ca_list_size = INIT_CA_SIZE;
+    sc->ca_list = malloc(sc->ca_list_size * sizeof(*sc->ca_list));
+    if (sc->ca_list == NULL) {
+		return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+    }
+
     rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
-				     &data, GNUTLS_X509_FMT_PEM,
-				     GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
-    if (rv < 0) {
-	return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+				     &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+    if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
 			    "Client CA File '%s': (%d) %s", file, rv,
 			    gnutls_strerror(rv));
     }
+    
+    if (INIT_CA_SIZE < sc->ca_list_size) {
+		    sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list));
+		    if (sc->ca_list == NULL) {
+				return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+		    }
+
+    		/* re-read */
+    		rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
+				     &data, GNUTLS_X509_FMT_PEM, 0);
+
+		    if (rv < 0) {
+					return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+					    "Client CA File '%s': (%d) %s", file, rv,
+					    gnutls_strerror(rv));
+		    }
+    }
 
     apr_pool_destroy(spool);
     return NULL;
--
cgit v0.9.2