fix read_certificate problem after failed proxy attempt

2025-10-03 02:15:43 -04:00 · 2002-10-26 04:47:24 +00:00 · 2002-10-26 04:47:24 +00:00 · 54e997dbe0
commit 54e997dbe0
parent e11f713860
2 changed files with 33 additions and 4 deletions
--- a/panda/src/downloader/httpChannel.cxx
+++ b/panda/src/downloader/httpChannel.cxx
@ -793,11 +793,10 @@ run_proxy_reading_header() {
  if (get_status_code() == 407 && last_status != 407 && !_proxy.empty()) {
    // 407: not authorized to proxy.  Try to get the authorization.
    string authenticate_request = get_header_value("Proxy-Authenticate");
-    _proxy_auth = 
-      _client->generate_auth(_proxy, true, authenticate_request);
+    _proxy_auth = _client->generate_auth(_proxy, true, authenticate_request);
    if (_proxy_auth != (HTTPAuthorization *)NULL) {
      _proxy_realm = _proxy_auth->get_realm();
-      _proxy_username = _client->select_username(_proxy, false, _proxy_realm);
+      _proxy_username = _client->select_username(_proxy, true, _proxy_realm);
      if (!_proxy_username.empty()) {
        make_proxy_request_text();

--- a/panda/src/downloader/httpClient.cxx
+++ b/panda/src/downloader/httpClient.cxx
@ -717,28 +717,58 @@ load_verify_locations(SSL_CTX *ctx, const Filename &ca_file) {
  // just read, and call the low-level routines to read the
  // certificates from the BIO.
  BIO *mbio = BIO_new_mem_buf((void *)data.data(), data.length());
+
+  // We have to be sure and clear the OpenSSL error state before we
+  // call this function, or it will get confused.
+  ERR_clear_error();
  inf = PEM_X509_INFO_read_bio(mbio, NULL, NULL, NULL);
  BIO_free(mbio);

  if (!inf) {
    // Could not scan certificates.
+    downloader_cat.info()
+      << "PEM_X509_INFO_read_bio() returned NULL.\n";
+#ifdef REPORT_SSL_ERRORS
+    ERR_print_errors_fp(stderr);
+#endif
    return 0;
  }
+  
+  if (downloader_cat.is_spam()) {
+    downloader_cat.spam()
+      << "PEM_X509_INFO_read_bio() found " << sk_X509_INFO_num(inf)
+      << " entries.\n";
+  }

  // Now add the certificates to the context.
  X509_STORE *store = ctx->cert_store;

  int count = 0;
-  for (int i = 0; i < sk_X509_INFO_num(inf); i++) {
+  int num_entries = sk_X509_INFO_num(inf);
+  for (int i = 0; i < num_entries; i++) {
    X509_INFO *itmp = sk_X509_INFO_value(inf, i);

    if (itmp->x509) {
      X509_STORE_add_cert(store, itmp->x509);
      count++;
+      if (downloader_cat.is_spam()) {
+        downloader_cat.spam()
+          << "Entry " << i << " is x509\n";
+      }

    } else if (itmp->crl) {
      X509_STORE_add_crl(store, itmp->crl);
      count++;
+      if (downloader_cat.is_spam()) {
+        downloader_cat.spam()
+          << "Entry " << i << " is crl\n";
+      }
+
+    } else {
+      if (downloader_cat.is_spam()) {
+        downloader_cat.spam()
+          << "Entry " << i << " is unknown type\n";
+      }
    }
  }
  sk_X509_INFO_pop_free(inf, X509_INFO_free);