From 99e8bb8140fe72de5ad4cb9e84d3bf0020c3a7a3 Mon Sep 17 00:00:00 2001
From: Mattias Ellert
Date: Mar 03 2017 11:48:32 +0000
Subject: Make sure the effective CA is always defined
---
diff --git a/xrootd-effca.patch b/xrootd-effca.patch
new file mode 100644
index 0000000..6313937
--- /dev/null
+++ b/xrootd-effca.patch
@@ -0,0 +1,64 @@
+diff --git a/src/XrdCrypto/XrdCryptoX509Chain.cc b/src/XrdCrypto/XrdCryptoX509Chain.cc
+index 2cdd22e..2d9c7ab 100644
+--- a/src/XrdCrypto/XrdCryptoX509Chain.cc
++++ b/src/XrdCrypto/XrdCryptoX509Chain.cc
+@@ -259,6 +259,9 @@ void XrdCryptoX509Chain::PutInFront(XrdCryptoX509 *c)
+ end = nc;
+ size++;
+ }
++
++ // Search for the effective CA (the last one, in case of subCAs)
++ SetEffectiveCA();
+ }
+
+ //___________________________________________________________________________
+@@ -286,6 +289,9 @@ void XrdCryptoX509Chain::InsertAfter(XrdCryptoX509 *c, XrdCryptoX509 *cp)
+ if (!nc)
+ PushBack(c);
+ }
++
++ // Search for the effective CA (the last one, in case of subCAs)
++ SetEffectiveCA();
+ }
+
+ //___________________________________________________________________________
+@@ -303,6 +309,9 @@ void XrdCryptoX509Chain::PushBack(XrdCryptoX509 *c)
+ end = nc;
+ size++;
+ }
++
++ // Search for the effective CA (the last one, in case of subCAs)
++ SetEffectiveCA();
+ }
+
+ //___________________________________________________________________________
+@@ -360,6 +369,9 @@ void XrdCryptoX509Chain::Remove(XrdCryptoX509 *c)
+ // Cleanup and update size
+ delete curr;
+ size--;
++
++ // Search for the effective CA (the last one, in case of subCAs)
++ SetEffectiveCA();
+ }
+
+ //___________________________________________________________________________
+@@ -639,14 +651,15 @@ int XrdCryptoX509Chain::Reorder()
+ void XrdCryptoX509Chain::SetEffectiveCA()
+ {
+ // Search for the effective CA (the last one, in case of subCAs)
+- effca = 0;
++ effca = 0; caname = ""; cahash = "";
++
+ XrdCryptoX509ChainNode *np = begin;
+ while (np) {
+ if (np->Cert()) {
+ if (np->Cert()->type == XrdCryptoX509::kCA) {
+- effca = np;
+- } else {
+- break;
++ if (!effca || (effca &&
++ !(strcmp(effca->Cert()->SubjectHash(),
++ np->Cert()->IssuerHash())))) effca = np;
+ }
+ }
+ np = np->Next();
diff --git a/xrootd.spec b/xrootd.spec
index 573ff25..3952e7c 100644
--- a/xrootd.spec
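Review bot: The new chaining test in SetEffectiveCA() passes `effca->Cert()->SubjectHash()` and `np->Cert()->IssuerHash()` straight to `strcmp`, which is undefined behaviour if either accessor returns a null pointer; their definitions are not part of this patch, so it should be confirmed whether a certificate whose name cannot be hashed can produce one. If the chain can hold peer-supplied certificates, a guard is cheap insurance against a crash: `const char *sh = effca ? effca->Cert()->SubjectHash() : 0; const char *ih = np->Cert()->IssuerHash();` followed by `if (!effca || (sh && ih && !strcmp(sh, ih))) effca = np;`. The inner `effca &&` is redundant after `!effca ||` and can be dropped either way. The comment above the loop could also state that this only matches name hashes and accepts the first kCA node unconditionally, so `effca` is a candidate and not a signature-verified issuer. The function body continues past the end of the hunk, so how caname and cahash are refilled is not visible here.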
+++ b/xrootd.spec @@ -16,7 +16,7 @@ Name: xrootd Epoch: 1 Version: 4.6.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Extended ROOT file server Group: System Environment/Daemons @@ -60,6 +60,9 @@ Patch7: %{name}-backward-compat.patch # https://github.com/xrootd/xrootd/pull/472 # https://github.com/xrootd/xrootd/pull/473 Patch8: %{name}-old-config.patch +# Make sure the effective CA is always defined +# https://github.com/xrootd/xrootd/issues/476 +Patch9: %{name}-effca.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: cmake @@ -291,6 +294,7 @@ This package contains the API documentation of the xrootd libraries. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %if %{?fedora}%{!?fedora:0} <= 9 && %{?rhel}%{!?rhel:0} <= 5 # Older versions of SELinux do not have policy for open @@ -672,6 +676,9 @@ fi %doc %{_pkgdocdir} %changelog +* Fri Mar 03 2017 Mattias Ellert - 1:4.6.0-7 +- Make sure the effective CA is always defined + * Thu Mar 02 2017 Mattias Ellert - 1:4.6.0-6 - Ignore parameter of discarded old configuration directive