mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
Code

polarssl: fix --client-cert-not-required

Browse Source 
PolarSSL 1.3 determines whether to use a client key/cert based on the
private key and/or certificate structs being allocated or not.  We
previously would always allocate the structs in
tls_ctx_{client,server}_new(), which made polarssl clients without a
client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.

Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
does not contain the 'pk' abtraction layer and therefore behaves slightly
different.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10287
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Steffan Karger 2015-10-16 00:43:14 +02:00 committed by Gert Doering
parent 41e4b67a22
commit 444a93eab3
1 changed files with 23 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/openvpn/ssl_polarssl.c
View File

@ -77,11 +77,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
CLEAR(*ctx);
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
ctx->endpoint = SSL_IS_SERVER;
ctx->initialised = true;
@ -94,10 +91,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
CLEAR(*ctx);
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
ctx->endpoint = SSL_IS_CLIENT;
ctx->initialised = true;
@ -109,16 +103,20 @@ tls_ctx_free(struct tls_root_ctx *ctx)
if (ctx)
{
pk_free(ctx->priv_key);
free(ctx->priv_key);
if (ctx->priv_key)
free(ctx->priv_key);
x509_crt_free(ctx->ca_chain);
free(ctx->ca_chain);
if (ctx->ca_chain)
free(ctx->ca_chain);
x509_crt_free(ctx->crt_chain);
free(ctx->crt_chain);
if (ctx->crt_chain)
free(ctx->crt_chain);
dhm_free(ctx->dhm_ctx);
free(ctx->dhm_ctx);
if (ctx->dhm_ctx)
free(ctx->dhm_ctx);
#if defined(ENABLE_PKCS11)
if (ctx->priv_key_pkcs11 != NULL) {
@ -272,6 +270,11 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
{
ASSERT(NULL != ctx);
if (!ctx->crt_chain)
{
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
}
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
{
if (!polar_ok(x509_crt_parse(ctx->crt_chain,
@ -295,6 +298,11 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
int status;
ASSERT(NULL != ctx);
if (!ctx->priv_key)
{
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
}
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline)
{
status = pk_parse_key(ctx->priv_key,
@ -527,6 +535,11 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
{
ASSERT(NULL != ctx);
if (!ctx->crt_chain)
{
ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt);
}
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
{
if (!polar_ok(x509_crt_parse(ctx->crt_chain,