mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
polarssl: fix --client-cert-not-required
PolarSSL 1.3 determines whether to use a client key/cert based on the private key and/or certificate structs being allocated or not. We previously would always allocate the structs in tls_ctx_{client,server}_new(), which made polarssl clients without a client key/cert (can also be mgmt-external-key or pkcs11) fail to connect. Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2 does not contain the 'pk' abtraction layer and therefore behaves slightly different. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10287 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
41e4b67a22
commit
444a93eab3
@ -77,11 +77,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
|
||||
CLEAR(*ctx);
|
||||
|
||||
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
|
||||
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
|
||||
|
||||
ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
|
||||
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
|
||||
|
||||
|
||||
ctx->endpoint = SSL_IS_SERVER;
|
||||
ctx->initialised = true;
|
||||
@ -94,10 +91,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
|
||||
CLEAR(*ctx);
|
||||
|
||||
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
|
||||
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
|
||||
|
||||
ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
|
||||
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
|
||||
|
||||
ctx->endpoint = SSL_IS_CLIENT;
|
||||
ctx->initialised = true;
|
||||
@ -109,16 +103,20 @@ tls_ctx_free(struct tls_root_ctx *ctx)
|
||||
if (ctx)
|
||||
{
|
||||
pk_free(ctx->priv_key);
|
||||
free(ctx->priv_key);
|
||||
if (ctx->priv_key)
|
||||
free(ctx->priv_key);
|
||||
|
||||
x509_crt_free(ctx->ca_chain);
|
||||
free(ctx->ca_chain);
|
||||
if (ctx->ca_chain)
|
||||
free(ctx->ca_chain);
|
||||
|
||||
x509_crt_free(ctx->crt_chain);
|
||||
free(ctx->crt_chain);
|
||||
if (ctx->crt_chain)
|
||||
free(ctx->crt_chain);
|
||||
|
||||
dhm_free(ctx->dhm_ctx);
|
||||
free(ctx->dhm_ctx);
|
||||
if (ctx->dhm_ctx)
|
||||
free(ctx->dhm_ctx);
|
||||
|
||||
#if defined(ENABLE_PKCS11)
|
||||
if (ctx->priv_key_pkcs11 != NULL) {
|
||||
@ -272,6 +270,11 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
|
||||
{
|
||||
ASSERT(NULL != ctx);
|
||||
|
||||
if (!ctx->crt_chain)
|
||||
{
|
||||
ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
|
||||
}
|
||||
|
||||
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
|
||||
{
|
||||
if (!polar_ok(x509_crt_parse(ctx->crt_chain,
|
||||
@ -295,6 +298,11 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
|
||||
int status;
|
||||
ASSERT(NULL != ctx);
|
||||
|
||||
if (!ctx->priv_key)
|
||||
{
|
||||
ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
|
||||
}
|
||||
|
||||
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline)
|
||||
{
|
||||
status = pk_parse_key(ctx->priv_key,
|
||||
@ -527,6 +535,11 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
|
||||
{
|
||||
ASSERT(NULL != ctx);
|
||||
|
||||
if (!ctx->crt_chain)
|
||||
{
|
||||
ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt);
|
||||
}
|
||||
|
||||
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
|
||||
{
|
||||
if (!polar_ok(x509_crt_parse(ctx->crt_chain,
|
||||
|
Loading…
Reference in New Issue
Block a user