Fix OpenSSL private key passphrase notices
Clear the error stack on successful certificate loading in tls_ctx_load_cert_file_and_copy() and also handle errors for the PEM_read_bio_PrivateKey() call in tls_ctx_load_priv_file(). Because certificate loading could leave non-fatal errors on the OpenSSL error stack, and because of some slight oversights in error handling, the >PASSWORD:Verification Failed: 'Private Key' line was never produced on the management channel for PEM formatted keys. Signed-off-by: Santtu Lakkala <santtu.lakkala@jolla.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20191021113506.30377-1-santtu.lakkala@jolla.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18953.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
parent
072f7d352d
commit
f67efa9412
@ -957,6 +957,10 @@ end:
|
||||
crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
crypto_print_openssl_errors(M_DEBUG);
|
||||
}
|
||||
|
||||
if (in != NULL)
|
||||
{
|
||||
@ -999,12 +1003,7 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
|
||||
pkey = PEM_read_bio_PrivateKey(in, NULL,
|
||||
SSL_CTX_get_default_passwd_cb(ctx->ctx),
|
||||
SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
|
||||
if (!pkey)
|
||||
{
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
|
||||
if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
|
||||
{
|
||||
#ifdef ENABLE_MANAGEMENT
|
||||
if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
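Review bot: The management notice on the last line of the second hunk is keyed off ERR_peek_error(), which returns the oldest entry in the OpenSSL error queue, so it fires only when no stale error precedes the decrypt failure; the `crypto_print_openssl_errors(M_DEBUG)` in the first hunk's new `else` branch appears to be what drains that residue after a successful certificate load, but neither hunk records this coupling. I would add above the new `else` in the first hunk: `/* Drain non-fatal errors left by a successful load so that later ERR_peek_error() checks (e.g. the passphrase notice in tls_ctx_load_priv_file) see only fresh errors. */`. Since a NULL pkey now falls into the error block instead of jumping straight to end:, the code after the block (outside this hunk) must tolerate pkey == NULL; EVP_PKEY_free(NULL) is a no-op, so this is fine if that is all the cleanup does, but it is worth confirming. Both hunks sit mid-function: tls_ctx_load_cert_file_and_copy and tls_ctx_load_priv_file start and end outside this page.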
|
||||
|