When using the chroot option, the init_ssl function can be called before
entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This
commit ensures that OpenVPN tries to open the correct path for the CRL
file in either situation.
This commit does not address key and certificate files. For these, the
--persist-key option should be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <
20210415091248.18149-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22117.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Initialize the OpenSSL library's global
* SSL context.
*/
- init_ssl(options, &(c->c1.ks.ssl_ctx));
+ init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
{
switch (auth_retry_get())
return element_count;
}
+
+struct buffer
+prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
+{
+ size_t len = strlen(dir) + strlen(PATH_SEPARATOR_STR) + strlen(path) + 1;
+ struct buffer combined_path = alloc_buf_gc(len, gc);
+ buf_printf(&combined_path, "%s%s%s", dir, PATH_SEPARATOR_STR, path);
+ ASSERT(combined_path.len > 0);
+
+ return combined_path;
+}
int
get_num_elements(const char *string, char delimiter);
+/**
+ * Prepend a directory to a path.
+ */
+struct buffer
+prepend_dir(const char *dir, const char *path, struct gc_arena *gc);
+
#endif /* ifndef MISC_H */
{
struct gc_arena gc = gc_new();
struct buffer chroot_file;
- int len = 0;
-
- /* Build up a new full path including chroot directory */
- len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
- chroot_file = alloc_buf_gc(len, &gc);
- buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
- ASSERT(chroot_file.len > 0);
+ chroot_file = prepend_dir(chroot, file, &gc);
ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
gc_free(&gc);
}
* All files are in PEM format.
*/
void
-init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
{
ASSERT(NULL != new_ctx);
/* Read CRL */
if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
{
- tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
+ /* If we're running with the chroot option, we may run init_ssl() before
+ * and after chroot-ing. We can use the crl_file path as-is if we're
+ * not going to chroot, or if we already are inside the chroot.
+ *
+ * If we're going to chroot later, we need to prefix the path of the
+ * chroot directory to crl_file.
+ */
+ if (!options->chroot_dir || in_chroot || options->crl_file_inline)
+ {
+ tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
+ }
+ else
+ {
+ struct gc_arena gc = gc_new();
+ struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
+ tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
+ gc_free(&gc);
+ }
}
/* Once keys and cert are loaded, load ECDH parameters */
* Build master SSL context object that serves for the whole of OpenVPN
* instantiation
*/
-void init_ssl(const struct options *options, struct tls_root_ctx *ctx);
+void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot);
/** @addtogroup control_processor
* @{ */
projects / thirdparty / openvpn.git / commitdiff
