polarssl: fix --client-cert-not-required

PolarSSL 1.3 determines whether to use a client key/cert based on the
private key and/or certificate structs being allocated or not.  We
previously would always allocate the structs in
tls_ctx_{client,server}_new(), which made polarssl clients without a
client key/cert (can also be mgmt-external-key or pkcs11) fail to connect.

Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2
does not contain the 'pk' abtraction layer and therefore behaves slightly
different.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10287
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index cd77aa57692fb5dd679db597a118a39b44252bdb..27cd7355d9a25bb1d5a3bea47bbdcc3d27da95ec 100644 (file)
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -77,11 +77,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
   CLEAR(*ctx);
 
   ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
-  ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
 
   ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
-  ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
-
 
   ctx->endpoint = SSL_IS_SERVER;
   ctx->initialised = true;
@@ -94,10 +91,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
   CLEAR(*ctx);
 
   ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
-  ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
-
   ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt);
-  ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
 
   ctx->endpoint = SSL_IS_CLIENT;
   ctx->initialised = true;
@@ -109,16 +103,20 @@ tls_ctx_free(struct tls_root_ctx *ctx)
   if (ctx)
     {
       pk_free(ctx->priv_key);
-      free(ctx->priv_key);
+      if (ctx->priv_key)
+       free(ctx->priv_key);
 
       x509_crt_free(ctx->ca_chain);
-      free(ctx->ca_chain);
+      if (ctx->ca_chain)
+       free(ctx->ca_chain);
 
       x509_crt_free(ctx->crt_chain);
-      free(ctx->crt_chain);
+      if (ctx->crt_chain)
+       free(ctx->crt_chain);
 
       dhm_free(ctx->dhm_ctx);
-      free(ctx->dhm_ctx);
+      if (ctx->dhm_ctx)
+       free(ctx->dhm_ctx);
 
 #if defined(ENABLE_PKCS11)
       if (ctx->priv_key_pkcs11 != NULL) {
@@ -272,6 +270,11 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
 {
   ASSERT(NULL != ctx);
 
+  if (!ctx->crt_chain)
+    {
+      ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt);
+    }
+
   if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
     {
       if (!polar_ok(x509_crt_parse(ctx->crt_chain,
@@ -295,6 +298,11 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
   int status;
   ASSERT(NULL != ctx);
 
+  if (!ctx->priv_key)
+    {
+      ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context);
+    }
+
   if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline)
     {
       status = pk_parse_key(ctx->priv_key,
@@ -527,6 +535,11 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
 {
   ASSERT(NULL != ctx);
 
+  if (!ctx->crt_chain)
+    {
+      ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt);
+    }
+
   if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
     {
       if (!polar_ok(x509_crt_parse(ctx->crt_chain,