This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert). This bug was
introduced by commit
091edd8e on the master branch, and commit
dfd940bb
on the release/2.3 branch.
This bug was found by chipitsine and reported in trac ticket #644.
While touching this function, I also made this function conform to the
openvpn coding style.
v2 - fix memory leak in builds using pre-1.0.2 openssl
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit
868d9d01802da9bbbb3a758981f3c7310a905813)
int ret;
const X509 *cert;
+ ASSERT (ctx);
+
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
/* OpenSSL 1.0.2 and up */
- cert = SSL_CTX_get0_certificate(ctx->ctx);
+ cert = SSL_CTX_get0_certificate (ctx->ctx);
#else
/* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
- SSL *ssl = SSL_new(ctx->ctx);
- cert = SSL_get_certificate(ssl);
+ SSL *ssl = SSL_new (ctx->ctx);
+ cert = SSL_get_certificate (ssl);
#endif
+ if (cert == NULL)
+ {
+ goto cleanup; /* Nothing to check if there is no certificate */
+ }
+
ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
if (ret == 0)
{
{
msg (M_WARN, "WARNING: Your certificate has expired!");
}
+
+cleanup:
#if OPENSSL_VERSION_NUMBER < 0x10002000L
- SSL_free(ssl);
+ SSL_free (ssl);
#endif
+ return;
}
void
void
tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
{
+ ASSERT (ctx);
+ if (ctx->crt_chain == NULL)
+ {
+ return; /* Nothing to check if there is no certificate */
+ }
+
if (x509_time_future (&ctx->crt_chain->valid_from))
{
msg (M_WARN, "WARNING: Your certificate is not yet valid!");
projects / thirdparty / openvpn.git / commitdiff
