From: Steffan Karger Date: Thu, 9 Mar 2017 08:13:32 +0000 (+0100) Subject: Remove duplicate X509 env variables X-Git-Tag: v2.4.1~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19d6cd4e63557c983cb0ab5094688c974588c2ff;p=thirdparty%2Fopenvpn.git Remove duplicate X509 env variables Commit 13b585e8 added support for multiple X509 env variables with the same name, but as a side effect caused these variables to pile up for each renegotiation. The old code would simply overwrite the old variables (as long as an equally-long chain was used for the new session). To stop the variables from piling up, this commit removes any old X509 env variables if we start negotiating a new TLS session. Trac: #854 Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1489047212-31994-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14237.html Signed-off-by: Gert Doering (cherry picked from commit fd0361813cd3d5a55f3408a018e2ed776d79fef6)
---
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index fe5ea9409..2d596aca2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2822,6 +2822,9 @@ tls_process(struct tls_multi *multi,
 session->opt->crl_file,
 session->opt->crl_file_inline);
 }
 
+ /* New connection, remove any old X509 env variables */
+ tls_x509_clear_env(session->opt->es);
+
 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
 }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 9f12ab8b2..a6e9be3a8 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
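Review bot: The new comment `/* New connection, remove any old X509 env variables */` undersells when this runs: the commit message says the pile-up happens on renegotiation, and the S_START handling this sits in is presumably entered for every new TLS session, initial or renegotiated. Suggest `/* New TLS session (initial or renegotiation): drop the X509_* variables exported by the previous one so consumers of the env set only see the current chain */`. Whether `session->opt->es` can be NULL at this point is not visible in the hunk; if it can, either this call or the callee needs a guard. The body of tls_process starts and ends outside the hunk.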
@@ -1486,4 +1486,21 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
 gc_free(&gc);
 }
 }
+
+void
+tls_x509_clear_env(struct env_set *es)
+{
+ struct env_item *item = es->list;
+ while (item)
+ {
+ struct env_item *next = item->next;
+ if (item->string
+ && 0 == strncmp("X509_", item->string, strlen("X509_")))
+ {
+ env_set_del(es, item->string);
+ }
+ item = next;
+ }
+}
+
 #endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index ffab2189b..d91799e11 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -238,6 +238,9 @@ tls_client_reason(struct tls_multi *multi)
 #endif
 }
 
+/** Remove any X509_ env variables from env_set es */
+void tls_x509_clear_env(struct env_set *es);
+
 #endif /* ENABLE_CRYPTO */
 #endif /* SSL_VERIFY_H_ */
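Review bot: tls_x509_clear_env relies on `env_set_del(es, item->string)` removing exactly the node under `item`, but since env_set_del only receives the string it presumably matches by variable name and drops the first entry carrying that name. That is correct here only because the walk is front-to-back and every earlier `X509_` entry has already been deleted, so the first name match is always `item` itself; that invariant, and the reason `next` is read before the call (the deletion frees the node), deserves a comment such as `/* env_set_del matches by name and frees the node; walking front-to-back, the first match is always 'item', so read 'next' first */`. The function also dereferences `es->list` without a NULL check; if any caller can hand in a NULL env_set, add `if (!es) return;` at the top rather than relying on checks inside env_set_del that are not visible here. Other per-depth variables exported by the verify path (the tls_id_N family, if this tree sets them) do not start with `X509_` and are not cleared by this prefix test, so it is worth confirming they cannot go stale the same way when the new chain is shorter than the old one. The `#ifdef ENABLE_CRYPTO` region this sits in starts outside the hunk.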