From: Steffan Karger Date: Thu, 15 Oct 2015 22:43:14 +0000 (+0200) Subject: polarssl: fix --client-cert-not-required X-Git-Tag: v2.4_alpha1~209 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=444a93eab38d117d4f802e95a318d71ea886bcc6;p=thirdparty%2Fopenvpn.git polarssl: fix --client-cert-not-required PolarSSL 1.3 determines whether to use a client key/cert based on the private key and/or certificate structs being allocated or not. We previously would always allocate the structs in tls_ctx_{client,server}_new(), which made polarssl clients without a client key/cert (can also be mgmt-external-key or pkcs11) fail to connect. Note that this bug is not present in OpenVPN 2.3, because PolarSSL 1.2 does not contain the 'pk' abtraction layer and therefore behaves slightly different. Signed-off-by: Steffan Karger Acked-by: Arne Schwabe Message-Id: <1444948995-18720-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10287 Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index cd77aa576..27cd7355d 100644 --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_polarssl.c @@ -77,11 +77,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) CLEAR(*ctx); ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); - ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); - ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); - ctx->endpoint = SSL_IS_SERVER; ctx->initialised = true; @@ -94,10 +91,7 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) CLEAR(*ctx); ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); - ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); - ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); - ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); ctx->endpoint = SSL_IS_CLIENT; ctx->initialised = true; @@ -109,16 +103,20 @@ tls_ctx_free(struct tls_root_ctx *ctx) if (ctx) { pk_free(ctx->priv_key); - free(ctx->priv_key); + if (ctx->priv_key) + free(ctx->priv_key); x509_crt_free(ctx->ca_chain); - free(ctx->ca_chain); + if (ctx->ca_chain) + free(ctx->ca_chain); x509_crt_free(ctx->crt_chain); - free(ctx->crt_chain); + if (ctx->crt_chain) + free(ctx->crt_chain); dhm_free(ctx->dhm_ctx); - free(ctx->dhm_ctx); + if (ctx->dhm_ctx) + free(ctx->dhm_ctx); #if defined(ENABLE_PKCS11) if (ctx->priv_key_pkcs11 != NULL) { @@ -272,6 +270,11 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, { ASSERT(NULL != ctx); + if (!ctx->crt_chain) + { + ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); + } + if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) { if (!polar_ok(x509_crt_parse(ctx->crt_chain, @@ -295,6 +298,11 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, int status; ASSERT(NULL != ctx); + if (!ctx->priv_key) + { + ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); + } + if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline) { status = pk_parse_key(ctx->priv_key, @@ -527,6 +535,11 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file { ASSERT(NULL != ctx); + if (!ctx->crt_chain) + { + ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt); + } + if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) { if (!polar_ok(x509_crt_parse(ctx->crt_chain,