authorSteffan Karger2016-01-03 10:47:56 +0100
committerGert Doering2016-01-03 10:50:26 +0100
commit868d9d01802da9bbbb3a758981f3c7310a905813 (patch)
treedd04894f62f2217b6e999045cfb3ae321c15ccf5 /src/openvpn/ssl_openssl.c
parentcdc65ea0f1f94974f55352d794627561c78c4151 (diff)
Fix regression in setups without a client certificate
This fixes a null-pointer dereference in tls_ctx_cert_time(), which will occur on clients that do not use a client certificate (ie that only have auth-user-pass in the config, but no key and cert). This bug was introduced by commit 091edd8e on the master branch, and commit dfd940bb on the release/2.3 branch. This bug was found by chipitsine and reported in trac ticket #644. While touching this function, I also made this function conform to the openvpn coding style. v2 - fix memory leak in builds using pre-1.0.2 openssl Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10921 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c18
1 files changed, 14 insertions, 4 deletions
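--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -356,15 +356,22 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 int ret;
 const X509 *cert;
+ ASSERT (ctx);
+
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
 /* OpenSSL 1.0.2 and up */
- cert = SSL_CTX_get0_certificate(ctx->ctx);
+ cert = SSL_CTX_get0_certificate (ctx->ctx);
 #else
 /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
- SSL *ssl = SSL_new(ctx->ctx);
- cert = SSL_get_certificate(ssl);
+ SSL *ssl = SSL_new (ctx->ctx);
+ cert = SSL_get_certificate (ssl);
 #endif
+ if (cert == NULL)
+ {
+ goto cleanup; /* Nothing to check if there is no certificate */
+ }
+
 ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
 if (ret == 0)
 {
@@ -384,9 +391,12 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 {
 msg (M_WARN, "WARNING: Your certificate has expired!");
 }
+
+cleanup:
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
- SSL_free(ssl);
+ SSL_free (ssl);
 #endif
+ return;
 }
 void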
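Review bot: In the first hunk, the pre-1.0.2 branch still dereferences a NULL pointer when `SSL_new (ctx->ctx)` fails, because `SSL_get_certificate (ssl)` is called on the result before the new `cert == NULL` guard is reached; the added check only covers the no-client-certificate case the commit describes. A guard directly after the allocation closes that gap, e.g. `if (ssl == NULL) { goto cleanup; }`, and the existing cleanup label then handles it since, as far as I can tell, `SSL_free` tolerates a NULL argument in those OpenSSL versions. In the second hunk the bare `return;` after `cleanup:` looks redundant but is what keeps 1.0.2+ builds compiling, where the `SSL_free` line is preprocessed away and a label would otherwise precede the closing brace; a comment such as `/* keep: a label may not directly precede '}' when SSL_free is compiled out */` would stop a later tidy-up from removing it. The start of tls_ctx_check_cert_time lies outside the hunk.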