summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_openssl.c
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-04-19 15:52:38 +0200
committerBernhard Schmidt <berni@debian.org>2020-04-19 15:52:38 +0200
commit7728a9676dc67128c9adf56bc1d31a4e5b815b26 (patch)
treeae25e1ac822e848183a4e61eac8d5c53f520f128 /src/openvpn/ssl_openssl.c
parentf90a78a23c77c840b764b0a95732f3ee3738ef99 (diff)
parent620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (diff)
Update upstream source from tag 'upstream/2.4.9'
Update to upstream version '2.4.9' with Debian dir b64ac777b141e10bd0a11149a47506fd704401b8
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c87
1 files changed, 59 insertions, 28 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6aa3ac3..19509b7 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -634,8 +634,11 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
/* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
* loading */
SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
- return;
+
+ /* OpenSSL 1.1.0 and newer have always ecdh auto loading enabled,
+ * so do nothing */
#endif
+ return;
#else
/* For older OpenSSL we have to extract the curve from key on our own */
EC_KEY *eckey = NULL;
@@ -837,24 +840,36 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
#endif /* ENABLE_CRYPTOAPI */
static void
-tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio)
+tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
{
X509 *cert;
- for (;; )
+ while (true)
{
cert = NULL;
- if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) /* takes ownership of cert */
- {
- break;
- }
- if (!cert)
+ if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
{
+ /* a PEM_R_NO_START_LINE "Error" indicates that no certificate
+ * is found in the buffer. If loading more certificates is
+ * optional, break without raising an error
+ */
+ if (optional
+ && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
+ {
+ /* remove that error from error stack */
+ (void)ERR_get_error();
+ break;
+ }
+
+ /* Otherwise, bail out with error */
crypto_msg(M_FATAL, "Error reading extra certificate");
}
+ /* takes ownership of cert like a set1 method */
if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
{
crypto_msg(M_FATAL, "Error adding extra certificate");
}
+ /* We loaded at least one certificate, so loading more is optional */
+ optional = true;
}
}
@@ -904,7 +919,7 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx,
ret = SSL_CTX_use_certificate(ctx->ctx, x);
if (ret)
{
- tls_ctx_add_extra_certs(ctx, in);
+ tls_ctx_add_extra_certs(ctx, in, true);
}
end:
@@ -919,6 +934,10 @@ end:
crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file);
}
}
+ else
+ {
+ crypto_print_openssl_errors(M_DEBUG);
+ }
if (in != NULL)
{
@@ -972,12 +991,7 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
pkey = PEM_read_bio_PrivateKey(in, NULL,
SSL_CTX_get_default_passwd_cb(ctx->ctx),
SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
- if (!pkey)
- {
- goto end;
- }
-
- if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
+ if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
@@ -1012,7 +1026,6 @@ void
backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
const char *crl_inline)
{
- X509_CRL *crl = NULL;
BIO *in = NULL;
X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
@@ -1053,21 +1066,39 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
goto end;
}
- crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
- if (crl == NULL)
+ int num_crls_loaded = 0;
+ while (true)
{
- msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file);
- goto end;
- }
+ X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+ if (crl == NULL)
+ {
+ /*
+ * PEM_R_NO_START_LINE can be considered equivalent to EOF.
+ */
+ bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
+ /* but warn if no CRLs have been loaded */
+ if (num_crls_loaded > 0 && eof)
+ {
+ /* remove that error from error stack */
+ (void)ERR_get_error();
+ break;
+ }
- if (!X509_STORE_add_crl(store, crl))
- {
- msg(M_WARN, "CRL: cannot add %s to store", crl_file);
- goto end;
- }
+ crypto_msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file);
+ break;
+ }
+ if (!X509_STORE_add_crl(store, crl))
+ {
+ X509_CRL_free(crl);
+ crypto_msg(M_WARN, "CRL: cannot add %s to store", crl_file);
+ break;
+ }
+ X509_CRL_free(crl);
+ num_crls_loaded++;
+ }
+ msg(M_INFO, "CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
end:
- X509_CRL_free(crl);
BIO_free(in);
}
@@ -1434,7 +1465,7 @@ tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
}
else
{
- tls_ctx_add_extra_certs(ctx, in);
+ tls_ctx_add_extra_certs(ctx, in, false);
}
BIO_free(in);