path: root/src/openvpn/ssl_verify.c
authorBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
committerBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
commitcf55ab99392458e723c7ebcc32c19bbd225b1f4b (patch)
treeb895b41b7629c9a31de5cc15e7aa7805ddac87ce /src/openvpn/ssl_verify.c
parent9683f890944ffb114f5f8214f694e0b339cf5a5a (diff)
New upstream version 2.4.5
Diffstat (limited to 'src/openvpn/ssl_verify.c')
-rw-r--r--src/openvpn/ssl_verify.c36
1 files changed, 23 insertions, 13 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 9cd36d7..c7e595e 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -547,14 +547,14 @@ verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, stru
FILE *peercert_file;
const char *peercert_filename = "";
- if (!tmp_dir)
+ /* create tmp file to store peer cert */
+ if (!tmp_dir
+ || !(peercert_filename = create_temp_file(tmp_dir, "pcf", gc)))
{
+ msg (M_WARN, "Failed to create peer cert file");
return NULL;
}
- /* create tmp file to store peer cert */
- peercert_filename = create_temp_file(tmp_dir, "pcf", gc);
-
/* write peer-cert in tmp-file */
peercert_file = fopen(peercert_filename, "w+");
if (!peercert_file)
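Review bot: The warning added on the `msg (M_WARN, ...)` line fires for both halves of the merged condition, so a NULL `tmp_dir` is reported as a failed temp-file creation; the only caller visible on this page passes `verify_export_cert` inside an `if (verify_export_cert)` guard, so that branch looks defensive, but the log line should still say what was checked, e.g. `msg(M_WARN, "Failed to create peer cert file (no tmp dir or temp file creation failed)");`. Note the spacing too: `msg (M_WARN` has a space before the parenthesis while the rest of this file writes `msg(`, as the `msg(D_TLS_ERRORS, ...)` context line later in the diff shows. The body of verify_cert_export_cert continues past the end of this hunk.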
@@ -589,10 +589,13 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
if (verify_export_cert)
{
- if ((tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc)))
+ tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc);
+ if (!tmp_file)
{
- setenv_str(es, "peer_cert", tmp_file);
+ ret = false;
+ goto cleanup;
}
+ setenv_str(es, "peer_cert", tmp_file);
}
argv_parse_cmd(&argv, verify_command);
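Review bot: The new failure path gives no diagnostic of its own — when `verify_cert_export_cert` returns NULL the function sets `ret = false` and jumps to `cleanup`, relying entirely on the callee's M_WARN to explain why the verify command never ran. A one-line comment above `ret = false;` would record that this is deliberate fail-closed behaviour rather than an oversight: `/* Fail closed: never run the verify command without the peer cert it expects. */`. The jump also skips `argv_parse_cmd` and lands on `argv_reset(&argv)` at the `cleanup:` label added in the following hunk, so it depends on `argv` being initialised at its declaration and on the initial value of `ret`; both declarations are outside this hunk, so I cannot confirm them from the page.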
@@ -609,6 +612,7 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
}
}
+cleanup:
gc_free(&gc);
argv_reset(&argv);
@@ -879,21 +883,21 @@ key_state_rm_auth_control_file(struct key_state *ks)
}
}
-static void
+static bool
key_state_gen_auth_control_file(struct key_state *ks, const struct tls_options *opt)
{
struct gc_arena gc = gc_new();
- const char *acf;
key_state_rm_auth_control_file(ks);
- acf = create_temp_file(opt->tmp_dir, "acf", &gc);
+ const char *acf = create_temp_file(opt->tmp_dir, "acf", &gc);
if (acf)
{
ks->auth_control_file = string_alloc(acf, NULL);
setenv_str(opt->es, "auth_control_file", ks->auth_control_file);
- } /* FIXME: Should have better error handling? */
+ }
gc_free(&gc);
+ return acf;
}
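Review bot: `return acf;` converts a `const char *` to the function's new `bool` return type implicitly, and it reads `acf` after `gc_free(&gc)` has released the arena that owns the string — only the pointer value is tested, so this is not a use-after-free, but it reads like one and invites a future dereference. `return acf != NULL;` makes the intent explicit, or `bool ok = acf != NULL;` captured before `gc_free` keeps the arena's lifetime and the result visibly separate. Dropping the FIXME also removed the function's only comment; a short header such as `/* Returns true when the deferred-auth control file was created and its path exported to the environment; false otherwise. */` would document the new contract the callers now depend on.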
static unsigned int
@@ -1184,7 +1188,12 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up,
#ifdef PLUGIN_DEF_AUTH
/* generate filename for deferred auth control file */
- key_state_gen_auth_control_file(ks, session->opt);
+ if (!key_state_gen_auth_control_file(ks, session->opt))
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error (%s): "
+ "could not create deferred auth control file", __func__);
+ goto cleanup;
+ }
#endif
/* call command */
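Review bot: The new `goto cleanup` leaves `retval` at whatever value it was given before this hunk, so verify_user_pass_plugin only fails closed if that initialiser is already the plugin error code; the initialiser is outside the hunk and cannot be confirmed from the page, and assigning the failure value explicitly on the error path before the jump would make that independent of a later change to the initialiser. The `cleanup:` label itself is added in the next hunk, after the blank-username message. Two style points: `msg (D_TLS_ERRORS,` has a space before the parenthesis where the adjacent context line writes `msg(D_TLS_ERRORS, ...)`, and the new message names the function via `__func__` while that context line hard-codes "verify_user_pass_plugin" — one convention or the other.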
@@ -1209,6 +1218,7 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up,
msg(D_TLS_ERRORS, "TLS Auth Error (verify_user_pass_plugin): peer provided a blank username");
}
+cleanup:
return retval;
}