Hi,

On 02/04/2020 15:15, Antonio Quartulli wrote:
> Hi,
>
> On 02/04/2020 12:38, Arne Schwabe wrote:
>> Commit f67efa94 exposed that tls_ctx_add_extra_certs will always leave
>> an error of PEM_R_NO_START_LINE on the stack that will be printed the next
>> time that the error is printed.
>>
>> Fix this by discarding this error. Also clean up the logic to report
>> the real error on other errors and also the no start line error if no
>> certificate can be found at all and it is required (--extra-certs
>> config option).
>>
>> Patch V2: fix optional flag that was flipped between --cert and --extra-certs
>> Patch V3: Make logic easier to follow, no functional changes
>>
>> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
>> ---
>> src/openvpn/ssl_openssl.c | 30 +++++++++++++++++++++---------
>> 1 file changed, 21 insertions(+), 9 deletions(-)
>>
>> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
>> index 3f0031ff..1731474d 100644
>> --- a/src/openvpn/ssl_openssl.c
>> +++ b/src/openvpn/ssl_openssl.c
>> @@ -881,24 +881,36 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const >> char *cryptoapi_cert) >> #endif /* ENABLE_CRYPTOAPI */ >> >> static void >> -tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio) >> +tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional) >> { >> X509 *cert; >> - for (;; ) >> + while (true) >> { >> cert = NULL; >> - if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) /* takes ownership >> of cert */ >> - { >> - break; >> - } >> - if (!cert) >> + if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) >> { >> + /* Error indicates that no certificate is found in the buffer.
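Review bot: the quoted hunk is cut off right after the comment `/* Error indicates that no certificate is found in the buffer.`, inside the new `if (!PEM_read_bio_X509(...))` branch, so the logic the commit message promises (discard PEM_R_NO_START_LINE, report any other error, fail when nothing was loaded and `optional` is false) is not visible and cannot be checked from this excerpt. Two things to verify in the full branch: it must inspect the reason code of the pending error (ERR_GET_REASON on the value ERR_peek_last_error returns) before clearing anything, because PEM_read_bio_X509 returns NULL both at end of input and for a genuinely malformed block; and since the only local is `X509 *cert`, reset to NULL at the top of every iteration, nothing in the visible lines records whether at least one certificate was read, which the `!optional` failure case needs (a `bool` set after a successful read, or comparing the chain length before and after the loop, would do). Dropping the separate `if (!cert)` test is fine: PEM_read_bio_X509 returns the X509 pointer it stored in `cert`, so a NULL return and a NULL `cert` are the same condition.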
there is also a typo in the line above: certificateS -> certificate.

--
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
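The loop the commit message describes, as an added example that is not part of this thread and not OpenVPN or OpenSSL code. It is written in Python over a stand-in PEM reader so it runs without linking libcrypto: `pem_read_cert` fails through the same path for "no more blocks" and "malformed block", as `PEM_read_bio_X509` does with PEM_R_NO_START_LINE, and `add_extra_certs` discards the end-of-input failure, reports any other failure, and treats an empty result as fatal only when `optional` is false. The names `PemNoStartLine`, `PemParseError`, `pem_read_cert`, `add_extra_certs` and `try_load` are this example's own, and the certificate bodies are constructed placeholders (a five-byte DER SEQUENCE), not real X.509 certificates.

```python
"""PEM chain loading with the end-of-input case handled explicitly.

Added example for the openvpn-devel thread above; not OpenVPN or OpenSSL
code.  The reader below has the two failure modes a caller of
PEM_read_bio_X509 must tell apart: no BEGIN marker ahead (end of input,
what OpenSSL reports as PEM_R_NO_START_LINE) and a block that is present
but cannot be decoded.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)" + re.escape(END), re.S)


class PemNoStartLine(Exception):
    """No BEGIN marker at or after the read position: end of input."""


class PemParseError(Exception):
    """A BEGIN marker was found but the block cannot be decoded."""


def pem_read_cert(buf: str, pos: int):
    """Return (der_bytes, next_pos) for the next CERTIFICATE block at or
    after pos.  Raises PemNoStartLine when there is none and PemParseError
    for a block that is present but unusable."""
    begin = buf.find(BEGIN, pos)
    if begin < 0:
        raise PemNoStartLine()
    m = _BLOCK.match(buf, begin)
    if m is None:
        raise PemParseError("BEGIN marker without a matching END marker")
    body = "".join(m.group(1).split())        # drop line breaks before decoding
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:                  # binascii.Error is a ValueError
        raise PemParseError(f"invalid base64 body: {exc}") from exc
    if not der or der[0] != 0x30:              # an X.509 cert is a DER SEQUENCE
        raise PemParseError("body is not a DER SEQUENCE")
    return der, m.end()


def add_extra_certs(buf: str, optional: bool):
    """Read every certificate in buf and return their DER encodings.

    Every successful run ends by hitting end of input, so that failure is
    discarded rather than reported.  It is fatal only when no certificate
    was read and the chain is required (optional=False, the --extra-certs
    case).  Any other parse failure is always fatal.
    """
    certs = []
    pos = 0
    while True:
        try:
            der, pos = pem_read_cert(buf, pos)
        except PemNoStartLine:
            if not certs and not optional:
                raise ValueError("no certificate found in buffer") from None
            return certs
        except PemParseError as exc:
            raise ValueError(f"cannot load certificate: {exc}") from exc
        certs.append(der)


def try_load(buf: str, optional: bool):
    """(certs, None) on success, ([], error message) on failure."""
    try:
        return add_extra_certs(buf, optional), None
    except ValueError as exc:
        return [], str(exc)


# Constructed sample inputs (not real certificates).  The DER body is the
# five-byte SEQUENCE { INTEGER 1 }, enough to look like a DER object.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
PLACEHOLDER_PEM = f"{BEGIN}\n{base64.b64encode(PLACEHOLDER_DER).decode()}\n{END}\n"
CHAIN_PEM = PLACEHOLDER_PEM * 2                          # two certificates
EMPTY_PEM = "# a comment, no certificate at all\n"       # end of input only
BROKEN_PEM = PLACEHOLDER_PEM + f"{BEGIN}\n@@@@\n{END}\n"  # second block corrupt

if __name__ == "__main__":
    for name, buf, optional in [("chain", CHAIN_PEM, True),
                                ("empty, optional", EMPTY_PEM, True),
                                ("empty, required", EMPTY_PEM, False),
                                ("broken", BROKEN_PEM, True)]:
        certs, err = try_load(buf, optional)
        print(f"{name}: {len(certs)} cert(s), error={err!r}")
```

The split into two exception types is the whole point: a reader that collapses "nothing left to read" and "garbage in the file" into one failure forces the caller to peek at the reason code, and a caller that forgets to clear the benign one leaves it behind for the next unrelated error report, which is the symptom the patch fixes.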