Hi,
On 21-10-2019 13:35, Santtu Lakkala wrote:
> Clear error stack on successful certificate loading in
> tls_ctx_load_cert_file_and_copy() and handle errors also for
> PEM_read_bio_PrivateKey() call in tls_ctx_load_priv_file().
>
> Due to certificate loading possibly leaking non-fatal errors on OpenSSL
> error stack, and some slight oversights in error handling, the
>
>> PASSWORD:Verification Failed: 'Private Key'
>
> line was never produced on the management channel for PEM formatted keys.
>
> Signed-off-by: Santtu Lakkala
> ---
> src/openvpn/ssl_openssl.c | 11 +--
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index 07916c3c..74c8fa65 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -921,6 +921,10 @@ end:
> crypto_msg(M_FATAL, "Cannot load certificate file %s",
> cert_file);
> }
> }
> +else
> +{
> +crypto_print_openssl_errors(M_DEBUG);
> +}
>
> if (in != NULL)
> {
> @@ -963,12 +967,7 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const
> char *priv_key_file,
> pkey = PEM_read_bio_PrivateKey(in, NULL,
> SSL_CTX_get_default_passwd_cb(ctx->ctx),
>
> SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
> -if (!pkey)
> -{
> -goto end;
> -}
> -
> -if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
> +if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
> {
> #ifdef ENABLE_MANAGEMENT
> if (management && (ERR_GET_REASON(ERR_peek_error()) ==
> EVP_R_BAD_DECRYPT))
>
Thanks, and apologies for the late repsonse. This patch does was it
says, and looks good to me. I think this one should go into both master
and release/2.4.
Acked-by: Steffan Karger
-Steffan
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
