Ticket #854: 0001-Remove-duplicate-X509-env-variables.patch

File 0001-Remove-duplicate-X509-env-variables.patch, 2.3 KB (added by Steffan Karger, 5 years ago)
  • src/openvpn/ssl.c

    From b84cd3d82e61aa185a871a4fc3362d63fc5e105e Mon Sep 17 00:00:00 2001
    From: Steffan Karger <steffan@karger.me>
    Date: Wed, 8 Mar 2017 21:17:11 +0100
    Subject: [PATCH] Remove duplicate X509 env variables
    
    Commit 13b585e8 added support for multiple X509 env variables with the
    same name, but as a side effect caused these variables to pile up for
    each renegotiation.  The old code would simply overwrite the old variables
    (as long as an equally-long chain was used for the new session).
    
    To stop the variables from piling up, this commit removes any old X509
    env variables if we start negotiating a new TLS session.
    
    Trac: #854
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    ---
     src/openvpn/ssl.c        |  3 +++
     src/openvpn/ssl_verify.c | 17 +++++++++++++++++
     src/openvpn/ssl_verify.h |  3 +++
     3 files changed, 23 insertions(+)
    
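diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 401b8fd..1189f56 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2821,6 +2821,9 @@ tls_process(struct tls_multi *multi,
                                    session->opt->crl_file, session->opt->crl_file_inline);
             }
 
+            /* New connection, remove any old X509 env variables */
+            tls_x509_clear_env(session->opt->es);
+
             dmsg(D_TLS_DEBUG_MED, "STATE S_START");
         }
 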
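Review bot: The clear runs at S_START, before the new session's peer certificate has been verified, so from this call until the next successful verification the env_set carries no X509_ entries at all; a renegotiation that stalls or fails presumably leaves any script run in that window without them, since the env_set here appears to be shared with the still-active session. If that window matters, the alternative is to drop the stale X509_ entries immediately before the fresh ones are written in the verification path rather than at state entry. The call also assumes `session->opt->es` is non-NULL, which tls_x509_clear_env() dereferences without a check; a comment such as `/* opt->es is always set by the caller that built this session */` would make that assumption explicit if it holds. tls_process starts and ends outside the hunk.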
  • src/openvpn/ssl_verify.c

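diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 9f12ab8..a6e9be3 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1486,4 +1486,21 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
         gc_free(&gc);
     }
 }
+
+void
+tls_x509_clear_env(struct env_set *es)
+{
+    struct env_item *item = es->list;
+    while (item)
+    {
+        struct env_item *next = item->next;
+        if (item->string
+            && 0 == strncmp("X509_", item->string, strlen("X509_")))
+        {
+            env_set_del(es, item->string);
+        }
+        item = next;
+    }
+}
+
 #endif /* ENABLE_CRYPTO */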
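Review bot: The loop deletes through env_set_del() while walking the very list env_set_del() mutates, and nothing in the function records why that is safe: the call frees the node it removes, so `next` must be captured before it (it is), and it only removes `item` itself if the set never holds two entries with the same name, which I infer from env_set_del() taking a string rather than the node and cannot confirm from this hunk. A comment on the `next` line, e.g. `/* env_set_del() frees the matching node, so fetch the successor first; names are unique, so that node is 'item' */`, would keep a future edit from reordering these statements. The function also reads `es->list` before env_set_del() can assert on `es`, so a NULL set faults here rather than failing loudly; an `ASSERT(es);` at the top would match the caller-side contract. The `X509_` prefix is repeated in both strncmp arguments; a single `static const char prefix[] = "X509_";` with `sizeof(prefix) - 1` avoids the runtime strlen and the duplicated literal.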
  • src/openvpn/ssl_verify.h

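diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index ffab218..d91799e 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -238,6 +238,9 @@ tls_client_reason(struct tls_multi *multi)
 #endif
 }
 
+/** Remove any X509_ env variables from env_set es */
+void tls_x509_clear_env(struct env_set *es);
+
 #endif /* ENABLE_CRYPTO */
 
 #endif /* SSL_VERIFY_H_ */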