From b84cd3d82e61aa185a871a4fc3362d63fc5e105e Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Wed, 8 Mar 2017 21:17:11 +0100
Subject: [PATCH] Remove duplicate X509 env variables
Commit 13b585e8 added support for multiple X509 env variables with the
same name, but as a side effect caused these variables to pile up for
each renegotiation. The old code would simply overwrite the old variables
(as long as an equally-long chain was used for the new session).
To stop the variables from piling up, this commit removes any old X509
env variables if we start negotiating a new TLS session.
Trac: #854
Signed-off-by: Steffan Karger <steffan@karger.me>
---
src/openvpn/ssl.c | 3 +++
src/openvpn/ssl_verify.c | 17 +++++++++++++++++
src/openvpn/ssl_verify.h | 3 +++
3 files changed, 23 insertions(+)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 401b8fd..1189f56 100644
|
a
|
b
|
tls_process(struct tls_multi *multi, |
| 2821 | 2821 | session->opt->crl_file, session->opt->crl_file_inline); |
| 2822 | 2822 | } |
| 2823 | 2823 | |
| | 2824 | /* New connection, remove any old X509 env variables */ |
| | 2825 | tls_x509_clear_env(session->opt->es); |
| | 2826 | |
| 2824 | 2827 | dmsg(D_TLS_DEBUG_MED, "STATE S_START"); |
| 2825 | 2828 | } |
| 2826 | 2829 | |
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 9f12ab8..a6e9be3 100644
|
a
|
b
|
verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) |
| 1486 | 1486 | gc_free(&gc); |
| 1487 | 1487 | } |
| 1488 | 1488 | } |
| | 1489 | |
| | 1490 | void |
| | 1491 | tls_x509_clear_env(struct env_set *es) |
| | 1492 | { |
| | 1493 | struct env_item *item = es->list; |
| | 1494 | while (item) |
| | 1495 | { |
| | 1496 | struct env_item *next = item->next; |
| | 1497 | if (item->string |
| | 1498 | && 0 == strncmp("X509_", item->string, strlen("X509_"))) |
| | 1499 | { |
| | 1500 | env_set_del(es, item->string); |
| | 1501 | } |
| | 1502 | item = next; |
| | 1503 | } |
| | 1504 | } |
| | 1505 | |
| 1489 | 1506 | #endif /* ENABLE_CRYPTO */ |
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index ffab218..d91799e 100644
|
a
|
b
|
tls_client_reason(struct tls_multi *multi) |
| 238 | 238 | #endif |
| 239 | 239 | } |
| 240 | 240 | |
| | 241 | /** Remove any X509_ env variables from env_set es */ |
| | 242 | void tls_x509_clear_env(struct env_set *es); |
| | 243 | |
| 241 | 244 | #endif /* ENABLE_CRYPTO */ |
| 242 | 245 | |
| 243 | 246 | #endif /* SSL_VERIFY_H_ */ |
