On 13-07-15 21:10, Gert Doering wrote:
With the --daemon / SSL init reordering in da9b292733, we fail if we
daemonize first and then try to ask for a private key passphrase (or,
for that matter, username+password if --auth-nocache is set) - but
no meaningful error message was printed, instead depending on operating
system and library versions, either we looped around "ssl init failed"
or died with an unspecified "fatal error".

So: check if get_user_pass_cr() is called in a context that needs
"from_stdin", but both stdin and stderr are not connected to a tty
device (which getpass() needs).  In that case, print a meaningful
error message pointing to --askpass, and die.

Trac #574 and #576

Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
  src/openvpn/misc.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 4fdbf17..c4438b6 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1056,6 +1056,10 @@ get_user_pass_cr (struct user_pass *up,
         */
        else if (from_stdin)
        {
+         /* did we --daemon'ize before asking for passwords? */
+         if ( !isatty(0) && !isatty(2) )
+           { msg(M_FATAL, "neither stdin nor stderr are a tty device, can't ask for 
%s password.  If you used --daemon, you need to use --askpass to make 
passphrase-protected keys work, and you can not use --auth-nocache.", prefix ); }
+
  #ifdef ENABLE_CLIENT_CR
          if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
            {
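Review bot: the guard on the `+         if ( !isatty(0) && !isatty(2) )` line only refuses when both descriptors are non-ttys, so a process whose stdin is redirected but whose stderr is still a terminal (or the reverse) passes the check and falls through to the same opaque "ssl init failed"/"fatal error" path the commit message describes; consider checking exactly the descriptor the prompt will read from, or documenting why either one sufficing is intended. Two smaller points on the same lines: `STDIN_FILENO`/`STDERR_FILENO` read better than the bare `0` and `2`, and the M_FATAL text should say "neither stdin nor stderr is a tty device" ("neither ... nor" takes a singular verb). The wrapped `%s password.  If you used --daemon, ...` continuation lines look like mail-client line wrapping of one string literal; worth confirming the patch applies cleanly as sent.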


ACK

-Steffan
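The check described in the commit message, written out as a small stand-alone C example (added here for illustration; this is not OpenVPN's code, and `prompt_status_for`, `format_no_tty_error` and `open_devnull` are names chosen for this example). The point it demonstrates is the ordering: decide whether a prompt can reach a terminal before daemonizing or blocking on getpass(), and emit an actionable message instead of an unspecified fatal error.

```c
/* Added example, not OpenVPN code: refuse to prompt for a secret when no
 * terminal is available, and say why.  A --daemon'ized process has
 * detached from its controlling terminal, so fds 0 and 2 are no longer
 * ttys and a getpass()-style prompt cannot reach the user. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum prompt_status {
    PROMPT_OK,      /* at least one descriptor is a terminal */
    PROMPT_NO_TTY   /* neither descriptor is a terminal: prompting would fail */
};

/* Same guard as the patch: only refuse when both the input descriptor and
 * the descriptor the prompt text is written to are non-ttys. */
enum prompt_status prompt_status_for(int in_fd, int err_fd)
{
    if (!isatty(in_fd) && !isatty(err_fd))
        return PROMPT_NO_TTY;
    return PROMPT_OK;
}

/* The diagnostic to print instead of a bare "fatal error".  `what` names
 * the credential being asked for (e.g. "Private Key").  Returns the number
 * of characters snprintf would have written, like snprintf itself. */
int format_no_tty_error(char *buf, size_t buflen, const char *what)
{
    return snprintf(buf, buflen,
        "neither stdin nor stderr is a tty device, can't ask for %s password. "
        "If you used --daemon, you need to use --askpass to make "
        "passphrase-protected keys work, and you can not use --auth-nocache.",
        what);
}

/* Self-check used by the test: the message fits a reasonable buffer and
 * points the user at the remedy (--askpass) and the credential name. */
int no_tty_error_is_actionable(const char *what)
{
    char buf[256];
    int n = format_no_tty_error(buf, sizeof buf, what);
    if (n <= 0 || (size_t)n >= sizeof buf)
        return 0;
    return strstr(buf, "--askpass") != NULL && strstr(buf, what) != NULL;
}

/* A descriptor that is guaranteed not to be a terminal, for tests and the
 * stand-alone demo below. */
int open_devnull(void)
{
    return open("/dev/null", O_RDONLY);
}

/* Stand-alone demo: run the check on the real stdin/stderr, then on
 * /dev/null to show the refusal path.  Run it with stdin redirected from a
 * file and stderr sent to a file to see the refusal on the real fds too. */
int main(void)
{
    char buf[256];
    int fd = open_devnull();

    if (prompt_status_for(STDIN_FILENO, STDERR_FILENO) == PROMPT_OK)
        printf("real fds: prompting is possible\n");
    else {
        format_no_tty_error(buf, sizeof buf, "Private Key");
        printf("real fds: %s\n", buf);
    }

    if (prompt_status_for(fd, fd) == PROMPT_NO_TTY) {
        format_no_tty_error(buf, sizeof buf, "Private Key");
        printf("/dev/null: %s\n", buf);
    }
    close(fd);
    return 0;
}
```

In a real program the check belongs before the call that detaches from the terminal, so the process can still report the problem on the terminal the user started it from; once daemonized, only the log remains.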
