Hi, This one applies cleanly on top of master.
On Mon, Apr 2, 2018 at 7:44 AM, Steffan Karger <stef...@karger.me> wrote: > > Check the return values of management_query_cert() and > tls_ctx_use_external_private_key(), and error out with a more descriptive > error message. To do so, we make the openssl-backed implementation of > tls_ctx_use_external_private_key() not throw fatal error anymore. > > (And fix line wrapping while touching this code.) > > Signed-off-by: Steffan Karger <stef...@karger.me> > --- > v2: error out with M_FATAL as suggested by Selva. > v3: rebase on master (without extra patches) > > src/openvpn/ssl.c | 28 ++++++++++++++++++++-------- > src/openvpn/ssl_openssl.c | 2 +- > 2 files changed, 21 insertions(+), 9 deletions(-) > > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 669f941b..b06820ba 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -660,18 +660,30 @@ init_ssl(const struct options *options, struct > tls_root_ctx *new_ctx) > else if ((options->management_flags & MF_EXTERNAL_KEY) > && (options->cert_file || options->management_flags & > MF_EXTERNAL_CERT)) > { > - if (options->cert_file) > + if (options->cert_file > + && 0 != tls_ctx_use_external_private_key(new_ctx, > + options->cert_file, > + > options->cert_file_inline)) > { > - tls_ctx_use_external_private_key(new_ctx, options->cert_file, > - options->cert_file_inline); > + msg(M_FATAL, "Failed to initialize management-external-key"); > } > else But I can't believe I missed this in the last round. This else clause will now get executed not only if options->cert_file is false, but also if its true and the call to tls_ctx_use_external_private_key() succeeds! That would be wrong and is not what we want. > > { > - char *external_certificate = management_query_cert(management, > - > options->management_certificate); > - tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG, > - external_certificate); > - free(external_certificate); > + char *external_cert = management_query_cert( > + management, options->management_certificate); > + > > + if (!external_cert) > + { > + msg(M_FATAL, "Failed to initialize > management-external-cert"); > + } > + > + if (0 != tls_ctx_use_external_private_key(new_ctx, > INLINE_FILE_TAG, > + external_cert)) > + { > + msg(M_FATAL, "Failed to initialize management-external-key"); > + } > + > + free(external_cert); > } > } > #endif > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 8ef68ebd..4d434fa2 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -1330,7 +1330,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx > *ctx, > return 0; > > err: > - crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); > + crypto_msg(M_WARN, "Cannot enable SSL external private key capability"); > return 1; > } Selva ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel