Attention is currently required from: flichtenheld.

Hello flichtenheld, 

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/487?usp=email

to look at the new patch set (#2).


Change subject: Keep exported certificate files for following calls
......................................................................

Keep exported certificate files for following calls

Since the lifetime of environment variables is quite different, we
need to tie the lifetime of these files to their environment variables
which in turn requires a special function to be called on the removal
of these env variables.

Change-Id: Ic494d43c835220ae71f10e3afbe53db918887370
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
M doc/man-sections/script-options.rst
M src/openvpn/ssl_verify.c
2 files changed, 44 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/487/2

diff --git a/doc/man-sections/script-options.rst 
b/doc/man-sections/script-options.rst
index e05100a..32943d2 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -424,7 +424,8 @@
   parameters passed as environmental variables.

 --tls-export-cert dir
-  Adds an environment variable ``peer_cert`` when calling the
+  Adds an environment variable ``peer_cert_{x}`` (and an alias
+  ``peer_cert`` for the current certificate depth) when calling the
   ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin
   hook to verify the certificate.
 
@@ -777,6 +778,11 @@
     the path to the current peer certificate to be verified in PEM format.
     See also the argument certificate_depth to the ``--tls-verify`` command.

+:code:`peer_cert_{n}`
+    If the option ``--tls-export-cert`` is enabled, this option contains
+    the path to the current peer certificate to be verified in PEM format
+    where ``n`` is the verification level.
+
 :code:`proto`
     The ``--proto`` parameter. Set on program initiation and reset on
     SIGHUP.
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 55b3cf0..de0d59c 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -39,6 +39,7 @@
 #include "run_command.h"
 #include "ssl_verify.h"
 #include "ssl_verify_backend.h"
+#include "platform.h"

 #ifdef ENABLE_CRYPTO_OPENSSL
 #include "ssl_verify_openssl.h"
@@ -459,24 +460,45 @@
 }
 
 /**
+ * Unlinks a file specified by in the env item that has the form
+ * key=filename.
+ */
+static void
+unlink_file_env(struct env_item *env)
+{
+    /* values in env are always x=y */
+    const char *filename = strchr(env->string, '=');
+    ASSERT(filename);
+
+    /* Move just past the = */
+    filename += 1;
+
+    platform_unlink((const char *) filename);
+}
+
+/**
  * Exports the certificate in \c peer_cert into the environment and adds
  * the filname
  */
 static bool
-verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert,
-                            const char *pem_export_fname)
+verify_cert_cert_export_env(const struct tls_options *opt,
+                            openvpn_x509_cert_t *peer_cert, int cert_depth)
 {
-    /* export the path to the current certificate in pem file format */
-    setenv_str(es, "peer_cert", pem_export_fname);
+    struct gc_arena gc = gc_new();
+    const char *pem_export_filename = 
platform_create_temp_file(opt->export_peer_cert_dir,
+                                                                "pef", &gc);
+    char envstr[128];

-    return backend_x509_write_pem(peer_cert, pem_export_fname) == SUCCESS;
-}
+    /* export the path to the certificate in pem file format */
+    openvpn_snprintf(envstr, sizeof(envstr), "peer_cert_%d=%s", cert_depth,
+                     pem_export_filename);
+    setenv_str(opt->es, envstr, pem_export_filename);
+    env_set_add_specialfree(opt->es, envstr, &unlink_file_env);

-static void
-verify_cert_cert_delete_env(struct env_set *es, const char *pem_export_fname)
-{
-    env_set_del(es, "peer_cert");
-    unlink(pem_export_fname);
+    /* compatibility with older scripts/plugins that expect peer_cert without
+     * suffix */
+    setenv_str(opt->es, "peer_cert", pem_export_filename);
+    return backend_x509_write_pem(peer_cert, pem_export_filename) == SUCCESS;
 }

 /*
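Review bot: `setenv_str(opt->es, envstr, pem_export_filename)` right after the snprintf passes `envstr`, which already holds `peer_cert_N=<path>`, while every other setenv_str call on this page (the removed `setenv_str(es, "peer_cert", ...)` and the alias call a few lines below) passes a bare variable name; if setenv_str composes name=value itself, the stored entry is not `peer_cert_N=<path>` and `unlink_file_env` will later pass a string that is not the temp file's path to platform_unlink, so the exported certificate stays on disk. The NULL check on `platform_create_temp_file` that the old caller had (dropped in the @@ -731 hunk) has no counterpart here, so a failed temp-file creation reaches the `%s` format and setenv_str with NULL. The `gc` created at the top of the function is never released; `gc_free(&gc)` should run on every exit, which is safe only if setenv_str copies the path into the env set (verify). `envstr[128]` is also short for an arbitrary `--tls-export-cert` directory, and a truncated entry would silently record a wrong path for the later unlink. The rewrite below keeps only the bare name in the buffer (so it cannot truncate), checks the temp file, and frees the arena; whether env_set_add_specialfree expects the name or the full entry is not visible here and must be checked against its definition.
```c
static bool
verify_cert_cert_export_env(const struct tls_options *opt,
                            openvpn_x509_cert_t *peer_cert, int cert_depth)
{
    struct gc_arena gc = gc_new();
    bool ret = false;
    const char *pem_export_filename =
        platform_create_temp_file(opt->export_peer_cert_dir, "pef", &gc);
    /* bare variable name only; setenv_str() builds the name=value entry */
    char envname[32];

    if (!pem_export_filename)
    {
        goto done;    /* caller logs the failure */
    }

    openvpn_snprintf(envname, sizeof(envname), "peer_cert_%d", cert_depth);
    setenv_str(opt->es, envname, pem_export_filename);
    /* key must match the entry stored above -- confirm whether
     * env_set_add_specialfree() expects the name or the full string */
    env_set_add_specialfree(opt->es, envname, &unlink_file_env);

    /* … unchanged: legacy "peer_cert" alias … */
    ret = backend_x509_write_pem(peer_cert, pem_export_filename) == SUCCESS;

done:
    gc_free(&gc);    /* assumes setenv_str() copied the path -- confirm */
    return ret;
}
```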
@@ -598,7 +620,6 @@
      * them defined */
     result_t ret = FAILURE;
     struct gc_arena gc = gc_new();
-    const char *pem_export_fname = NULL;

     const struct tls_options *opt = session->opt;
     ASSERT(opt);
@@ -731,11 +752,7 @@

     if (opt->export_peer_cert_dir)
     {
-        pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir,
-                                                     "pef", &gc);
-
-        if (!pem_export_fname
-            || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname))
+        if (!verify_cert_cert_export_env(opt, cert, cert_depth))
         {
             msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for "
                 "--tls-export-cert in %s", opt->export_peer_cert_dir);
@@ -793,7 +810,9 @@
     ret = SUCCESS;

 cleanup:
-    verify_cert_cert_delete_env(opt->es, pem_export_fname);
+    /* delete the variable for the current depth if present as it does not make
+     * sense going forward in other calls of other scripts */
+    env_set_del(opt->es, "peer_cert");
     if (ret != SUCCESS)
     {
         tls_clear_error(); /* always? */
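Review bot: The comment added above `env_set_del(opt->es, "peer_cert")` says it deletes "the variable for the current depth", but the line deletes the unsuffixed `peer_cert` alias; the depth-suffixed `peer_cert_<n>` entry (and, per the commit message, the file it names) deliberately survives this call. Suggest `/* drop the unsuffixed peer_cert alias: it is only meaningful for this call; peer_cert_<depth> (and its file) stays until the env set removes it */` so the next reader does not look for a missing per-depth deletion here. The enclosing function starts outside this hunk.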

--

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic494d43c835220ae71f10e3afbe53db918887370
Gerrit-Change-Number: 487
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newpatchset