
Don't throw fatal errors from verify_cert_export_cert()

As with create_temp_file(), this function is called on client connects
and should not cause fatal errors when I/O (possibly temporarily) fails.
Fix this and the openssl backend implementation of x509_write_pem() to
no longer throw fatal errors.

The callers of this function are already fixed in the commit that does
the same for create_temp_file().

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1514933571-4592-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16136.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2018/01/03 07:52:51
Showing 2 changed files
... ...
@@ -549,7 +549,7 @@ verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, stru
549 549
     if (!tmp_dir
550 550
         || !(peercert_filename = create_temp_file(tmp_dir, "pcf", gc)))
551 551
     {
552
-        msg (M_WARN, "Failed to create peer cert file");
552
+        msg(M_NONFATAL, "Failed to create peer cert file");
553 553
         return NULL;
554 554
     }
555 555
 
... ...
@@ -557,13 +557,16 @@ verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, stru
557 557
     peercert_file = fopen(peercert_filename, "w+");
558 558
     if (!peercert_file)
559 559
     {
560
-        msg(M_ERR, "Failed to open temporary file : %s", peercert_filename);
560
+        msg(M_NONFATAL|M_ERRNO, "Failed to open temporary file: %s",
561
+            peercert_filename);
561 562
         return NULL;
562 563
     }
563 564
 
564 565
     if (SUCCESS != x509_write_pem(peercert_file, peercert))
565 566
     {
566
-        msg(M_ERR, "Error writing PEM file containing certificate");
567
+        msg(M_NONFATAL, "Error writing PEM file containing certificate");
568
+        (void) platform_unlink(peercert_filename);
569
+        peercert_filename = NULL;
567 570
     }
568 571
 
569 572
     fclose(peercert_file);
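Review bot: On the write-failure branch the temp file is unlinked while `peercert_file` is still open, and the `fclose()` that follows is unchecked, so a flush error (for example a full disk) still returns the filename of a truncated certificate to the caller. Closing first and treating a non-zero `fclose()` as a write failure covers both; unlinking an open file can also fail on some platforms, and the `(void)` cast hides that. The `fopen()` failure branch returns without removing the file that `create_temp_file()` presumably created, which starts to matter now that the process keeps running; `(void) platform_unlink(peercert_filename);` before that `return NULL;` would avoid leaving files behind. The function begins before and continues after these hunks, so the final return is not visible here.

```c
    /* … unchanged: temp file creation and fopen() check … */

    bool written = (SUCCESS == x509_write_pem(peercert_file, peercert));

    /* Close before unlinking; buffered data is flushed here, so a failed
     * fclose() means the PEM on disk is incomplete. */
    if (fclose(peercert_file) != 0)
    {
        written = false;
    }

    if (!written)
    {
        msg(M_NONFATAL, "Error writing PEM file containing certificate");
        (void) platform_unlink(peercert_filename);
        peercert_filename = NULL;
    }
```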
... ...
@@ -767,7 +767,7 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
767 767
 {
768 768
     if (PEM_write_X509(peercert_file, peercert) < 0)
769 769
     {
770
-        msg(M_ERR, "Failed to write peer certificate in PEM format");
770
+        msg(M_NONFATAL, "Failed to write peer certificate in PEM format");
771 771
         return FAILURE;
772 772
     }
773 773
     return SUCCESS;
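Review bot: The failure test `PEM_write_X509(peercert_file, peercert) < 0` can never be true, because OpenSSL's PEM write routines return 1 on success and 0 on failure, so this function reports SUCCESS even when nothing was written. The new non-fatal handling in the caller is therefore not reached through this backend, and a missing or partial certificate file could be handed to whatever consumes the exported file. The condition should be `if (PEM_write_X509(peercert_file, peercert) != 1)`. The function's closing brace lies outside the hunk.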