From patchwork Tue Jan 2 11:52:51 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 166
Resent-From: Antonio Quartulli
Resent-To: patchwork@openvpn.net
Resent-Date: Thu, 4 Jan 2018 22:33:33 +0800
From: Steffan Karger
Date: Tue, 2 Jan 2018 23:52:51 +0100
Message-ID: <1514933571-4592-1-git-send-email-steffan.karger@fox-it.com>
Subject: [Openvpn-devel] [PATCH v3] Don't throw fatal errors from verify_cert_export_cert()
X-BeenThere: openvpn-devel@lists.sourceforge.net

As with create_temp_file(), this function is called on client connects and
should not cause fatal errors when I/O (possibly temporarily) fails. Fix this
and the openssl backend implementation of x509_write_pem() to no longer throw
fatal errors.

The callers of this function are already fixed in the commit that does the
same for create_temp_file().

Signed-off-by: Steffan Karger
Acked-by: Selva Nair
---
v2: Use M_NONFATAL (instead of M_WARN/M_ERRNO), as suggested by Selva.
v3: Also fix x509_write_pem and unlink file on write error, per Selva too.

 src/openvpn/ssl_verify.c         | 9 ++++++---
 src/openvpn/ssl_verify_openssl.c | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index ebb1da2..5ae4fbb 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -549,7 +549,7 @@ verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, stru if (!tmp_dir || !(peercert_filename = create_temp_file(tmp_dir, "pcf", gc))) { - msg (M_WARN, "Failed to create peer cert file"); + msg(M_NONFATAL, "Failed to create peer cert file"); return NULL; } @@ -557,13 +557,16 @@ verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, stru peercert_file = fopen(peercert_filename, "w+"); if (!peercert_file) { - msg(M_ERR, "Failed to open temporary file : %s", peercert_filename); + msg(M_NONFATAL|M_ERRNO, "Failed to open temporary file: %s", + peercert_filename); return NULL; } if (SUCCESS != x509_write_pem(peercert_file, peercert)) { - msg(M_ERR, "Error writing PEM file containing certificate"); + msg(M_NONFATAL, "Error writing PEM file containing certificate"); + (void) platform_unlink(peercert_filename); + peercert_filename = NULL; } fclose(peercert_file); diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 02850fc..238292f 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -767,7 +767,7 @@ x509_write_pem(FILE *peercert_file, X509 *peercert) { if (PEM_write_X509(peercert_file, peercert) < 0) { - msg(M_ERR, "Failed to write peer certificate in PEM format"); + msg(M_NONFATAL, "Failed to write peer certificate in PEM format"); return FAILURE; } return SUCCESS;
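Review bot: In the first ssl_verify.c hunk (@@ -549), the "Failed to create peer cert file" message now fires for two different conditions, `!tmp_dir` (no temporary directory configured, not an I/O failure) and a genuine `create_temp_file()` failure; since the point of the series is to make transient I/O failures survivable, it would help operators to log these separately, e.g. keep M_NONFATAL for the create failure and a distinct message for the missing `tmp_dir`. The switch from M_WARN to M_NONFATAL itself is fine and makes the severity consistent with the other two sites in this function, though M_WARN was already non-fatal, so the changelog could say this hunk is for consistency rather than a fatal-error fix.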
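Review bot: In the second ssl_verify.c hunk (@@ -557), `platform_unlink(peercert_filename)` is called while `peercert_file` is still open and `fclose(peercert_file)` only runs afterwards; on Windows the open handle from fopen() will make the delete fail, so the partially written temporary file stays behind exactly in the error case this hunk is meant to clean up. Suggest closing before unlinking, e.g. moving `fclose(peercert_file);` into the error branch ahead of `(void) platform_unlink(peercert_filename);` (and returning NULL there), or closing unconditionally before the unlink. Discarding the unlink result with `(void)` also hides a failed cleanup; a `msg(M_WARN|M_ERRNO, ...)` on failure would at least tell the operator that a stale peer-cert file was left in `tmp_dir`.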
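Review bot: In the ssl_verify_openssl.c hunk (@@ -767), the condition `PEM_write_X509(peercert_file, peercert) < 0` never takes the error branch: PEM_write_X509() returns 1 on success and 0 on failure, never a negative value, so a failed write still returns SUCCESS to verify_cert_export_cert() and the new unlink-on-write-error path in the caller is unreachable. The check should be `if (!PEM_write_X509(peercert_file, peercert))` (or `!= 1`). The severity change to M_NONFATAL is right for this call site; since the failure comes from OpenSSL rather than errno, consider also dumping the OpenSSL error queue so the cause of the failed write is visible in the log.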