From patchwork Mon Oct 21 00:35:06 2019
X-Patchwork-Submitter: Santtu Lakkala
X-Patchwork-Id: 870
From: Santtu Lakkala
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 21 Oct 2019 14:35:06 +0300
Message-Id: <20191021113506.30377-1-santtu.lakkala@jolla.com>
X-Mailer: git-send-email 2.20.1
Subject: [Openvpn-devel] [PATCH] Fix OpenSSL private key passphrase notices

Clear error stack on successful certificate loading in tls_ctx_load_cert_file_and_copy() and handle errors also for PEM_read_bio_PrivateKey() call in tls_ctx_load_priv_file().

Due to certificate loading possibly leaking non-fatal errors on OpenSSL error stack, and some slight oversights in error handling, the >PASSWORD:Verification Failed: 'Private Key' line was never produced on the management channel for PEM formatted keys.

Signed-off-by: Santtu Lakkala
Acked-by: Steffan Karger
---
 src/openvpn/ssl_openssl.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 07916c3c..74c8fa65 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c @@ -921,6 +921,10 @@ end: crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file); } } + else + { + crypto_print_openssl_errors(M_DEBUG); + } if (in != NULL) { @@ -963,12 +967,7 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); - if (!pkey) - { - goto end; - } - - if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) + if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) { #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
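Review bot: In the first hunk (@@ -921,6 +921,10 @@), the new `else { crypto_print_openssl_errors(M_DEBUG); }` is there for its side effect of draining the OpenSSL error queue after a successful certificate load, not for the debug output, but nothing in the code says so; a one-line comment such as `/* drain non-fatal errors left by certificate loading so later ERR_peek_error() sees only new ones */` would keep a future cleanup from removing a call that looks like pure logging. The `else` also binds to the outer `if` whose condition sits above the visible context (the hunk shows two closing braces before it), so it is worth confirming that this is exactly the "certificate load failed" branch and that no other early-return path leaves the queue populated.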
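Review bot: In the second hunk (@@ -963,12 +967,7 @@), merging the checks into `if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))` means the error block is now entered with `pkey == NULL` whenever PEM_read_bio_PrivateKey() fails; the hunk ends before the rest of that block, so please confirm that nothing in it dereferences `pkey` (EVP_PKEY_free(NULL) is a no-op, so a free is fine, but any other use is not). The management check `ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT` reads the earliest queued error, so this hunk only reports a wrong passphrase correctly because the first hunk emptied the queue after certificate loading; that dependency between the two hunks deserves a sentence in the commit message or a comment next to the peek, since either hunk applied alone would silently regress the `>PASSWORD:Verification Failed: 'Private Key'` notice again.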