[openvpn] Fix OpenSSL private key passphrase notices. Fixes JB#47348

sailfishos · Nov 1, 2019 · 112cace · 112cace
1 parent cc2dca3
commit 112cace
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/rpm/openvpn.spec b/rpm/openvpn.spec
@@ -7,6 +7,7 @@ License:    GPLv2
 URL:        http://openvpn.net/
 Source0:    http://swupdate.openvpn.org/community/releases/%{name}-%{version}.tar.xz
 Patch1:     tls-verify-command-disable.diff
+Patch2:     privatekey-passphrase-handling.diff
 Requires:   iproute
 Requires:   net-tools
 Requires(pre): /usr/sbin/useradd
@@ -39,6 +40,7 @@ Man page for %{name}.
 %prep
 %setup -q -n %{name}-%{version}/%{name}
 %patch1 -p1
+%patch2 -p1
 
 %build
 

diff --git a/rpm/privatekey-passphrase-handling.diff b/rpm/privatekey-passphrase-handling.diff
@@ -0,0 +1,46 @@
+commit 174c85fb469384f1c28b77cdd5a81946c0f19202
+Author: Santtu Lakkala <santtu.lakkala@jolla.com>
+Date:   Thu Oct 17 10:42:41 2019 +0300
+
+    Fix OpenSSL private key passphrase notices
+
+    Clear error stack on successful certificate loading in
+    tls_ctx_load_cert_file_and_copy() and handle errors also for
+    PEM_read_bio_PrivateKey() call in tls_ctx_load_priv_file().
+
+    Due to certificate loading possibly leaking non-fatal errors on OpenSSL
+    error stack, and some slight oversights in error handling, the
+
+    >PASSWORD:Verification Failed: 'Private Key'
+
+    line was never produced on the management channel for PEM formatted keys.
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index f23d2461..c8973992 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -857,6 +857,10 @@ end:
+             crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file);
+         }
+     }
++    else
++    {
++        crypto_print_openssl_errors(M_DEBUG);
++    }
+
+     if (in != NULL)
+     {
+@@ -910,12 +914,7 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
+     pkey = PEM_read_bio_PrivateKey(in, NULL,
+                                    SSL_CTX_get_default_passwd_cb(ctx->ctx),
+                                    SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
+-    if (!pkey)
+-    {
+-        goto end;
+-    }
+-
+-    if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
++    if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
+     {
+ #ifdef ENABLE_MANAGEMENT
+         if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))