From fd6fe82606e84a9b9174bbc02425b27e2ed58001 Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Thu, 16 Oct 2014 09:58:01 +0200
Subject: [PATCH] Fix unauthenticated TLS connections refs #7244
---
lib/base/tlsstream.cpp | 5 +++--
lib/cli/pkisigncsrcommand.cpp | 5 +++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp
index 9082a0f05..b70e18cd6 100644
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -36,7 +36,7 @@ bool I2_EXPORT TlsStream::m_SSLIndexInitialized = false;
 * @param sslContext The SSL context for the client.
 */
 TlsStream::TlsStream(const Socket::Ptr& socket, ConnectionRole role, const shared_ptr& sslContext)
- : m_Eof(false), m_Socket(socket), m_Role(role), m_VerifyOK(false)
+ : m_Eof(false), m_Socket(socket), m_Role(role), m_VerifyOK(true)
 {
 std::ostringstream msgbuf;
 char errbuf[120];
@@ -75,7 +75,8 @@ int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
 {
 SSL *ssl = static_cast(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
 TlsStream *stream = static_cast(SSL_get_ex_data(ssl, m_SSLIndex));
- stream->m_VerifyOK = preverify_ok;
+ if (!preverify_ok)
+ stream->m_VerifyOK = false;
 return 1;
 }
diff --git a/lib/cli/pkisigncsrcommand.cpp b/lib/cli/pkisigncsrcommand.cpp
index f18d79dd8..2019c9828 100644
--- a/lib/cli/pkisigncsrcommand.cpp
+++ b/lib/cli/pkisigncsrcommand.cpp
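Review bot: Initialising `m_VerifyOK(true)` in the TlsStream constructor makes the flag fail-open: it stays true whenever ValidateCertificate is never invoked, for instance when the peer sends no certificate at all (whether that can happen depends on the verify mode, which is set outside this hunk). A safer shape keeps the default at `false` and derives the result once the handshake has finished, from `SSL_get_verify_result(...) == X509_V_OK` combined with a non-null `SSL_get_peer_certificate(...)`, because `SSL_get_verify_result` also reports `X509_V_OK` when no certificate was presented. If the sticky-false approach stays, the member should carry a comment such as `// true until any chain element fails verification; callers must also require a peer certificate`. The constructor body continues past the end of the hunk.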
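Review bot: ValidateCertificate still returns 1 unconditionally, so a handshake with an unverifiable peer completes and the only trace of the failure is `m_VerifyOK`; nothing in the hunk records why verification failed. Capturing `X509_STORE_CTX_get_error(ctx)` and `X509_STORE_CTX_get_error_depth(ctx)` inside the `if (!preverify_ok)` branch (logged or stored on the stream) would let operators tell an expired certificate from an untrusted issuer when a connection is later refused. A comment above `return 1;` such as `// never abort the handshake here; every consumer must check m_VerifyOK before trusting the peer` would document the contract. `stream` is also dereferenced without a null check, which relies on the ex_data slot having been set before the handshake starts (not visible here).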
@@ -119,16 +119,21 @@ int PKISignCSRCommand::Run(const boost::program_options::variables_map& vm, cons X509 *cert = CreateCert(pubkey, X509_REQ_get_subject_name(req), X509_get_subject_name(cacert), privkey, false); + EVP_PKEY_free(pubkey); X509_free(cacert); BIO *certbio = BIO_new_fp(stdout, BIO_NOCLOSE); if (!PEM_write_bio_X509(certbio, cert)) { + BIO_free(certbio); + msgbuf << "Could not write X509 certificate: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\""; Log(LogCritical, "SSL", msgbuf.str()); return 1; } + X509_free(cert); + BIO_free(certbio); return 0; -- 2.40.0
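Review bot: The failure branch of `PEM_write_bio_X509` now frees `certbio` but still returns without releasing `cert`, so the X509 object leaks on that path; adding `X509_free(cert);` next to the new `BIO_free(certbio);` would make both exits symmetric. The results of `CreateCert(...)` and `BIO_new_fp(stdout, BIO_NOCLOSE)` are also used without a null check in the visible lines, so a signing or allocation failure would reach `PEM_write_bio_X509` with a null argument. Run() begins outside this hunk, so an earlier guard may exist that is not shown.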