Hi,

On Sun, Feb 28, 2010 at 02:59:42PM +0100, David Sommerseth wrote:
> It should be nice to enhance tls-verify check possibilities against peer
> cert during a pending TLS connection like:
> - OCSP verification
> - check any X509 extensions of the peer certificate
> - delta CRL verification
> - ...
semi-ACK. In general, I think this is useful. Most of the code is fine, but I spotted a potential issue:

> @@ -896,6 +950,12 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) > argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command"); > ret = openvpn_execve (&argv, opt->es, S_SCRIPT); > > + if (opt->verify_export_cert) > + { > + delete_file(tmp_file); > + gc_free(&gc); > + } > + > if (system_ok (ret)) > { > msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",

tmp_file *could* be NULL here (unlikely, but possible). So maybe this should read:

> @@ -896,6 +950,12 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) > argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command"); > ret = openvpn_execve (&argv, opt->es, S_SCRIPT); > > + if (opt->verify_export_cert) > + { > + if (tmp_file != NULL) delete_file(tmp_file); > + gc_free(&gc); > + } > + > if (system_ok (ret)) > { > msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",

... instead.

"delete_file()" is one of the few functions that do not check their argument for "is not NULL", so it's passed unchanged to unlink(), which might cause issues on some platforms.

(Don't put the tmp_file condition into the surrounding if(), as it would then skip the call to gc_free() as well).

With that change, and a manpage documentation of the new option, ACK.

gert
-- 
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
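Review bot: delete_file(tmp_file) in the first `+` block runs with no NULL check, and nothing in the hunk shows that tmp_file is always set whenever opt->verify_export_cert is true; guard it as `if (tmp_file != NULL) delete_file(tmp_file);` and keep `gc_free(&gc);` outside that guard so the arena is released on both paths. The hunk also shows only where the exported certificate file is removed, not how it is created; since that file carries the peer certificate, the creation site should be confirmed to use a unique name and owner-only permissions.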