authorAdriaan de Jong <dejong@fox-it.com>2011-07-28 19:53:44 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 18:02:08 +0200
commitc94eff3c2fe2f1ae85159294ce89f80d676f8c36 (patch)
tree0f16d21ba9a4f4cf9e6a2cb5e2771e8f01f38149
parent62242ed28d4cb3adec4edd6c39c6ed3f1c50cb37 (diff)
Added back checks for ks->authenticated in verify_user_pass
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl_verify.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl_verify.c b/ssl_verify.c
index 8a9dc74..0ce5dda 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -1183,12 +1183,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
void
verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
{
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+
/* While it shouldn't really happen, don't allow the common name to be NULL */
if (!session->common_name)
set_common_name (session, "");
/* Don't allow the CN to change once it's been locked */
- if (multi->locked_cn)
+ if (ks->authenticated && multi->locked_cn)
{
const char *cn = session->common_name;
if (cn && strcmp (cn, multi->locked_cn))
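Review bot: The new `ks->authenticated &&` guard on the locked-CN check, and the same guard on the cert-hash and client-config-dir checks in the two later hunks, means all three lock checks are skipped whenever the primary key is not yet marked authenticated, and nothing in the function records that ordering requirement. If any caller or later step could set `ks->authenticated` to true after verify_final_auth_checks returns, a session presenting a different common name or certificate would presumably never be compared against `multi->locked_cn` or `multi->locked_cert_hash_set`. I would replace the `/* primary key */` comment on the new declaration with one that states the contract, for example `/* lock checks below are skipped for unauthenticated keys; ks->authenticated must not be set to true after this function returns */`. The function body continues outside the hunk, so what the mismatch branches do to the flag cannot be confirmed from the lines shown.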
@@ -1204,7 +1206,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
}
/* Don't allow the cert hashes to change once they have been locked */
- if (multi->locked_cert_hash_set)
+ if (ks->authenticated && multi->locked_cert_hash_set)
{
const struct cert_hash_set *chs = session->cert_hash_set;
if (chs && !cert_hash_compare (chs, multi->locked_cert_hash_set))
@@ -1218,9 +1220,8 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
}
/* verify --client-config-dir based authentication */
- if (session->opt->client_config_dir_exclusive)
+ if (ks->authenticated && session->opt->client_config_dir_exclusive)
{
- struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
struct gc_arena gc = gc_new ();
const char *cn = session->common_name;