pppd: Fix SIGSEGV in EAP-TLS code when TLS verify method is not specified

Make sure the tls_verify_method variable has a default value. Also, fix up the
README.eap-tls documentation for the new options.

Fixes github issue #268.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>

diff --git a/README.eap-tls b/README.eap-tls
index bc1066ed0436db585c5561b8efab9a51437afc40..7895b2b2eaa15c53f70aeca06f52f7dd9c92d4b6 100644 (file)
--- a/README.eap-tls
+++ b/README.eap-tls
@@ -147,7 +147,9 @@ EAP-TLS authentication support for PPP
       max-tls-version <1.0|1.1|1.2 (default)|1.3>
         Specify the maximum TLS protocol version to negotiate with peers. Defaults
         to TLSv1.2 as the TLSv1.3 code is experimental.
-      verify-tls-peer <none|subject|name|suffix>
+      tls-verify-key-usage
+        Validate certificate purpose and extended key usage
+      tls-verify-method <none|subject|name|suffix>
         Compare the remotename against the subject, certificate name, or
         match by suffix. Default is 'name'.
 

diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
index 4759764ff206d0ca56312758d807c159d180bec0..5ac0efb473eedbe1c7bbecc5ee8d1c0d1a77362a 100644 (file)
--- a/pppd/eap-tls.c
+++ b/pppd/eap-tls.c
@@ -1206,7 +1206,10 @@ int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
          * If acting as client and the name of the server wasn't specified
          * explicitely, we can't verify the server authenticity 
          */
-        if (!ets->peer[0] || !strcmp(tls_verify_method, TLS_VERIFY_NONE)) {
+        if (!tls_verify_method)
+            tls_verify_method = TLS_VERIFY_NONE;
+
+        if (!ets->peer[0] || !strcmp(TLS_VERIFY_NONE, tls_verify_method)) {
             warn("Certificate verication disabled or no peer name was specified");
             return ok;
         }