From f1a34da3b2f5336e4993a729e5ac2130d0e0595a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Eivind=20N=C3=A6ss?=
Date: Sun, 11 Apr 2021 16:31:02 -0700
Subject: [PATCH] pppd: Fix SIGSEGV in EAP-TLS code when TLS verify method is not specified

Make sure the tls_verify_method variable has a default value. Also, fix up the README.eap-tls documentation for the new options.
Fixes github issue #268.
Signed-off-by: Eivind Naess
---
 README.eap-tls | 4 +++-
 pppd/eap-tls.c | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/README.eap-tls b/README.eap-tls
index bc1066e..7895b2b 100644
--- a/README.eap-tls
+++ b/README.eap-tls
@@ -147,7 +147,9 @@ EAP-TLS authentication support for PPP
 max-tls-version <1.0|1.1|1.2 (default)|1.3>
 Specify the maximum TLS protocol version to negotiate with peers.
 Defaults to TLSv1.2 as the TLSv1.3 code is experimental.
- verify-tls-peer
+ tls-verify-key-usage
+ Validate certificate purpose and extended key usage
+ tls-verify-method
 Compare the remotename against the subject, certificate name, or match by suffix. Default is 'name'.
diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
index 4759764..5ac0efb 100644
--- a/pppd/eap-tls.c
+++ b/pppd/eap-tls.c
@@ -1206,7 +1206,10 @@ int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
 * If acting as client and the name of the server wasn't specified
 * explicitely, we can't verify the server authenticity
 */
- if (!ets->peer[0] || !strcmp(tls_verify_method, TLS_VERIFY_NONE)) {
+ if (!tls_verify_method)
+ tls_verify_method = TLS_VERIFY_NONE;
+
+ if (!ets->peer[0] || !strcmp(TLS_VERIFY_NONE, tls_verify_method)) {
 warn("Certificate verication disabled or no peer name was specified");
 return ok;
 }
-- 
2.39.2
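Review bot: The default is applied lazily inside ssl_verify_callback, so tls_verify_method is still NULL on any path that reads it before this callback runs, and the callback now mutates a global as a side effect of a certificate check; the intended default belongs on the variable's definition (not visible in this hunk), e.g. `char *tls_verify_method = TLS_VERIFY_NONE;`, which leaves this site as a plain comparison. The README hunk on this page documents tls-verify-method as "Default is 'name'", while this fallback makes the effective default none, meaning peer-name matching is silently skipped whenever the option is absent; one of the two should change so that the documented default is the one actually enforced. If the option table already initializes the variable to "name", the NULL guard here is redundant, but whether it does cannot be seen from the hunk. Swapping the strcmp operands does not change behaviour and could be left out to keep the diff minimal. ssl_verify_callback starts and ends outside the hunk.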