Remove duplicate X509 env variables

Commit 13b585e added support for multiple X509 env variables with the
same name, but as a side effect caused these variables to pile up for
each renegotiation.  The old code would simply overwrite the old variables
(as long as an equally-long chain was used for the new session).

To stop the variables from piling up, this commit removes any old X509
env variables if we start negotiating a new TLS session.

Trac: #854

Signed-off-by: Steffan Karger <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg14237.html
Signed-off-by: Gert Doering <[email protected]>

src/openvpn/ssl.c

@@ -2822,6 +2822,9 @@ tls_process(struct tls_multi *multi,
                                    session->opt->crl_file, session->opt->crl_file_inline);
             }
 
+            /* New connection, remove any old X509 env variables */
+            tls_x509_clear_env(session->opt->es);
+
             dmsg(D_TLS_DEBUG_MED, "STATE S_START");
         }
 

src/openvpn/ssl_verify.c

@@ -1486,4 +1486,21 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
         gc_free(&gc);
     }
 }
+
+void
+tls_x509_clear_env(struct env_set *es)
+{
+    struct env_item *item = es->list;
+    while (item)
+    {
+        struct env_item *next = item->next;
+        if (item->string
+            && 0 == strncmp("X509_", item->string, strlen("X509_")))
+        {
+            env_set_del(es, item->string);
+        }
+        item = next;
+    }
+}
+
 #endif /* ENABLE_CRYPTO */

src/openvpn/ssl_verify.h

@@ -238,6 +238,9 @@ tls_client_reason(struct tls_multi *multi)
 #endif
 }
 
+/** Remove any X509_ env variables from env_set es */
+void tls_x509_clear_env(struct env_set *es);
+
 #endif /* ENABLE_CRYPTO */
 
 #endif /* SSL_VERIFY_H_ */