| field | value |
|---|---|
| author | varmojfekoj <theinric@redhat.com>, 2008-07-15 09:02:37 +0200 |
| committer | Rainer Gerhards <rgerhards@adiscon.com>, 2008-07-15 09:02:37 +0200 |
| commit | 38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8 |
| tree | ccf08154d338553997527590d0a2bcbf0f1c6e92 |
| parent | 3f6dc12596367d7e754ffc37efe8ba2d9833969b |
bugfix (cosmetical): authorization was not checked when gtls handshake completed immediately.
While this sounds scary, the situation can not
happen in practice. We use non-blocking IO only for server-based gtls
session setup. As TLS requires the exchange of multiple frames before
the handshake completes, it simply is impossible to do this in one
step. However, it is useful to have the code path correct even for
this case - otherwise, we may run into problems if the code is changed
some time later (e.g. to use blocking sockets).
Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | ChangeLog | 9 |
| -rw-r--r-- | runtime/nsd_gtls.c | 5 |

2 files changed, 13 insertions, 1 deletions
@@ -10,6 +10,15 @@ Version 3.19.10 (rgerhards), 2008-07-?? is just a simple addition of faciltity and severity). I have changed this to use own, consistent, code for PRI calculation. Thank to HKS for reporting this bug. +- bugfix (cosmetical): authorization was not checked when gtls handshake + completed immediately. While this sounds scary, the situation can not + happen in practice. We use non-blocking IO only for server-based gtls + session setup. As TLS requires the exchange of multiple frames before + the handshake completes, it simply is impossible to do this in one + step. However, it is useful to have the code path correct even for + this case - otherwise, we may run into problems if the code is changed + some time later (e.g. to use blocking sockets). Thanks to varmojfekoj + for providing the patch. - important queue bugfix from 3.18.1 imported (see below) - cleanup of some debug messages --------------------------------------------------------------------------- diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 3f2817f7..08623da8 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -1394,7 +1394,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) { pNew->rtryCall = gtlsRtry_handshake; dbgprintf("GnuTLS handshake does not complete immediately - setting to retry (this is OK and normal)\n"); - } else if(gnuRet != 0) { + } else if(gnuRet == 0) { + /* we got a handshake, now check authorization */ + CHKiRet(gtlsChkPeerAuth(pNew)); + } else { ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR); } |
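Review bot: in the `AcceptConnReq` hunk of runtime/nsd_gtls.c, the new `gnuRet == 0` branch correctly makes the peer check mandatory on the immediate-completion path, but the two failure paths now leave the function differently: a failed `gtlsChkPeerAuth(pNew)` exits through `CHKiRet` with whatever code the check returns, while a failed handshake exits through `ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR)`. Confirm that the `finalize_it` block both paths reach tears down `pNew` (the hunk does not show it), so a session that completed its handshake but failed authorization is never handed back to the caller via `ppNew`. A one-line comment next to `pNew->rtryCall = gtlsRtry_handshake;` stating that the retry handler performs the same `gtlsChkPeerAuth` call once the deferred handshake completes would also help, since this hunk enforces the check on only one of the two completion paths and the two must stay in step.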