path: root/runtime
author: varmojfekoj <theinric@redhat.com> 2008-07-15 09:02:37 +0200
committer: Rainer Gerhards <rgerhards@adiscon.com> 2008-07-15 09:02:37 +0200
commit: 38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8 (patch)
tree: ccf08154d338553997527590d0a2bcbf0f1c6e92 /runtime
parent: 3f6dc12596367d7e754ffc37efe8ba2d9833969b (diff)
download: rsyslog-38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8.tar.gz
rsyslog-38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8.tar.xz
rsyslog-38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8.zip
bugfix (cosmetical): authorization was not checked when gtls handshake completed immediately.
While this sounds scary, the situation cannot happen in practice. We use non-blocking IO only for server-based gtls session setup. As TLS requires the exchange of multiple frames before the handshake completes, it simply is impossible to do this in one step. However, it is useful to have the code path correct even for this case - otherwise, we may run into problems if the code is changed some time later (e.g. to use blocking sockets).

Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
Diffstat (limited to 'runtime')
-rw-r--r--  runtime/nsd_gtls.c  5
1 files changed, 4 insertions, 1 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 3f2817f7..08623da8 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1394,7 +1394,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
pNew->rtryCall = gtlsRtry_handshake;
dbgprintf("GnuTLS handshake does not complete immediately - setting to retry (this is OK and normal)\n");
- } else if(gnuRet != 0) {
+ } else if(gnuRet == 0) {
+ /* we got a handshake, now check authorization */
+ CHKiRet(gtlsChkPeerAuth(pNew));
+ } else {
ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
}
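Review bot: the new `gnuRet == 0` branch fails closed through `CHKiRet(gtlsChkPeerAuth(pNew))`, which is the right outcome, but unlike the neighbouring branches it leaves no trace: the retry branch has a `dbgprintf` and the error branch returns a distinct `RS_RET_TLS_HANDSHAKE_ERR`, whereas a peer rejected on an immediately completed handshake is only visible as whatever return code `gtlsChkPeerAuth` propagates. Consider a `dbgprintf` before the call (e.g. "GnuTLS handshake completed immediately - checking peer authorization") so the path is distinguishable in debug output, and confirm that `finalize_it` releases `pNew` on this new failure path the same way it does after `ABORT_FINALIZE`, since at that point the TLS session has been accepted but the peer has not been authorized.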