From 38cdfcfbe1c1ed6aa4a22623afc43d199bc5f7a8 Mon Sep 17 00:00:00 2001
From: varmojfekoj
Date: Tue, 15 Jul 2008 09:02:37 +0200
Subject: bugfix (cosmetical): authorization was not checked when gtls handshake completed immediately. While this sounds scary, the situation can not happen in practice. We use non-blocking IO only for server-based gtls session setup. As TLS requires the exchange of multiple frames before the handshake completes, it simply is impossible to do this in one step. However, it is useful to have the code path correct even for this case - otherwise, we may run into problems if the code is changed some time later (e.g. to use blocking sockets).
Signed-off-by: Rainer Gerhards
---
 ChangeLog | 9 +++++++++
 runtime/nsd_gtls.c | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 4b3ff203..32594af7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,15 @@ Version 3.19.10 (rgerhards), 2008-07-??
 is just a simple addition of faciltity and severity). I have changed this to use own, consistent, code for PRI calculation. Thank to HKS for reporting this bug.
+- bugfix (cosmetical): authorization was not checked when gtls handshake
+ completed immediately. While this sounds scary, the situation can not
+ happen in practice. We use non-blocking IO only for server-based gtls
+ session setup. As TLS requires the exchange of multiple frames before
+ the handshake completes, it simply is impossible to do this in one
+ step. However, it is useful to have the code path correct even for
+ this case - otherwise, we may run into problems if the code is changed
+ some time later (e.g. to use blocking sockets). Thanks to varmojfekoj
+ for providing the patch.
 - important queue bugfix from 3.18.1 imported (see below)
 - cleanup of some debug messages
 ---------------------------------------------------------------------------
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 3f2817f7..08623da8 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1394,7 +1394,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
 if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
 pNew->rtryCall = gtlsRtry_handshake;
 dbgprintf("GnuTLS handshake does not complete immediately - setting to retry (this is OK and normal)\n");
- } else if(gnuRet != 0) {
+ } else if(gnuRet == 0) {
+ /* we got a handshake, now check authorization */
+ CHKiRet(gtlsChkPeerAuth(pNew));
+ } else {
 ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
 }
-- cgit
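Review bot: When `gtlsChkPeerAuth(pNew)` fails, `CHKiRet` jumps to the finalize label with `pNew` holding a session whose handshake has already completed, a state that label did not have to handle before this change; AcceptConnReq's body, including the finalize block, begins and ends outside the hunk, so it should be confirmed that this failure path tears down the session and the accepted socket rather than only propagating the error. The new comment would be more useful if it said why the check lives here, since the retry branch just above defers it: `/* handshake completed synchronously: peer authorization must be verified here, as the retry path presumably does once its deferred handshake finishes */`. Separately, splitting `gnuRet != 0` into `== 0` plus a catch-all `else` keeps treating every GnuTLS return other than AGAIN/INTERRUPTED as fatal; gnutls_handshake() can also return non-fatal codes such as a received warning alert, and `gnutls_error_is_fatal(gnuRet)` would distinguish them, though that behaviour predates this patch.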