-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | runtime/nsd_gtls.c | 5 |
2 files changed, 13 insertions, 1 deletions
@@ -10,6 +10,15 @@ Version 3.19.10 (rgerhards), 2008-07-?? is just a simple addition of faciltity and severity). I have changed this to use own, consistent, code for PRI calculation. Thank to HKS for reporting this bug. +- bugfix (cosmetical): authorization was not checked when gtls handshake + completed immediately. While this sounds scary, the situation can not + happen in practice. We use non-blocking IO only for server-based gtls + session setup. As TLS requires the exchange of multiple frames before + the handshake completes, it simply is impossible to do this in one + step. However, it is useful to have the code path correct even for + this case - otherwise, we may run into problems if the code is changed + some time later (e.g. to use blocking sockets). Thanks to varmojfekoj + for providing the patch. - important queue bugfix from 3.18.1 imported (see below) - cleanup of some debug messages ---------------------------------------------------------------------------
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 3f2817f7..08623da8 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1394,7 +1394,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
 if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
 pNew->rtryCall = gtlsRtry_handshake;
 dbgprintf("GnuTLS handshake does not complete immediately - setting to retry (this is OK and normal)\n");
- } else if(gnuRet != 0) {
+ } else if(gnuRet == 0) {
+ /* we got a handshake, now check authorization */
+ CHKiRet(gtlsChkPeerAuth(pNew));
+ } else {
 ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
 } |
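Review bot: On the new `gnuRet == 0` branch, a failed `gtlsChkPeerAuth(pNew)` makes `CHKiRet` jump to the function's `finalize_it` label, which lies outside this hunk, with `pNew` still holding a completed GnuTLS session; whether that label tears `pNew` down rather than leaving it reachable to the caller through `ppNew` cannot be seen here and should be confirmed, since a peer that failed authorization must never be handed back as an accepted connection. The branch one line up only records `pNew->rtryCall = gtlsRtry_handshake`, so the deferred handler has to perform the same authorization call once its handshake completes, and nothing in this hunk ties the two paths together. A comment on the new branch would keep them from drifting apart: `/* handshake finished in one call: authorize now; the rtryCall path must run this same check after its handshake completes */`. AcceptConnReq begins before and continues past this hunk.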