some security improvements #13

Open
wants to merge 3 commits into
base: master
repeat gnutls_handshake() call in case of warnings
that's what the semantics of this call require
Malte Kraus committed Aug 13, 2019
commit 92742544a56bcbcd9ec99ca15f898b31797e39e2
71 changes: 39 additions & 32 deletions conn.c
Expand Up @@ -276,6 +276,7 @@ int conn_activate_ssl(int server_role)
char *ssl_keyfile;
char *ssl_certfile;
int err;
int handshake_repeat = 0;

if (csync_conn_usessl)
return 0;
Expand Down Expand Up @@ -333,40 +334,46 @@ int conn_activate_ssl(int server_role)
(gnutls_transport_ptr_t)(long)conn_fd_out
);

err = gnutls_handshake(conn_tls_session);
switch(err) {
case GNUTLS_E_SUCCESS:
break;

case GNUTLS_E_WARNING_ALERT_RECEIVED:
alrt = gnutls_alert_get(conn_tls_session);
fprintf(
csync_debug_out,
"SSL: warning alert received from peer: %d (%s).\n",
alrt, gnutls_alert_get_name(alrt)
);
break;

case GNUTLS_E_FATAL_ALERT_RECEIVED:
alrt = gnutls_alert_get(conn_tls_session);
fprintf(
csync_debug_out,
"SSL: fatal alert received from peer: %d (%s).\n",
alrt, gnutls_alert_get_name(alrt)
);

default:
gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
gnutls_deinit(conn_tls_session);
gnutls_certificate_free_credentials(conn_x509_cred);
gnutls_global_deinit();
do {
handshake_repeat = 0;
err = gnutls_handshake(conn_tls_session);
switch(err) {
case GNUTLS_E_SUCCESS:
break;

csync_fatal(
"SSL: handshake failed: %s (%s)\n",
gnutls_strerror(err),
gnutls_strerror_name(err)
);
}
case GNUTLS_E_WARNING_ALERT_RECEIVED:
alrt = gnutls_alert_get(conn_tls_session);
fprintf(
csync_debug_out,
"SSL: warning alert received from peer: %d (%s).\n",
alrt, gnutls_alert_get_name(alrt)
);
handshake_repeat = 1;
break;

case GNUTLS_E_FATAL_ALERT_RECEIVED:
alrt = gnutls_alert_get(conn_tls_session);
fprintf(
csync_debug_out,
"SSL: fatal alert received from peer: %d (%s).\n",
alrt, gnutls_alert_get_name(alrt)
);
// fall-through!

default:
gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
gnutls_deinit(conn_tls_session);
gnutls_certificate_free_credentials(conn_x509_cred);
gnutls_global_deinit();

csync_fatal(
"SSL: handshake failed: %s (%s)\n",
gnutls_strerror(err),
gnutls_strerror_name(err)
);
}
} while (handshake_repeat);

csync_conn_usessl = 1;

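Review bot: The new `do { … } while (handshake_repeat);` loop has no upper bound, so a peer that keeps answering with warning-level alerts can hold conn_activate_ssl in the handshake indefinitely, one log line per iteration, which is a denial-of-service vector on a server that the rest of this PR is trying to harden. Count the warnings and fall into the fatal path once a small project-chosen limit is exceeded, declaring the counter next to `handshake_repeat` in the first hunk (`int warning_alerts = 0;`); where the GnuTLS version in use offers it, `gnutls_handshake_set_timeout()` before the loop gives an additional wall-clock bound. Separately, the loop only retries on GNUTLS_E_WARNING_ALERT_RECEIVED, whereas the GnuTLS manual's handshake idiom retries on every non-fatal return (`while (err < 0 && gnutls_error_is_fatal(err) == 0)`), which also covers GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED; on a blocking fd those may not occur, so this is presumably fine today but worth a comment. conn_activate_ssl starts and ends outside the hunk.
```c
	case GNUTLS_E_WARNING_ALERT_RECEIVED:
		alrt = gnutls_alert_get(conn_tls_session);
		fprintf(
			csync_debug_out,
			"SSL: warning alert received from peer: %d (%s).\n",
			alrt, gnutls_alert_get_name(alrt)
		);
		/* a peer may send warning alerts forever; bound the retries
		 * (MAX_HANDSHAKE_WARNINGS: small project-chosen limit) */
		if (++warning_alerts < MAX_HANDSHAKE_WARNINGS) {
			handshake_repeat = 1;
			break;
		}
		// fall-through: too many warnings, treat like a fatal alert
	/* … unchanged: GNUTLS_E_FATAL_ALERT_RECEIVED and default cleanup … */
```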