Commit f7846901 authored by Vladimír Čunát's avatar Vladimír Čunát

Merge !714: daemon: fix TLS rehandshake processing

parents c2978348 dd7d70b4
......@@ -18,6 +18,7 @@ Bugfixes
--------
- http module: only run prometheus in parent process if using --forks=N,
as the submodule collects metrics from all sub-processes as well.
- policy.TLS_FORWARD fixes (!714)
- fix build with -DNOVERBOSELOG (#424)
Improvements
......
......@@ -222,6 +222,9 @@ static void tcp_recv(uv_stream_t *handle, ssize_t nread, const uv_buf_t *buf)
/* buf->base points to start of the tls receive buffer.
Decode data free space in session wire buffer. */
consumed = tls_process_input_data(s, (const uint8_t *)buf->base, nread);
if (consumed <= 0) {
return;
}
data = session_wirebuf_get_free_start(s);
data_len = consumed;
}
......
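Review bot: The new guard `if (consumed <= 0) { return; }` treats a TLS decoding failure (a negative return, presumably) the same as "no complete record yet" (zero), so a session whose TLS stream is already broken is kept open and simply waits for more input rather than being torn down. If tls_process_input_data() distinguishes the two, handle `consumed < 0` by closing the session and only `return` on zero. The comment above the call is hard to parse; suggest `/* buf->base points to the start of the TLS receive buffer; decode the data into the free space of the session wire buffer. */`. tcp_recv begins before this hunk, so the earlier nread checks are not visible here.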
......@@ -496,6 +496,11 @@ ssize_t session_wirebuf_consume(struct session *session, const uint8_t *data, ss
return kr_error(EINVAL);
}
if (len < 0) {
/* shouldn't happen */
return kr_error(EINVAL);
}
if (session->wire_buf_end_idx + len > session->wire_buf_size) {
/* shouldn't happen */
return kr_error(EINVAL);
......
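Review bot: The bound check `session->wire_buf_end_idx + len > session->wire_buf_size` adds before comparing; the subtraction form cannot wrap whatever the field widths are and reads as the question actually being asked: `if ((size_t)len > session->wire_buf_size - session->wire_buf_end_idx) {`. That relies on wire_buf_end_idx never exceeding wire_buf_size, which the struct's invariants (outside the hunk) should guarantee. The two `/* shouldn't happen */` comments would be more useful stating what the caller promises, e.g. `/* negative length: the caller passed an error code instead of a byte count */`. session_wirebuf_consume starts before this hunk.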
......@@ -482,6 +482,9 @@ ssize_t tls_process_input_data(struct session *s, const uint8_t *buf, ssize_t nr
continue;
} else if (count == GNUTLS_E_REHANDSHAKE) {
/* See https://www.gnutls.org/manual/html_node/Re_002dauthentication.html */
struct sockaddr *peer = session_get_peer(s);
kr_log_verbose("[%s] TLS rehandshake with %s has started\n",
logstring, kr_straddr(peer));
tls_set_hs_state(tls_p, TLS_HS_IN_PROGRESS);
while (tls_p->handshake_state <= TLS_HS_IN_PROGRESS) {
int err = tls_handshake(tls_p, tls_p->handshake_cb);
......
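Review bot: `kr_straddr(peer)` on the log line is called with whatever session_get_peer() returns and no NULL check; if a session can be without a peer address at this point (not visible in the hunk), the verbose log would dereference NULL, so a `peer ? kr_straddr(peer) : "?"` guard or a comment stating that every TLS session has a peer here would settle it. The loop `while (tls_p->handshake_state <= TLS_HS_IN_PROGRESS)` runs inside the receive path, so a comment naming which tls_handshake() results leave the loop would help a reader; its body continues outside the hunk, as does tls_process_input_data.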
......@@ -713,8 +713,19 @@ static int session_tls_hs_cb(struct session *session, int status)
}
}
ret = worker_add_tcp_connected(worker, peer, session);
if (deletion_res == kr_ok() && ret == kr_ok()) {
ret = kr_ok();
if (deletion_res == kr_ok()) {
/* peer was in the waiting list, add to the connected list. */
ret = worker_add_tcp_connected(worker, peer, session);
} else {
/* peer wasn't in the waiting list.
* In this case it must be successful rehandshake.
* Peer must be already in the connected list. */
const char *key = tcpsess_key(peer);
assert(key);
assert(map_contains(&worker->tcp_connected, key) != 0);
}
if (ret == kr_ok()) {
while (!session_waitinglist_is_empty(session)) {
struct qr_task *t = session_waitinglist_get(session);
ret = qr_task_send(t, session, NULL, NULL);
......
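Review bot: The else branch starting at `const char *key = tcpsess_key(peer);` checks the "peer is already connected" invariant only with assert(), so under NDEBUG nothing is verified and `ret` stays kr_ok(), letting the waiting-list loop below send tasks on a session the worker does not track; with assertions enabled, a rehandshake completing on a session that was never registered would instead abort the daemon. Whether a rehandshake happens is decided by the remote side, so this belongs in a runtime check that fails the callback rather than an assertion. What the caller does with a non-ok `ret`, and the start of session_tls_hs_cb, are outside the hunk, so the error path should be confirmed to close the session.
```c
	} else {
		/* peer wasn't in the waiting list: this must be a completed
		 * rehandshake, so the peer is expected to be connected already.
		 * Checked at runtime because the condition is driven by the peer. */
		const char *key = tcpsess_key(peer);
		if (!key || map_contains(&worker->tcp_connected, key) == 0) {
			kr_log_verbose("TLS rehandshake on a session missing from the connected list\n");
			ret = kr_error(EINVAL);
		}
	}
	/* … unchanged: waiting-list flush when ret == kr_ok() … */
```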