cleaned up the fatal error checking in TLS/DTLS sessions

This commit is contained in:
Nikos Mavrogiannopoulos
2016-01-19 13:19:10 +01:00
parent 507e725189
commit 9b6c4f3a26
3 changed files with 17 additions and 28 deletions


@@ -124,7 +124,7 @@ int ret;
while ( (len = read( fd, buf, sizeof(buf))) > 0 ||
(len == -1 && (errno == EINTR || errno == EAGAIN))) {
ret = cstp_send(ws, buf, len);
FATAL_ERR(ws, ret);
CSTP_FATAL_ERR(ws, ret);
total += ret;
}
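Review bot: The loop body still calls `cstp_send(ws, buf, len)` when the condition was satisfied by the `len == -1 && (errno == EINTR || errno == EAGAIN)` branch, so a -1 length is handed to the send path on every interrupted or would-block read; if cstp_send's length parameter is unsigned (not visible here) that becomes a huge size, and the unchanged `total += ret` then accounts a bogus transfer. The renamed macro on the new line only checks the send result and does not cover this. A guard before the send keeps the retry semantics and skips the bad call: `if (len < 0) continue;`. The enclosing function starts and ends outside the hunk.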


@@ -69,7 +69,9 @@ void tls_load_certs(struct main_server_st* s, struct tls_st *creds);
size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac_algorithm_t);
#define GNUTLS_FATAL_ERR_CMD(x, CMD) \
#define GNUTLS_FATAL_ERR DTLS_FATAL_ERR
#define DTLS_FATAL_ERR_CMD(x, CMD) \
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
if (syslog_open) \
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
@@ -78,9 +80,9 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
CMD; \
}
#define GNUTLS_FATAL_ERR(x) GNUTLS_FATAL_ERR_CMD(x, exit(1))
#define DTLS_FATAL_ERR(x) DTLS_FATAL_ERR_CMD(x, exit(1))
#define FATAL_ERR_CMD(ws, x, CMD) \
#define CSTP_FATAL_ERR_CMD(ws, x, CMD) \
if (ws->session != NULL) { \
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
oclog(ws, LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
@@ -93,20 +95,7 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
} \
}
#define FATAL_ERR(ws, x) FATAL_ERR_CMD(ws, x, exit(1))
#define GNUTLS_S_FATAL_ERR(session, x) \
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
if (syslog_open) { \
if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { \
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s: %s", __FILE__, __LINE__, gnutls_strerror(x), gnutls_alert_get_name(gnutls_alert_get(session))); \
} else { \
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
} \
} else \
fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \
exit(1); \
}
#define CSTP_FATAL_ERR(ws, x) CSTP_FATAL_ERR_CMD(ws, x, exit(1))
void tls_close(gnutls_session_t session);
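Review bot: The renamed `DTLS_FATAL_ERR_CMD` and `CSTP_FATAL_ERR_CMD` still expand to a bare `if` statement with `x` unparenthesized and evaluated more than once (the condition and `gnutls_strerror(x)`), so `if (c) DTLS_FATAL_ERR(ret); else …` at a call site binds the `else` to the macro's hidden `if`, and an argument with side effects is evaluated twice. Since the macros are being reworked anyway, wrap each body in `do { … } while (0)` and parenthesize the argument, e.g. `if ((x) < 0 && gnutls_error_is_fatal(x) != 0) { \`; the full macro bodies run past the first two hunks so the closing braces are not visible here. The new `#define GNUTLS_FATAL_ERR DTLS_FATAL_ERR` alias also deserves a one-line comment stating that it is a compatibility name for TLS-side callers that log to syslog rather than through oclog, since the name no longer says which transport it belongs to.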


@@ -463,7 +463,7 @@ void vpn_server(struct worker_st *ws)
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
GNUTLS_S_FATAL_ERR(session, ret);
GNUTLS_FATAL_ERR(ret);
oclog(ws, LOG_DEBUG, "TLS handshake completed");
} else {
@@ -542,7 +542,7 @@ void vpn_server(struct worker_st *ws)
oclog(ws, LOG_HTTP_DEBUG, "HTTP POST %s", ws->req.url);
while (ws->req.message_complete == 0) {
nrecvd = tls_recv(ws, ws->buffer, sizeof(ws->buffer));
FATAL_ERR(ws, nrecvd);
CSTP_FATAL_ERR(ws, nrecvd);
if (nrecvd == 0) {
oclog(ws, LOG_HTTP_DEBUG,
@@ -823,7 +823,7 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow,
ws->buffer[0] = AC_PKT_DPD_OUT;
ret = dtls_send(ws, ws->buffer, 1);
GNUTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
DTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
if (now - ws->last_msg_udp > DPD_MAX_TRIES * dpd) {
oclog(ws, LOG_ERR,
@@ -845,7 +845,7 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow,
ws->buffer[7] = 0;
ret = cstp_send(ws, ws->buffer, 8);
FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
CSTP_FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
if (now - ws->last_msg_tcp > DPD_MAX_TRIES * dpd) {
oclog(ws, LOG_ERR,
@@ -950,7 +950,7 @@ static int dtls_mainloop(worker_st * ws, struct timespec *tnow)
oclog(ws, LOG_TRANSFER_DEBUG,
"received %d byte(s) (DTLS)", ret);
GNUTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
DTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
if (ret == GNUTLS_E_REHANDSHAKE) {
@@ -974,7 +974,7 @@ static int dtls_mainloop(worker_st * ws, struct timespec *tnow)
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
GNUTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
DTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
oclog(ws, LOG_DEBUG, "DTLS rehandshake completed");
ws->last_dtls_rehandshake = tnow->tv_sec;
@@ -1092,7 +1092,7 @@ static int tls_mainloop(struct worker_st *ws, struct timespec *tnow)
data.data = ws->buffer;
data.size = ret;
#endif
FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
CSTP_FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
if (ret == 0) { /* disconnect */
oclog(ws, LOG_DEBUG, "client disconnected");
@@ -1132,7 +1132,7 @@ static int tls_mainloop(struct worker_st *ws, struct timespec *tnow)
do {
ret = gnutls_handshake(ws->session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
GNUTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
DTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
ws->last_tls_rehandshake = tnow->tv_sec;
oclog(ws, LOG_INFO, "TLS rehandshake completed");
@@ -1223,7 +1223,7 @@ static int tun_mainloop(struct worker_st *ws, struct timespec *tnow)
dtls_to_send.data[7] = dtls_type;
ret = dtls_send(ws, dtls_to_send.data + 7, dtls_to_send.size + 1);
GNUTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
DTLS_FATAL_ERR_CMD(ret, exit_worker_reason(ws, REASON_ERROR));
if (ret == GNUTLS_E_LARGE_PACKET) {
mtu_not_ok(ws);
@@ -1250,7 +1250,7 @@ static int tun_mainloop(struct worker_st *ws, struct timespec *tnow)
ws->tun_bytes_out += cstp_to_send.size;
ret = cstp_send(ws, cstp_to_send.data, cstp_to_send.size + 8);
FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
CSTP_FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
}
ws->last_nc_msg = tnow->tv_sec;
}
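Review bot: Replacing `GNUTLS_S_FATAL_ERR(session, ret)` with `GNUTLS_FATAL_ERR(ret)` after the handshake loop in vpn_server drops the alert name from the log: the removed macro logged `gnutls_alert_get_name(gnutls_alert_get(session))` on `GNUTLS_E_FATAL_ALERT_RECEIVED`, while `DTLS_FATAL_ERR_CMD`, as far as its visible lines show, logs only `gnutls_strerror(x)`. For a handshake failure the peer's alert (bad certificate, unknown CA, protocol version) is the one diagnostic an operator needs, so consider logging it before the macro: `if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED) oclog(ws, LOG_ERR, "TLS handshake: fatal alert received: %s", gnutls_alert_get_name(gnutls_alert_get(session)));` followed by the existing `GNUTLS_FATAL_ERR(ret);`. The same loss applies to the TLS rehandshake in tls_mainloop, which now also uses the DTLS-named `DTLS_FATAL_ERR_CMD` on `ws->session`; a TLS-named alias there would make the intent clearer. vpn_server and tls_mainloop both start and end outside their hunks.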