From: Benjamin Coddington <bcodding@redhat.com>
Date: Tue, 20 May 2025 09:06:19 -0400
Subject: tlshd: fix a regression for certificate verification
Origin: https://github.com/oracle/ktls-utils/commit/2f609c509e8c9087c584be96fe07a53e929a0746
Bug: https://github.com/oracle/ktls-utils/issues/98
Commit b010190cfed2 left session_status unset for
GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR. Fix this by always setting
EACCES in the error handling switch statement.
Fixes: b010190cfed2 ("tlshd: Pass ETIMEDOUT from gnutls to kernel")
Closes: #98
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
---
src/tlshd/handshake.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
index 53c91e2..b9de6b3 100644
--- a/src/tlshd/handshake.c
+++ b/src/tlshd/handshake.c
@@ -90,6 +90,8 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
} while (ret < 0 && !gnutls_error_is_fatal(ret));
tlshd_set_nagle(session, saved);
if (ret < 0) {
+ /* Any errors here should default to blocking access: */
+ parms->session_status = EACCES;
switch (ret) {
case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
tlshd_log_cert_verification_error(session);
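Review bot: the fail-closed default added at `parms->session_status = EACCES;` is the right fix, but the comment above it should also say why it must sit before the `switch (ret)` rather than in a case: specific cases that map a gnutls error to a different errno (the ETIMEDOUT mapping named in the Fixes: tag) can then overwrite it, while any case that only logs, such as the GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR case here, which per the commit message previously left the status unset, now returns EACCES without each case having to remember to set it. Something like "Set before the switch so that cases which only log still deny access; cases needing a different errno override it" would make the invariant obvious to the next person adding a case.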
@@ -100,7 +102,6 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
break;
default:
tlshd_log_notice("tlshd_start_tls_handshake unhandled error %d, returning EACCES\n", ret);
- parms->session_status = EACCES;
}
return;
}
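Review bot: with the assignment removed from the `default:` branch, the notice text "unhandled error %d, returning EACCES" is only accurate because of the assignment above the switch, so please keep the two in step if that default ever changes, or reword the message to "unhandled error %d" and leave the errno reporting to the caller. Since the bug here was a handshake failure that did not produce a denial, a regression test asserting that a GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR return leaves `parms->session_status == EACCES` would guard against this being reintroduced by a future case that only logs.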