diff options
author | Yossi Gottlieb <yossigo@gmail.com> | 2020-07-28 11:32:47 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-28 11:32:47 +0300 |
commit | 784ceeb90d84bbc49fc2f2e2e6c7b9fae2524bd5 (patch) | |
tree | 71afc0aec88a311e3720dcc9074fea2b77f23592 /src/tls.c | |
parent | 109b5ccdcd6e6b8cecdaeb13a246bc49ce7a61f4 (diff) | |
download | redis-784ceeb90d84bbc49fc2f2e2e6c7b9fae2524bd5.tar.gz |
TLS: Propagate and handle SSL_new() failures. (#7576)
The connection API may create an accepted connection object in an error
state, and callers are expected to check it before attempting to use it.
Co-authored-by: mrpre <mrpre@163.com>
Diffstat (limited to 'src/tls.c')
-rw-r--r-- | src/tls.c | 28 |
1 files changed, 24 insertions, 4 deletions
@@ -337,11 +337,34 @@ connection *connCreateTLS(void) { return (connection *) conn; } +/* Fetch the latest OpenSSL error and store it in the connection */ +static void updateTLSError(tls_connection *conn) { + conn->c.last_errno = 0; + if (conn->ssl_error) zfree(conn->ssl_error); + conn->ssl_error = zmalloc(512); + ERR_error_string_n(ERR_get_error(), conn->ssl_error, 512); +} + +/* Create a new TLS connection that is already associated with + * an accepted underlying file descriptor. + * + * The socket is not ready for I/O until connAccept() was called and + * invoked the connection-level accept handler. + * + * Callers should use connGetState() and verify the created connection + * is not in an error state. + */ connection *connCreateAcceptedTLS(int fd, int require_auth) { tls_connection *conn = (tls_connection *) connCreateTLS(); conn->c.fd = fd; conn->c.state = CONN_STATE_ACCEPTING; + if (!conn->ssl) { + updateTLSError(conn); + conn->c.state = CONN_STATE_ERROR; + return (connection *) conn; + } + switch (require_auth) { case TLS_CLIENT_AUTH_NO: SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); @@ -384,10 +407,7 @@ static int handleSSLReturnCode(tls_connection *conn, int ret_value, WantIOType * break; default: /* Error! */ - conn->c.last_errno = 0; - if (conn->ssl_error) zfree(conn->ssl_error); - conn->ssl_error = zmalloc(512); - ERR_error_string_n(ERR_get_error(), conn->ssl_error, 512); + updateTLSError(conn); break; } |