From 14d21d7b445107873166b528c66881bf736285f8 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Thu, 10 Jun 2021 16:40:28 +0200
Subject: [PATCH] Handle GnuTLS shutdown on dead session

The session might have died, or failed to initialise properly, so be
prepared for gnutls_bye() to be unable to do its job.
---
 common/rfb/CSecurityTLS.cxx | 16 ++++++++++------
 common/rfb/CSecurityTLS.h   |  2 +-
 common/rfb/SSecurityTLS.cxx |  9 +++++----
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index b32725f0..d33a76e2 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -3,6 +3,7 @@
  * Copyright (C) 2005 Martin Koegler
  * Copyright (C) 2010 TigerVNC Team
  * Copyright (C) 2010 m-privacy GmbH
+ * Copyright (C) 2012-2021 Pierre Ossman for Cendio AB
  *
  * This is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -99,11 +100,14 @@ void CSecurityTLS::setDefaults()
   X509CRL.setDefaultStr(crlDefault.buf);
 }
 
-void CSecurityTLS::shutdown(bool needbye)
+void CSecurityTLS::shutdown()
 {
-  if (session && needbye)
-    if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS)
-      vlog.error("gnutls_bye failed");
+  if (session) {
+    int ret;
+    ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+    if ((ret != GNUTLS_E_SUCCESS) && (ret != GNUTLS_E_INVALID_SESSION))
+      vlog.error("TLS shutdown failed: %s", gnutls_strerror(ret));
+  }
 
   if (anon_cred) {
     gnutls_anon_free_client_credentials(anon_cred);
@@ -139,7 +143,7 @@ void CSecurityTLS::shutdown(bool needbye)
 
 CSecurityTLS::~CSecurityTLS()
 {
-  shutdown(true);
+  shutdown();
 
   delete[] cafile;
   delete[] crlfile;
@@ -186,7 +190,7 @@ bool CSecurityTLS::processMsg()
     }
 
     vlog.error("TLS Handshake failed: %s\n", gnutls_strerror (err));
-    shutdown(false);
+    shutdown();
     throw AuthFailureException("TLS Handshake failed");
   }
 
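Review bot: The rewritten CSecurityTLS::shutdown() (second hunk) now calls gnutls_bye() on the failed-handshake path too — processMsg (fourth hunk) previously passed needbye=false and skipped it — but it still treats every return other than GNUTLS_E_SUCCESS and GNUTLS_E_INVALID_SESSION as an error, and gnutls_bye() is documented to return GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED when it must be called again. With GNUTLS_SHUT_RDWR it also waits for the peer's close_notify, so on a session whose peer is already gone this is likely to log a misleading "TLS shutdown failed" and, if the underlying transport is blocking (I cannot tell from the hunk), may hold the error path until the socket gives up. Either widen the filter, `if (ret != GNUTLS_E_SUCCESS && ret != GNUTLS_E_INVALID_SESSION && ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED)`, or use GNUTLS_SHUT_WR on the teardown-after-failure path so only the local close_notify is sent without waiting for a reply. The same applies to SSecurityTLS::shutdown() in the third file of this patch. The body of CSecurityTLS::shutdown() continues outside the hunk.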
diff --git a/common/rfb/CSecurityTLS.h b/common/rfb/CSecurityTLS.h
index 476d0ef8..0dcf2ad3 100644
--- a/common/rfb/CSecurityTLS.h
+++ b/common/rfb/CSecurityTLS.h
@@ -55,7 +55,7 @@ namespace rfb {
     static UserMsgBox *msg;
 
   protected:
-    void shutdown(bool needbye);
+    void shutdown();
     void freeResources();
     void setParam();
     void checkSession();
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d5ef47e6..72262b9a 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -2,6 +2,7 @@
  * Copyright (C) 2004 Red Hat Inc.
  * Copyright (C) 2005 Martin Koegler
  * Copyright (C) 2010 TigerVNC Team
+ * Copyright (C) 2012-2021 Pierre Ossman for Cendio AB
  *
  * This is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -64,10 +65,10 @@ SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
 void SSecurityTLS::shutdown()
 {
   if (session) {
-    if (gnutls_bye(session, GNUTLS_SHUT_RDWR) != GNUTLS_E_SUCCESS) {
-      /* FIXME: Treat as non-fatal error */
-      vlog.error("TLS session wasn't terminated gracefully");
-    }
+    int ret;
+    ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+    if ((ret != GNUTLS_E_SUCCESS) && (ret != GNUTLS_E_INVALID_SESSION))
+      vlog.error("TLS shutdown failed: %s", gnutls_strerror(ret));
   }
 
   if (dh_params) {
-- 
2.39.5
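Review bot: The new SSecurityTLS::shutdown() body (last hunk) leaves undocumented why GNUTLS_E_INVALID_SESSION is deliberately swallowed, which a later reader is likely to "fix" back into an error; the commit message has the reason, so put it next to the check, e.g. `// GNUTLS_E_INVALID_SESSION: the session is already dead or never completed its handshake, so there is no close_notify to send.` As a point of style, the split `int ret; ret = gnutls_bye(...)` declares before first use; `int ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);` reads the same and matches the guidance to initialise at declaration — the identical pattern appears in CSecurityTLS::shutdown() in the first file. The dh_params cleanup that follows is outside the hunk.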