Don't use assert() for error handling
It is excessively harsh in its output, and it can be completely compiled out which will give an incorrect behaviour.
This commit is contained in:
Pierre Ossman
parent
aa5164ede4
commit
e7bc37918c
49
tcp.c
49
tcp.c
@ -40,9 +40,6 @@
|
||||
#include "ssl.h"
|
||||
#include "asn.h"
|
||||
|
||||
|
||||
#define CHECK(x) assert((x)>=0)
|
||||
|
||||
#ifdef _WIN32
|
||||
#define socklen_t int
|
||||
#define TCP_CLOSE(_sck) closesocket(_sck)
|
||||
@ -328,6 +325,17 @@ cert_verify_callback(gnutls_session_t session)
|
||||
return utils_cert_handle_exception(session, status, hostname_mismatch, g_last_server_name);
|
||||
}
|
||||
|
||||
static void
|
||||
gnutls_fatal(const char *text, int status)
|
||||
{
|
||||
logger(Core, Error, "%s: %s", text, gnutls_strerror(status));
|
||||
/* TODO: Lookup if exit(1) is just plain wrong, its used here to breakout of
|
||||
fallback code path for connection, eg. if TLS fails, a retry with plain
|
||||
RDP is made.
|
||||
*/
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Establish a SSL/TLS 1.0 connection */
|
||||
RD_BOOL
|
||||
tcp_tls_connect(void)
|
||||
@ -340,18 +348,33 @@ tcp_tls_connect(void)
|
||||
if (!g_ssl_initialized)
|
||||
{
|
||||
gnutls_global_init();
|
||||
CHECK(gnutls_init(&g_tls_session, GNUTLS_CLIENT));
|
||||
err = gnutls_init(&g_tls_session, GNUTLS_CLIENT);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not initialize GnuTLS", err);
|
||||
}
|
||||
g_ssl_initialized = True;
|
||||
}
|
||||
|
||||
/* It is recommended to use the default priorities */
|
||||
//CHECK(gnutls_set_default_priority(g_tls_session));
|
||||
//err = gnutls_set_default_priority(g_tls_session);
|
||||
// Use compatible priority to overcome key validation error
|
||||
// THIS IS TEMPORARY
|
||||
CHECK(gnutls_priority_set_direct(g_tls_session, "NORMAL:%COMPAT", NULL));
|
||||
CHECK(gnutls_certificate_allocate_credentials(&xcred));
|
||||
CHECK(gnutls_credentials_set(g_tls_session, GNUTLS_CRD_CERTIFICATE, xcred));
|
||||
CHECK(gnutls_certificate_set_x509_system_trust(xcred));
|
||||
err = gnutls_priority_set_direct(g_tls_session, "NORMAL:%COMPAT", NULL);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not set GnuTLS priority setting", err);
|
||||
}
|
||||
err = gnutls_certificate_allocate_credentials(&xcred);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not allocate TLS certificate structure", err);
|
||||
}
|
||||
err = gnutls_credentials_set(g_tls_session, GNUTLS_CRD_CERTIFICATE, xcred);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not set TLS certificate structure", err);
|
||||
}
|
||||
err = gnutls_certificate_set_x509_system_trust(xcred);
|
||||
if (err < 0) {
|
||||
gnutls_fatal("Could not load system trust database", err);
|
||||
}
|
||||
gnutls_certificate_set_verify_function(xcred, cert_verify_callback);
|
||||
gnutls_transport_set_int(g_tls_session, g_sock);
|
||||
gnutls_handshake_set_timeout(g_tls_session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
|
||||
@ -366,13 +389,7 @@ tcp_tls_connect(void)
|
||||
|
||||
if (err == GNUTLS_E_CERTIFICATE_ERROR)
|
||||
{
|
||||
logger(Core, Error, "%s(): Certificate error during TLS handshake", __func__);
|
||||
|
||||
/* TODO: Lookup if exit(1) is just plain wrong, its used here to breakout of
|
||||
fallback code path for connection, eg. if TLS fails, a retry with plain
|
||||
RDP is made.
|
||||
*/
|
||||
exit(1);
|
||||
gnutls_fatal("Certificate error during TLS handshake", err);
|
||||
}
|
||||
|
||||
/* Handshake failed with unknown error, lets log */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user