gvsafronov/futriix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix certificate leak during connection when tls-allowlists are used

Browse Source
This commit is contained in:
John Sully 2022-07-14 04:36:51 +00:00
parent 93ea66ece5
commit e3f186e698
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/cluster.cpp
View File

@ -1525,7 +1525,9 @@ void clusterProcessGossipSection(clusterMsg *hdr, clusterLink *link) {
* it's greater than our view but is not in the future * it's greater than our view but is not in the future
* (with 500 milliseconds tolerance) from the POV of our * (with 500 milliseconds tolerance) from the POV of our
* clock. */ * clock. */
if (pongtime <= (g_pserver->mstime+500) && mstime_t mstime;
__atomic_load(&g_pserver->mstime, &mstime, __ATOMIC_RELAXED);
if (pongtime <= (mstime+500) &&
pongtime > node->pong_received) pongtime > node->pong_received)
{ {
node->pong_received = pongtime; node->pong_received = pongtime;

15
src/tls.cpp
View File

@ -503,11 +503,26 @@ bool tlsCheckAgainstAllowlist(const char * client){
#define ASN1_STRING_get0_data ASN1_STRING_data #define ASN1_STRING_get0_data ASN1_STRING_data
#endif #endif
class TCleanup {
std::function<void()> fn;
public:
TCleanup(std::function<void()> fn)
: fn(fn)
{}
~TCleanup() {
fn();
}
};
bool tlsValidateCertificateName(tls_connection* conn){ bool tlsValidateCertificateName(tls_connection* conn){
if (g_pserver->tls_allowlist.empty()) if (g_pserver->tls_allowlist.empty())
return true; // Empty list implies acceptance of all return true; // Empty list implies acceptance of all
X509 * cert = SSL_get_peer_certificate(conn->ssl); X509 * cert = SSL_get_peer_certificate(conn->ssl);
TCleanup certClen([cert]{X509_free(cert);});
/* Check the common name (CN) of the certificate first */ /* Check the common name (CN) of the certificate first */
X509_NAME_ENTRY * ne = X509_NAME_get_entry(X509_get_subject_name(cert), X509_NAME_get_index_by_NID(X509_get_subject_name(cert), NID_commonName, -1)); X509_NAME_ENTRY * ne = X509_NAME_get_entry(X509_get_subject_name(cert), X509_NAME_get_index_by_NID(X509_get_subject_name(cert), NID_commonName, -1));
const char * commonName = reinterpret_cast<const char*>(ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne))); const char * commonName = reinterpret_cast<const char*>(ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne)));