[or-cvs] Fix "JAP-client" hideous ASN1 bug, twice. (Fix1: check more...

Nick Mathewson nickm at seul.org
Sat Apr 23 14:26:05 UTC 2005 

Update of /home/or/cvsroot/tor/src/or
In directory moria.mit.edu:/tmp/cvs-serv24340/src/or

Modified Files:
	buffers.c connection_or.c 
Log Message:
Fix "JAP-client" hideous ASN1 bug, twice. (Fix1: check more thoroughly for TLS errors when handling certs. Fix2: stop assert(0)ing on uncaught TLS errors.)

Index: buffers.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/buffers.c,v
retrieving revision 1.132
retrieving revision 1.133
diff -u -d -r1.132 -r1.133
--- buffers.c	7 Apr 2005 22:13:16 -0000	1.132
+++ buffers.c	23 Apr 2005 14:26:02 -0000	1.133
@@ -224,7 +224,7 @@
          (int)buf_datalen(buf), (int)tor_tls_get_pending_bytes(tls),
          (int)at_most);
 
-  assert_no_tls_errors();
+  check_no_tls_errors();
   r = tor_tls_read(tls, buf->mem+buf->datalen, at_most);
   if (r<0)
     return r;
@@ -281,6 +281,7 @@
 
   /* we want to let tls write even if flushlen is zero, because it might
    * have a partial record pending */
+  check_no_tls_errors();
   r = tor_tls_write(tls, buf->mem, *buf_flushlen);
   if (r < 0) {
     return r;

Index: connection_or.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/connection_or.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -u -d -r1.168 -r1.169
--- connection_or.c	6 Apr 2005 21:09:47 -0000	1.168
+++ connection_or.c	23 Apr 2005 14:26:02 -0000	1.169
@@ -378,6 +378,7 @@
  * Return -1 if <b>conn</b> is broken, else return 0.
  */
 int connection_tls_continue_handshake(connection_t *conn) {
+  check_no_tls_errors();
   switch (tor_tls_handshake(conn->tls)) {
     case TOR_TLS_ERROR:
     case TOR_TLS_CLOSE:
@@ -442,16 +443,19 @@
   conn->state = OR_CONN_STATE_OPEN;
   connection_watch_events(conn, EV_READ);
   log_fn(LOG_DEBUG,"tls handshake done. verifying.");
+  check_no_tls_errors();
   if (! tor_tls_peer_has_cert(conn->tls)) {
     log_fn(LOG_INFO,"Peer didn't send a cert! Closing.");
     /* XXX we should handle this case rather than just closing. */
     return -1;
   }
+  check_no_tls_errors();
   if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, sizeof(nickname))) {
     log_fn(LOG_WARN,"Other side (%s:%d) has a cert without a valid nickname. Closing.",
            conn->address, conn->port);
     return -1;
   }
+  check_no_tls_errors();
   log_fn(LOG_DEBUG, "Other side (%s:%d) claims to be router '%s'",
          conn->address, conn->port, nickname);
 
@@ -460,6 +464,7 @@
            nickname, conn->address, conn->port);
     return -1;
   }
+  check_no_tls_errors();
 #if 0
   if (tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
     log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate.  Closing.",

More information about the tor-commits mailing list