TLSGuard fix

master
dma 7 years ago
parent 81dc903f7a
commit 571f43158a

@ -1,4 +1,3 @@
package sgfw package sgfw
import ( import (
@ -335,12 +334,15 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha
ntimeouts = 0 ntimeouts = 0
} else if stage == 2 { } else if stage == 2 {
remainder := make([]byte, mlen) remainder := make([]byte, mlen)
conn.SetReadDeadline(time.Now().Add(1 * time.Second)) conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err := io.ReadFull(conn, remainder) numRead, err := io.ReadFull(conn, remainder)
conn.SetReadDeadline(time.Time{}) conn.SetReadDeadline(time.Time{})
if err != nil { if err != nil {
if err, ok := err.(net.Error); ok && err.Timeout() { if err, ok := err.(net.Error); ok && err.Timeout() {
ret_error = err ret_error = err
if numRead > 0 {
buffered = append(buffered, remainder[:numRead]...)
}
} else { } else {
ntimeouts++ ntimeouts++
if ntimeouts == TLSGUARD_READ_TIMEOUT { if ntimeouts == TLSGUARD_READ_TIMEOUT {
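Review bot: After the timeout branch appends `remainder[:numRead]` to `buffered`, `mlen` is left unchanged, so the next pass through `stage == 2` allocates and waits for another full `mlen` bytes and the record ends up carrying `numRead` extra bytes in front of it, unless `mlen` is reduced somewhere else in the loop (the loop body starts outside this hunk). Decrementing the outstanding length next to the append, `mlen -= numRead`, keeps the retry bounded to what is still missing. The deadline also grows from 1 to 2 seconds while `ntimeouts` is still only incremented in the non-timeout branch, which reads as inverted; if that is intentional a comment such as `// non-timeout read errors are retried up to TLSGUARD_READ_TIMEOUT times` would stop the next reader from "fixing" it. The matching `else { buffered = append(buffered, remainder...) }` in the following hunk is fine as written, since io.ReadFull returns a nil error only after filling `remainder`, so no separate note is needed there.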
@ -348,9 +350,9 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha
} }
} }
continue continue
} } else {
buffered = append(buffered, remainder...) buffered = append(buffered, remainder...)
}
//fmt.Printf("------- CHUNK READ: client: %v, err = %v, bytes = %v\n", is_client, err, len(buffered)) //fmt.Printf("------- CHUNK READ: client: %v, err = %v, bytes = %v\n", is_client, err, len(buffered))
cr := connReader{client: is_client, data: buffered, rtype: rtype, err: err} cr := connReader{client: is_client, data: buffered, rtype: rtype, err: err}
c <- cr c <- cr
@ -456,7 +458,7 @@ select_loop:
} }
alert_desc := int(int(cr.data[5])<<8 | int(cr.data[6])) alert_desc := int(int(cr.data[5])<<8 | int(cr.data[6]))
//fmt.Println("ALERT DESCRIPTION: ", alert_desc) fmt.Println("ALERT DESCRIPTION: ", alert_desc)
if cr.data[TLS_RECORD_HDR_LEN] == SSL3_AL_FATAL { if cr.data[TLS_RECORD_HDR_LEN] == SSL3_AL_FATAL {
return errors.New(fmt.Sprintf("TLSGuard dropped connection after fatal error alert detected")) return errors.New(fmt.Sprintf("TLSGuard dropped connection after fatal error alert detected"))
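Review bot: The alert description is now printed to stdout through `fmt.Println` while the surrounding code reports through the package logger (`log.Notice` in the session-resumption hunk below), reading the right-hand column as the commit's new side. If the line is meant to stay enabled, `log.Notice("TLSGuard alert description: ", alert_desc)` keeps it on the same channel as the other TLSGuard events; if it was a debugging aid it should go back behind the comment rather than ship as a stray print. On the next line `errors.New(fmt.Sprintf(...))` has no format verbs and can be `errors.New("TLSGuard dropped connection after fatal error alert detected")`, although that part is pre-existing. The same `fmt.Println` reporting appears on the read-error path in the last hunk.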
@ -479,14 +481,14 @@ select_loop:
if (client_sess || server_sess) && (client_change_cipher || server_change_cipher) { if (client_sess || server_sess) && (client_change_cipher || server_change_cipher) {
if handshakeMessageLenInt > len(cr.data)+9 { //if handshakeMessageLenInt > len(cr.data)+9 {
// log.Notice("TLSGuard saw what looks like a resumed encrypted session... passing connection through") log.Notice("TLSGuard saw what looks like a resumed encrypted session... passing connection through")
other.Write(cr.data) other.Write(cr.data)
dChan <- true dChan <- true
dChan2 <- true dChan2 <- true
x509Valid = true x509Valid = true
break select_loop break select_loop
} //}
} }
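Review bot: Commenting out the `handshakeMessageLenInt > len(cr.data)+9` guard makes the pass-through fire on the session-id and change-cipher flags alone, and the branch still sets `x509Valid = true` before `break select_loop`, so a connection can leave inspection marked valid without any certificate having been checked on a wider set of inputs than before (reading the right-hand column as the new side). If the length heuristic was wrong rather than unwanted, the condition that replaces it should be stated above the `log.Notice` line, e.g. `// resumed session: no certificate message will follow, stop inspecting and relay the remaining bytes as-is`; if the filter is meant to be gone, delete the `//if` / `//}` pair instead of leaving it commented out. Either way the notice is worth carrying the observed flags (`client_sess`, `server_sess`, `client_change_cipher`, `server_change_cipher`) so an operator can tell a genuine resumption from a connection that merely skipped inspection.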
@ -503,6 +505,9 @@ select_loop:
if s != SSL3_MT_CLIENT_HELLO { if s != SSL3_MT_CLIENT_HELLO {
server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST} server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST}
//SRC = "CLIENT"
} else {
//SRC = "SERVER"
} }
hello_offset := 4 hello_offset := 4
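Review bot: The new `} else {` on the `s != SSL3_MT_CLIENT_HELLO` test contains only the commented-out `//SRC = "SERVER"`, which leaves an empty else branch plus two pieces of dead code. Either drop the `else` together with both `//SRC` lines, or, if the source label is wanted for the log output, declare it and assign it in both branches so the intent is visible. The enclosing function starts outside this hunk.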
@ -685,13 +690,11 @@ select_loop:
// fmt.Printf("Sending chunk of type %d to client.\n", s) // fmt.Printf("Sending chunk of type %d to client.\n", s)
} else if cr.err != nil { } else if cr.err != nil {
ndone++ ndone++
if cr.client { if cr.client {
fmt.Println("Client read error: ", cr.err) fmt.Println("Client read error: ", cr.err)
} else { } else {
fmt.Println("Server read error: ", cr.err) fmt.Println("Server read error: ", cr.err)
} }
return cr.err return cr.err
} }
