WL#15154 patch #5 Establish TLS

zmur · zmur · commit 55fae716c5ca · 2023-10-19T15:35:20.000+02:00
Post push fix. Add missing calls to close to avoid socket leaks.

Had Change-Id: I4bfc2209e6f976aa5642a3c7fa6f12395e9fdc60

Change-Id: Idbe81f0f70bbf827b673d5842b65a74f79a455f9
diff --git a/storage/ndb/src/common/transporter/Transporter.cpp b/storage/ndb/src/common/transporter/Transporter.cpp
@@ -47,7 +47,7 @@
 #define DEBUG_FPRINTF(a)
 #endif
 
-//#define DEBUG_MULTI_TRP 1
+// #define DEBUG_MULTI_TRP 1
 
 #ifdef DEBUG_MULTI_TRP
 #define DEB_MULTI_TRP(arglist)   \
@@ -324,15 +324,18 @@ bool Transporter::connect_client() {
       struct ssl_st *ssl = NdbSocket::get_client_ssl(ctx);
       if (ssl == nullptr) {
         tls_error(TlsKeyError::no_local_cert);
+        secureSocket.close();
         DBUG_RETURN(false);
       }
       if (!secureSocket.associate(ssl)) {
         tls_error(TlsKeyError::openssl_error);
         NdbSocket::free_ssl(ssl);
+        secureSocket.close();
         DBUG_RETURN(false);
       }
       if (!secureSocket.do_tls_handshake()) {
         tls_error(TlsKeyError::authentication_failure);
+        // secureSocket closed by do_tls_handshake
         DBUG_RETURN(false);
       }
 
@@ -341,6 +344,7 @@ bool Transporter::connect_client() {
           TlsKeyManager::check_server_host_auth(secureSocket, remoteHostName);
       if (auth) {
         tls_error(auth);
+        secureSocket.close();
         DBUG_RETURN(false);
       }
     }
diff --git a/storage/ndb/src/common/transporter/TransporterRegistry.cpp b/storage/ndb/src/common/transporter/TransporterRegistry.cpp
@@ -129,13 +129,22 @@ SocketServer::Session *TransporterService::newSession(
       struct ssl_ctx_st *ctx = m_transporter_registry->m_tls_keys.ctx();
       struct ssl_st *ssl = NdbSocket::get_server_ssl(ctx);
       if (ssl == nullptr) {
+        DEBUG_FPRINTF((stderr,
+                       "Failed to authenticate new session, no server "
+                       "cerificate\n"));
+        secureSocket.close_with_reset();
         DBUG_RETURN(nullptr);
       }
       if (!secureSocket.associate(ssl)) {
+        DEBUG_FPRINTF((stderr,
+                       "Failed to authenticate new session, fail to "
+                       "associate certificate with connection\n"));
         NdbSocket::free_ssl(ssl);
+        secureSocket.close_with_reset();
         DBUG_RETURN(nullptr);
       }
       if (!secureSocket.do_tls_handshake()) {
+        // secureSocket closed by do_tls_handshake
         DBUG_RETURN(nullptr);
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -129,13 +129,22 @@ SocketServer::Session *TransporterService::newSession(`
`129`	`129`	`struct ssl_ctx_st *ctx = m_transporter_registry->m_tls_keys.ctx();`
`130`	`130`	`struct ssl_st *ssl = NdbSocket::get_server_ssl(ctx);`
`131`	`131`	`if (ssl == nullptr) {`
	`132`	`+ DEBUG_FPRINTF((stderr,`
	`133`	`+ "Failed to authenticate new session, no server "`
	`134`	`+ "cerificate\n"));`
	`135`	`+ secureSocket.close_with_reset();`
`132`	`136`	`DBUG_RETURN(nullptr);`
`133`	`137`	`}`
`134`	`138`	`if (!secureSocket.associate(ssl)) {`
	`139`	`+ DEBUG_FPRINTF((stderr,`
	`140`	`+ "Failed to authenticate new session, fail to "`
	`141`	`+ "associate certificate with connection\n"));`
`135`	`142`	`NdbSocket::free_ssl(ssl);`
	`143`	`+ secureSocket.close_with_reset();`
`136`	`144`	`DBUG_RETURN(nullptr);`
`137`	`145`	`}`
`138`	`146`	`if (!secureSocket.do_tls_handshake()) {`
	`147`	`+ // secureSocket closed by do_tls_handshake`
`139`	`148`	`DBUG_RETURN(nullptr);`
`140`	`149`	`}`
`141`	`150`	`}`