aports/community/csync2/CVE-2019-15523.patch

From 92742544a56bcbcd9ec99ca15f898b31797e39e2 Mon Sep 17 00:00:00 2001
From: Malte Kraus <malte.kraus@suse.com>
Date: Tue, 13 Aug 2019 13:36:26 +0200
Subject: [PATCH] repeat gnutls_handshake() call in case of warnings

that's what the semantics of this call require
---
 conn.c | 71 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 39 insertions(+), 32 deletions(-)

diff --git a/conn.c b/conn.c
index be26f72..c013860 100644
--- a/conn.c
+++ b/conn.c
@@ -276,6 +276,7 @@ int conn_activate_ssl(int server_role)
 	char *ssl_keyfile;
 	char *ssl_certfile;
 	int err;
+	int handshake_repeat = 0;
 
 	if (csync_conn_usessl)
 		return 0;
@@ -333,40 +334,46 @@ int conn_activate_ssl(int server_role)
 		(gnutls_transport_ptr_t)(long)conn_fd_out
 	);
 
-	err = gnutls_handshake(conn_tls_session);
-	switch(err) {
-	case GNUTLS_E_SUCCESS:
-		break;
-
-	case GNUTLS_E_WARNING_ALERT_RECEIVED:
-		alrt = gnutls_alert_get(conn_tls_session);
-		fprintf(
-			csync_debug_out,
-			"SSL: warning alert received from peer: %d (%s).\n",
-			alrt, gnutls_alert_get_name(alrt)
-		);
-		break;
-
-	case GNUTLS_E_FATAL_ALERT_RECEIVED:
-		alrt = gnutls_alert_get(conn_tls_session);
-		fprintf(
-			csync_debug_out,
-			"SSL: fatal alert received from peer: %d (%s).\n",
-			alrt, gnutls_alert_get_name(alrt)
-		);
 
-	default:
-		gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
-		gnutls_deinit(conn_tls_session);
-		gnutls_certificate_free_credentials(conn_x509_cred);
-		gnutls_global_deinit();
+	do {
+		handshake_repeat = 0;
+		err = gnutls_handshake(conn_tls_session);
+		switch(err) {
+		case GNUTLS_E_SUCCESS:
+			break;
 
-		csync_fatal(
-			"SSL: handshake failed: %s (%s)\n",
-			gnutls_strerror(err),
-			gnutls_strerror_name(err)
-		);
-	}
+		case GNUTLS_E_WARNING_ALERT_RECEIVED:
+			alrt = gnutls_alert_get(conn_tls_session);
+			fprintf(
+				csync_debug_out,
+				"SSL: warning alert received from peer: %d (%s).\n",
+				alrt, gnutls_alert_get_name(alrt)
+			);
+			handshake_repeat = 1;
+			break;
+
+		case GNUTLS_E_FATAL_ALERT_RECEIVED:
+			alrt = gnutls_alert_get(conn_tls_session);
+			fprintf(
+				csync_debug_out,
+				"SSL: fatal alert received from peer: %d (%s).\n",
+				alrt, gnutls_alert_get_name(alrt)
+			);
+			// fall-through!
+
+		default:
+			gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+			gnutls_deinit(conn_tls_session);
+			gnutls_certificate_free_credentials(conn_x509_cred);
+			gnutls_global_deinit();
+
+			csync_fatal(
+				"SSL: handshake failed: %s (%s)\n",
+				gnutls_strerror(err),
+				gnutls_strerror_name(err)
+			);
+		}
+	} while (handshake_repeat);
 
 	csync_conn_usessl = 1;