From 1cf08f0a268eacc345b6cc48921ee25748ded175 Mon Sep 17 00:00:00 2001
From: Andre lorbach
Date: Tue, 6 Oct 2020 14:24:51 +0200
Subject: [PATCH 68/73] gnutls: Added handshake error handling into doRetry handler.

If the tls handshake does not immediatelly finish, gnutls_handShake is called in doRetry handler again. However the error handling was not complete in the doRetry handler. A failed gnutls_handShake call did not abort the connection and properly caused unexpected problems like in issues:
https://github.com/rsyslog/rsyslog/issues/4270
https://github.com/rsyslog/rsyslog/issues/4288
---
 runtime/nsdsel_gtls.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
index 195431514..6ed7187e5 100644
--- a/runtime/nsdsel_gtls.c
+++ b/runtime/nsdsel_gtls.c
@@ -150,10 +150,20 @@ doRetry(nsd_gtls_t *pNsd)
 switch(pNsd->rtryCall) {
 case gtlsRtry_handshake:
 gnuRet = gnutls_handshake(pNsd->sess);
- if(gnuRet == 0) {
+ if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
+ dbgprintf("GnuTLS handshake retry did not finish - " "setting to retry (this is OK and can happen)\n");
+ FINALIZE;
+ } else if(gnuRet == 0) {
 pNsd->rtryCall = gtlsRtry_None; /* we are done */
 /* we got a handshake, now check authorization */
 CHKiRet(gtlsChkPeerAuth(pNsd));
+ } else {
+ uchar *pGnuErr = gtlsStrerror(gnuRet);
+ LogError(0, RS_RET_TLS_HANDSHAKE_ERR, "GnuTLS handshake retry returned error: %s\n", pGnuErr);
+ free(pGnuErr);
+ ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
 }
 break;
 case gtlsRtry_recv:
-- 
2.23.0
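Review bot: The new final `else` in the `gtlsRtry_handshake` case treats every return other than 0, `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED` as fatal, but gnutls_handshake() also documents non-fatal returns such as `GNUTLS_E_WARNING_ALERT_RECEIVED` (and `GNUTLS_E_GOT_APPLICATION_DATA` under TLS 1.3) that the caller is expected to retry, so with this hunk such a return tears down an otherwise healthy connection with a misleading "handshake error". Testing `gnuRet == 0` first and then using `} else if(gnutls_error_is_fatal(gnuRet) == 0) {` as the retry condition (keeping the existing dbgprintf/FINALIZE body) covers AGAIN/INTERRUPTED and the other non-fatal codes uniformly, with only genuinely fatal codes reaching the LogError/ABORT_FINALIZE path. The fatal branch also leaves `pNsd->rtryCall` at `gtlsRtry_handshake`; if the caller does not close the nsd on `RS_RET_TLS_HANDSHAKE_ERR` (not visible here), the next select cycle would call gnutls_handshake() on the already-failed session again, so consider `pNsd->rtryCall = gtlsRtry_None;` before the `ABORT_FINALIZE`. doRetry() begins before and ends after this hunk.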