commit 38d7a5f88d31335687e62c6872c55cbd4ed3795d
parent 5bfd61d13630fa89d795ea94c05bfc336ab907c5
Author: Joris Vink <joris@coders.se>
Date: Mon, 21 Mar 2022 12:23:38 +0100
Fix handling kore_tls_connection_accept() return codes.
When this code was moved from src/connection.c into src/tls_openssl.c
a return wouldn't break us out from kore_connection_handle() as
previously expected.
This meant that Kore would move the connection into established state
immediately even if SSL_accept() needed to read more.
This broke TLS client authentication as Kore its belts and suspenders
kept throwing a 403 due to the code not properly obtaining the client
certificate when expected.
Diffstat:
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/connection.c b/src/connection.c
@@ -259,8 +259,14 @@ kore_connection_handle(struct connection *c)
switch (c->state) {
case CONN_STATE_TLS_SHAKE:
- if (!kore_tls_connection_accept(c))
+ switch (kore_tls_connection_accept(c)) {
+ case KORE_RESULT_OK:
+ break;
+ case KORE_RESULT_RETRY:
+ return (KORE_RESULT_OK);
+ default:
return (KORE_RESULT_ERROR);
+ }
if (c->owner != NULL) {
listener = (struct listener *)c->owner;
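Review bot: The `case KORE_RESULT_RETRY:` arm returns `KORE_RESULT_OK` with no comment explaining that the connection deliberately stays in `CONN_STATE_TLS_SHAKE`. This early return is what keeps the client-certificate handling further down from running on an unfinished handshake, so a later refactor could easily reintroduce the bug. I would add above the return something like `/* Handshake not finished: stay in CONN_STATE_TLS_SHAKE, no peer certificate is available yet. */`. Routing every other value through `default:` to `KORE_RESULT_ERROR` is the right fail-closed choice and worth keeping. The body of kore_connection_handle() continues outside this hunk.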
diff --git a/src/tls_openssl.c b/src/tls_openssl.c
@@ -453,7 +453,7 @@ kore_tls_connection_accept(struct connection *c)
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
kore_connection_start_idletimer(c);
- return (KORE_RESULT_OK);
+ return (KORE_RESULT_RETRY);
default:
if (c->flags & CONN_LOG_TLS_FAILURE) {
kore_log(LOG_NOTICE,
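Review bot: kore_tls_connection_accept() now returns three distinct results, but nothing visible in this hunk documents that contract for other callers or TLS backends. A header comment on the function should say that `KORE_RESULT_OK` means the handshake completed, `KORE_RESULT_RETRY` means `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` and the caller must not treat the connection as established, and `KORE_RESULT_ERROR` means the handshake failed. Any remaining caller that still tests the result as a boolean, the way the removed `if (!kore_tls_connection_accept(c))` did, would presumably take a non-zero RETRY for success, so the call sites are worth checking. The function starts and ends outside this hunk.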
@@ -467,7 +467,7 @@ kore_tls_connection_accept(struct connection *c)
if (c->proto == CONN_PROTO_ACME_ALPN) {
kore_log(LOG_INFO, "disconnecting acme client");
kore_connection_disconnect(c);
- return (KORE_RESULT_OK);
+ return (KORE_RESULT_ERROR);
}
#endif
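Review bot: In the `CONN_PROTO_ACME_ALPN` branch the connection has already been handed to `kore_connection_disconnect(c)` when `KORE_RESULT_ERROR` is returned, and kore_connection_handle() now propagates that error to its own caller. Whether that caller's error path also disconnects or releases `c` is not visible here, so please confirm that a second disconnect is harmless. A short comment such as `/* c is already disconnected here; the caller's error path must tolerate that. */` would record the assumption. The enclosing conditional block and the function begin outside this hunk.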