kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit 38d7a5f88d31335687e62c6872c55cbd4ed3795d
parent 5bfd61d13630fa89d795ea94c05bfc336ab907c5
Author: Joris Vink <joris@coders.se>
Date:   Mon, 21 Mar 2022 12:23:38 +0100

Fix handling kore_tls_connection_accept() return codes.

When this code was moved from src/connection.c into src/tls_openssl.c
a return wouldn't break us out from kore_connection_handle() as
previously expected.

This meant that Kore would move the connection into established state
immediately even if SSL_accept() needed to read more.

This broke TLS client authentication as Kore's belts and suspenders
kept throwing a 403 due to the code not properly obtaining the client
certificate when expected.

Diffstat:
src/connection.c | 8+++++++-
src/tls_openssl.c | 4++--
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/connection.c b/src/connection.c @@ -259,8 +259,14 @@ kore_connection_handle(struct connection *c) switch (c->state) { case CONN_STATE_TLS_SHAKE: - if (!kore_tls_connection_accept(c)) + switch (kore_tls_connection_accept(c)) { + case KORE_RESULT_OK: + break; + case KORE_RESULT_RETRY: + return (KORE_RESULT_OK); + default: return (KORE_RESULT_ERROR); + } if (c->owner != NULL) { listener = (struct listener *)c->owner; diff --git a/src/tls_openssl.c b/src/tls_openssl.c @@ -453,7 +453,7 @@ kore_tls_connection_accept(struct connection *c) case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: kore_connection_start_idletimer(c); - return (KORE_RESULT_OK); + return (KORE_RESULT_RETRY); default: if (c->flags & CONN_LOG_TLS_FAILURE) { kore_log(LOG_NOTICE, @@ -467,7 +467,7 @@ kore_tls_connection_accept(struct connection *c) if (c->proto == CONN_PROTO_ACME_ALPN) { kore_log(LOG_INFO, "disconnecting acme client"); kore_connection_disconnect(c); - return (KORE_RESULT_OK); + return (KORE_RESULT_ERROR); } #endif
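Review bot: in the src/connection.c hunk, the `case KORE_RESULT_RETRY: return (KORE_RESULT_OK);` arm works by leaving `c->state` at CONN_STATE_TLS_SHAKE so the handshake is resumed on the next I/O event, but nothing in the hunk says so; a one-line comment above that arm would spare the next reader the same confusion this commit fixes. KORE_RESULT_RETRY is also not introduced by this patch (the diffstat touches only src/connection.c and src/tls_openssl.c), so it must already be defined with a value distinct from KORE_RESULT_OK and KORE_RESULT_ERROR; worth confirming, since the `default:` arm now turns any other code into a hard error.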
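Review bot: the first src/tls_openssl.c hunk changes kore_tls_connection_accept() from a two-valued to a three-valued contract (OK / RETRY / ERROR), but only this OpenSSL backend is updated; if any other TLS backend implements the same function it will keep returning KORE_RESULT_OK for SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE and reintroduce the bug described in the commit message, and the function's header comment should document what each return code now means to the caller. Starting the idle timer before returning KORE_RESULT_RETRY is correct: the half-finished handshake is now genuinely waiting on peer I/O.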
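Review bot: in the ACME ALPN hunk, returning KORE_RESULT_ERROR after kore_connection_disconnect(c) sends the connection through the caller's `default: return (KORE_RESULT_ERROR);` arm, so it is torn down twice (once here, once by the caller's error path); confirm that kore_connection_handle()'s error handling tolerates a connection that is already marked disconnected, or drop the explicit disconnect and let the error return do it. Keeping the old KORE_RESULT_OK would have been wrong under the new caller switch, since it would let the disconnected ACME connection fall through into the established-state setup, so the change of code is needed; the question is only whether the disconnect call is still needed alongside it.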