Fix handling kore_tls_connection_accept() return codes.

When this code was moved from src/connection.c into src/tls_openssl.c a return wouldn't break us out from kore_connection_handle() as previously expected. This ment that Kore would move the connection into established state immediately even if SSL_accept() needed to read more. This broke TLS client authentication as Kore its belts and suspenders kept throwing a 403 due to the code not properly obtaining the client certificate when expected.
2025-03-09 04:29:02 -04:00 · 2022-03-21 12:23:38 +01:00 · 2022-03-21 12:23:38 +01:00 · 38d7a5f88d
commit 38d7a5f88d
parent 5bfd61d136
2 changed files with 9 additions and 3 deletions
--- a/src/connection.c
+++ b/src/connection.c
@ -259,8 +259,14 @@ kore_connection_handle(struct connection *c)

 	switch (c->state) {
 	case CONN_STATE_TLS_SHAKE:
-		if (!kore_tls_connection_accept(c))
+		switch (kore_tls_connection_accept(c)) {
+		case KORE_RESULT_OK:
+			break;
+		case KORE_RESULT_RETRY:
+			return (KORE_RESULT_OK);
+		default:
 			return (KORE_RESULT_ERROR);
+		}

 		if (c->owner != NULL) {
 			listener = (struct listener *)c->owner;
--- a/src/tls_openssl.c
+++ b/src/tls_openssl.c
@ -453,7 +453,7 @@ kore_tls_connection_accept(struct connection *c)
 		case SSL_ERROR_WANT_READ:
 		case SSL_ERROR_WANT_WRITE:
 			kore_connection_start_idletimer(c);
-			return (KORE_RESULT_OK);
+			return (KORE_RESULT_RETRY);
 		default:
 			if (c->flags & CONN_LOG_TLS_FAILURE) {
 				kore_log(LOG_NOTICE,
@ -467,7 +467,7 @@ kore_tls_connection_accept(struct connection *c)
 	if (c->proto == CONN_PROTO_ACME_ALPN) {
 		kore_log(LOG_INFO, "disconnecting acme client");
 		kore_connection_disconnect(c);
-		return (KORE_RESULT_OK);
+		return (KORE_RESULT_ERROR);
 	}
 #endif