For non-blocking sockets tls_connect_fds() could fail with EAGAIN.

Use the same logic from the read, write, accept functions to inform the caller wether a readable or writable socket is needed. After that event, the connect function must be called again. All the checks before connecting are done only once. OK tedu@
author: bluhm <> 2015-01-13 17:35:35 +0000
committer: bluhm <> 2015-01-13 17:35:35 +0000
commit: 3fd2d1d95424716eaf5c4ecf17d6bf0be444a372 (patch)
tree: 675defc54ce1d8f4c3d5203592fb373c717de34d
parent: dda895dbd2777a18c7cdf12a3ec6dd1c0c433b46 (diff)
download: openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.tar.gz
openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.tar.bz2
openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.zip
2 files changed, 22 insertions, 7 deletions
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 79b1baf648..c6117c3292 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.7 2015/01/02 16:38:07 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.8 2015/01/13 17:35:35 bluhm Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -135,7 +135,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 {
        union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
        X509 *cert = NULL;
-        int ret;
+        int ret, ssl_err;
+        if (ctx->flags & TLS_CONNECTING)
+                goto connecting;
        if ((ctx->flags & TLS_CLIENT) == 0) {
                tls_set_error(ctx, "not a client context");
@@ -198,11 +201,22 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                }
        }
+ connecting:
        if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
-                tls_set_error(ctx, "SSL connect failed: %i",
+                ssl_err = SSL_get_error(ctx->ssl_conn, ret);
-                    SSL_get_error(ctx->ssl_conn, ret));
+                switch (ssl_err) {
-                goto err;
+                case SSL_ERROR_WANT_READ:
+                        ctx->flags |= TLS_CONNECTING;
+                        return (TLS_READ_AGAIN);
+                case SSL_ERROR_WANT_WRITE:
+                        ctx->flags |= TLS_CONNECTING;
+                        return (TLS_WRITE_AGAIN);
+                default:
+                        tls_set_error(ctx, "SSL connect failed: %i", ssl_err);
+                        goto err;
+                }
        }
+        ctx->flags &= ~TLS_CONNECTING;
        if (ctx->config->verify_host) {
                cert = SSL_get_peer_certificate(ctx->ssl_conn);
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 4b250574ef..1a2bd388b7 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.5 2014/12/17 17:51:33 doug Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.6 2015/01/13 17:35:35 bluhm Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -44,7 +44,8 @@ struct tls_config {
 #define TLS_CLIENT              (1 << 0)
 #define TLS_SERVER              (1 << 1)
-#define TLS_SERVER_CONN (1 << 2)
+#define TLS_SERVER_CONN         (1 << 2)
+#define TLS_CONNECTING          (1 << 3)
 struct tls {
        struct tls_config *config;
author	bluhm <>	2015-01-13 17:35:35 +0000
committer	bluhm <>	2015-01-13 17:35:35 +0000
commit	3fd2d1d95424716eaf5c4ecf17d6bf0be444a372 (patch)
tree	675defc54ce1d8f4c3d5203592fb373c717de34d
parent	dda895dbd2777a18c7cdf12a3ec6dd1c0c433b46 (diff)
download	openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.tar.gz openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.tar.bz2 openbsd-3fd2d1d95424716eaf5c4ecf17d6bf0be444a372.zip