From: Grigorii Demidov
Date: Mon, 26 Nov 2018 16:32:16 +0000 (+0100)
Subject: daemon/tls, daemon/worker: fix rehandshake processing
X-Git-Tag: v3.2.0~22^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20e8fe26a8dc5f26ab918a29f69d38af3e60144a;p=thirdparty%2Fknot-resolver.git

daemon/tls, daemon/worker: fix rehandshake processing
---
diff --git a/NEWS b/NEWS
index b1ac30248..dcd94a168 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ Bugfixes
 --------
 - http module: only run prometheus in parent process if using --forks=N,
 as the submodule collects metrics from all sub-processes as well.
+- policy.TLS_FORWARD fixes (!714)
 - fix build with -DNOVERBOSELOG (#424)
 
 Improvements
diff --git a/daemon/tls.c b/daemon/tls.c
index 008eb0427..3a3863981 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -482,6 +482,9 @@ ssize_t tls_process_input_data(struct session *s, const uint8_t *buf, ssize_t nr
 continue;
 } else if (count == GNUTLS_E_REHANDSHAKE) {
 /* See https://www.gnutls.org/manual/html_node/Re_002dauthentication.html */
+ struct sockaddr *peer = session_get_peer(s);
+ kr_log_verbose("[%s] TLS rehandshake with %s has started\n",
+ logstring, kr_straddr(peer));
 tls_set_hs_state(tls_p, TLS_HS_IN_PROGRESS);
 while (tls_p->handshake_state <= TLS_HS_IN_PROGRESS) {
 int err = tls_handshake(tls_p, tls_p->handshake_cb);
diff --git a/daemon/worker.c b/daemon/worker.c
index cc7f9b07c..aafcf9027 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
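Review bot: The argument `kr_straddr(peer)` in the new kr_log_verbose() call in daemon/tls.c is handed straight to a `%s` conversion, and if kr_straddr() can return NULL (presumably it does for an address it cannot format, and session_get_peer() may itself return NULL for a session without a peer — neither is visible here), that is undefined behaviour in the format call; guard it with something like `const char *addr = kr_straddr(peer);` followed by `logstring, addr ? addr : "(unknown)");` as the second argument line. The `peer` local is only read, so it can be declared `const struct sockaddr *peer = session_get_peer(s);`. The log line is also the only record that a rehandshake happened, and nothing in the hunk bounds how often a single connection can re-enter this branch, so unless a limit exists elsewhere a per-session rehandshake count in the message would help an operator notice a peer that renegotiates repeatedly. tls_process_input_data() begins and ends outside the hunk.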
@@ -713,8 +713,19 @@ static int session_tls_hs_cb(struct session *session, int status)
 }
 }
- ret = worker_add_tcp_connected(worker, peer, session);
- if (deletion_res == kr_ok() && ret == kr_ok()) {
+ ret = kr_ok();
+ if (deletion_res == kr_ok()) {
+ /* peer was in the waiting list, add to the connected list. */
+ ret = worker_add_tcp_connected(worker, peer, session);
+ } else {
+ /* peer wasn't in the waiting list.
+ * In this case it must be successful rehandshake.
+ * Peer must be already in the connected list. */
+ const char *key = tcpsess_key(peer);
+ assert(key);
+ assert(map_contains(&worker->tcp_connected, key) != 0);
+ }
+ if (ret == kr_ok()) {
 while (!session_waitinglist_is_empty(session)) {
 struct qr_task *t = session_waitinglist_get(session);
 ret = qr_task_send(t, session, NULL, NULL);
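Review bot: The two `assert()` calls in the new else branch are the only check that the peer is already in `worker->tcp_connected`, and both compile to nothing under NDEBUG, so a release build falls through to `if (ret == kr_ok())` and drains the waiting list over a session that is in neither list; in that build `key` also becomes an unused variable. Replace them with a runtime check that fails the callback the same way a failed worker_add_tcp_connected() does, `if (!key || !map_contains(&worker->tcp_connected, key)) { ret = kr_error(EINVAL); }`, keeping the assert only as an additional debug-build aid if wanted. The comment on the else branch would read more precisely as `/* Not in the waiting list: this must be a completed rehandshake on a connection that is already in tcp_connected. */`. How a non-ok `ret` is handled after this block is outside the hunk, as is the start of session_tls_hs_cb().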