From: Stefan Eissing
Date: Wed, 22 Oct 2025 08:39:58 +0000 (+0200)
Subject: gnutls: fix re-handshake comments
X-Git-Tag: rc-8_17_0-3~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fcae0733a7c55e712955b0f6df24fc8412023e2d;p=thirdparty%2Fcurl.git

gnutls: fix re-handshake comments

With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a key update in TLSv1.3. This had been made non-blocking in a1850ad7debe33fded6367e34d5c06be4d51f58e but the comment warning about a blocking call was not updated.

Closes #19187
---
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 1c0a6fb2d6..19c2ce893f 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -239,8 +239,8 @@ static void unload_file(gnutls_datum_t data)
 /* this function does an SSL/TLS (re-)handshake */
-static CURLcode handshake(struct Curl_cfilter *cf,
- struct Curl_easy *data)
+static CURLcode cf_gtls_handshake(struct Curl_cfilter *cf,
+ struct Curl_easy *data)
 {
 struct ssl_connect_data *connssl = cf->ctx;
 struct gtls_ssl_backend_data *backend =
@@ -2005,7 +2005,7 @@ static CURLcode gtls_connect_common(struct Curl_cfilter *cf,
 DEBUGASSERT((connssl->earlydata_state == ssl_earlydata_none) ||
 (connssl->earlydata_state == ssl_earlydata_sent));
 #endif
- result = handshake(cf, data);
+ result = cf_gtls_handshake(cf, data);
 if(result)
 goto out;
 connssl->connecting_state = ssl_connect_3;
@@ -2265,11 +2265,10 @@ static CURLcode gtls_recv(struct Curl_cfilter *cf,
 goto out;
 }
 else if(nread == GNUTLS_E_REHANDSHAKE) {
- /* BLOCKING call, this is bad but a work-around for now. Fixing this "the
- proper way" takes a whole lot of work. */
- result = handshake(cf, data);
+ /* Either TLSv1.2 renegotiate or a TLSv1.3 session key update. */
+ result = cf_gtls_handshake(cf, data);
 if(!result)
- result = CURLE_AGAIN; /* then return as if this was a wouldblock */
+ result = CURLE_AGAIN; /* make us get called again. */
 goto out;
 }
 else {
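Review bot: The replacement comment on the CURLE_AGAIN assignment in the gtls_recv hunk, `/* make us get called again. */`, no longer says why the retry is needed: nread holds the GNUTLS_E_REHANDSHAKE code rather than a byte count, so no application data was delivered by this call, and the handshake step is non-blocking per the commit message, so the caller must re-invoke gtls_recv to make progress. I would fold both facts into the hunk's first new comment, `/* Either TLSv1.2 renegotiate or a TLSv1.3 session key update; the handshake is non-blocking and no application data was read, so return CURLE_AGAIN to have the caller retry. */`. The same gap remains in the first hunk, where the kept header `/* this function does an SSL/TLS (re-)handshake */` still does not state that cf_gtls_handshake is non-blocking, which is exactly what the removed warning was about. Because a peer can raise GNUTLS_E_REHANDSHAKE repeatedly mid-stream, the comment could also say whether repeated renegotiation is bounded somewhere, which I cannot tell from the hunk since cf_gtls_handshake's body is not shown. gtls_recv starts and ends outside the hunk.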