ss: server: make sure failures after adopt invalidate ss copy of wsi

For server, if the adoption of the incoming connection proceeds but then
fails early on, eg, tls alert due to hostname mismatch with cert, the
wsi close happens but it doesn't clean up the invalidated reference to
itself in the server ss object... if it became established, that's handled
by the ss protocol callback.

This patch helps the close path to understand there is a related ss object
and to clean up after itself.

lib/core-net/adopt.c

@@ -270,6 +270,7 @@ lws_adopt_ss_server_accept(struct lws *new_wsi)
 	h->wsi = new_wsi;
 	new_wsi->a.opaque_user_data = h;
 	h->info.flags |= LWSSSINFLAGS_ACCEPTED;
+	new_wsi->for_ss = 1; /* indicate wsi should invalidate any ss link to it on close */
 
 	// lwsl_notice("%s: opaq %p, role %s\n", __func__,
 	//		new_wsi->a.opaque_user_data, new_wsi->role_ops->name);

lib/core-net/close.c

@@ -483,6 +483,23 @@ just_kill_connection:
 		wsi->protocol_bind_balance = 0;
 	}
 
+#if defined(LWS_WITH_SECURE_STREAMS) && defined(LWS_WITH_SERVER)
+	if (wsi->for_ss) {
+		/*
+		 * We were adopted for a particular ss, but, eg, we may not
+		 * have succeeded with the connection... we are closing which is
+		 * good, but we have to invalidate any pointer the related ss
+		 * handle may be holding on us
+		 */
+		lws_ss_handle_t *h = (lws_ss_handle_t *)wsi->a.opaque_user_data;
+
+		if (h) {
+			h->wsi = NULL;
+			wsi->a.opaque_user_data = NULL;
+		}
+	}
+#endif
+
 #if defined(LWS_WITH_CLIENT)
 	if ((lwsi_state(wsi) == LRS_WAITING_SERVER_REPLY ||
 	     lwsi_state(wsi) == LRS_WAITING_DNS ||

lib/core-net/private-lib-core-net.h

@@ -837,6 +837,9 @@ struct lws {
 	unsigned int			could_have_pending:1; /* detect back-to-back writes */
 	unsigned int			outer_will_close:1;
 	unsigned int			shadow:1; /* we do not control fd lifecycle at all */
+#if defined(LWS_WITH_SECURE_STREAMS)
+	unsigned int			for_ss:1;
+#endif
 
 #ifdef LWS_WITH_ACCESS_LOG
 	unsigned int			access_log_pending:1;