tls restriction: check before doing bio

2025-03-09 00:00:04 +01:00 · 2021-06-25 07:43:09 +01:00 · 2021-06-25 07:43:09 +01:00 · d5475807b0
commit d5475807b0
parent 576bed631f
3 changed files with 23 additions and 15 deletions
--- a/lib/core-net/client/connect.c
+++ b/lib/core-net/client/connect.c
@ -537,7 +537,7 @@ bail2:
 #endif

 #if defined(LWS_WITH_TLS)
-	if (i->ssl_connection & LCCSCF_USE_SSL)
+	if (wsi->tls.ssl)
 		lws_tls_restrict_return(i->context);
 #endif

--- a/lib/tls/tls-client.c
+++ b/lib/tls/tls-client.c
@ -182,10 +182,6 @@ lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
 		int n;

 		if (!wsi->tls.ssl) {
-			if (lws_ssl_client_bio_create(wsi) < 0) {
-				*pcce = "bio_create failed";
-				return CCTLS_RETURN_ERROR;
-			}

 #if defined(LWS_WITH_TLS)
 			if (!wsi->transaction_from_pipeline_queue &&
@ -194,6 +190,11 @@ lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
 				return CCTLS_RETURN_ERROR;
 			}
 #endif
+
+			if (lws_ssl_client_bio_create(wsi) < 0) {
+				*pcce = "bio_create failed";
+				return CCTLS_RETURN_ERROR;
+			}
 		}

 		if (!do_c1)
--- a/lib/tls/tls.c
+++ b/lib/tls/tls.c
@ -58,16 +58,20 @@ lws_tls_restrict_borrow(struct lws_context *context)
 	}

 	context->simultaneous_ssl++;
+
+	lwsl_info("%s: %d -> %d\n", __func__,
+		  context->simultaneous_ssl - 1,
+		  context->simultaneous_ssl);
+
+	assert(context->simultaneous_ssl <=
+	       context->simultaneous_ssl_restriction);
+
 #if defined(LWS_WITH_SERVER)
 	if (context->simultaneous_ssl == context->simultaneous_ssl_restriction)
 		/* that was the last allowed SSL connection */
 		lws_gate_accepts(context, 0);
 #endif

-	lwsl_info("%s: %d -> %d\n", __func__,
-		  context->simultaneous_ssl - 1,
-		  context->simultaneous_ssl);
-
 	return 0;
 }

@ -77,14 +81,16 @@ lws_tls_restrict_return(struct lws_context *context)
 	if (context->simultaneous_ssl_restriction) {
 		int n = context->simultaneous_ssl--;

+		lwsl_info("%s: %d -> %d\n", __func__, n,
+			  context->simultaneous_ssl);
+
+		assert(context->simultaneous_ssl >= 0);
+
 #if defined(LWS_WITH_SERVER)
 		if (n == context->simultaneous_ssl_restriction)
 			/* we made space and can do an accept */
 			lws_gate_accepts(context, 1);
 #endif
-
-		lwsl_info("%s: %d -> %d\n", __func__, n,
-			  context->simultaneous_ssl);
 	}
 }

@ -100,6 +106,7 @@ lws_context_init_alpn(struct lws_vhost *vhost)

 	lwsl_info(" Server '%s' advertising ALPN: %s\n",
 		    vhost->name, alpn_comma);
+
 	vhost->tls.alpn_ctx.len = (uint8_t)lws_alpn_comma_to_openssl(alpn_comma,
 					vhost->tls.alpn_ctx.data,
 					sizeof(vhost->tls.alpn_ctx.data) - 1);
@ -107,9 +114,9 @@ lws_context_init_alpn(struct lws_vhost *vhost)
 	SSL_CTX_set_alpn_select_cb(vhost->tls.ssl_ctx, alpn_cb,
 				   &vhost->tls.alpn_ctx);
 #else
-	lwsl_err(
-		" HTTP2 / ALPN configured but not supported by OpenSSL 0x%lx\n",
-		    OPENSSL_VERSION_NUMBER);
+	lwsl_err(" HTTP2 / ALPN configured "
+		 "but not supported by OpenSSL 0x%lx\n",
+		 OPENSSL_VERSION_NUMBER);
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }