author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-11-21 20:55:35 +0100 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-12-22 12:25:14 +0100 |
commit | e0314df5f21dd537602d4ea8d9272a21aac66356 (patch) | |
tree | 8ff2bd6fd3fcdb90061b1369a3eb97e4d49593ff /apps | |
parent | fbadef597c906711d82d8bfd9c4d5276ea981db7 (diff) |
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up, on disconnect, the SSL BIO it pushes on connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17318)
(cherry picked from commit cdaf072f90399efb9e8e19ee4f387d1425f12274)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/lib/apps.c | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e01633c5b5..6a762b7668 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2442,7 +2442,7 @@ static const char *tls_error_hint(void)
 }
 /* HTTP callback function that supports TLS connection also via HTTPS proxy */
-BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
 {
 if (connect && detail) { /* connecting with TLS */
 APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
@@ -2451,7 +2451,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
 BIO *sbio = NULL;
 if ((info->use_proxy
- && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
+ && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
 NULL, NULL, /* no proxy credentials */
 info->timeout, bio_err, opt_getprog()))
 || (sbio = BIO_new(BIO_f_ssl())) == NULL) {
@@ -2467,18 +2467,25 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
 SSL_set_connect_state(ssl);
 BIO_set_ssl(sbio, ssl, BIO_CLOSE);
- hbio = BIO_push(sbio, hbio);
- } else if (!connect && !detail) { /* disconnecting after error */
- const char *hint = tls_error_hint();
-
- if (hint != NULL)
- ERR_add_error_data(2, " : ", hint);
- /*
- * If we pop sbio and BIO_free() it this may lead to libssl double free.
- * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
- */
+ bio = BIO_push(sbio, bio);
 }
- return hbio;
+ if (!connect) {
+ const char *hint;
+ BIO *cbio;
+
+ if (!detail) { /* disconnecting after error */
+ hint = tls_error_hint();
+ if (hint != NULL)
+ ERR_add_error_data(2, " : ", hint);
+ }
+ (void)ERR_set_mark();
+ BIO_ssl_shutdown(bio);
+ cbio = BIO_pop(bio); /* connect+HTTP BIO */
+ BIO_free(bio); /* SSL BIO */
+ (void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+ bio = cbio;
+ }
+ return bio;
 }
 void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info) |
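Review bot: The new disconnect branch `if (!connect)` pops and frees `bio` as if it were the SSL BIO, but the connect branch only pushes one when `connect && detail` holds, so the two paths are not symmetric: if the HTTP client invokes this callback on disconnect for a connection that was opened without TLS (`detail == 0` on connect, which the flag's existence suggests is possible), `BIO_pop(bio)` detaches and `BIO_free(bio)` frees the caller's own connect/HTTP BIO, and with nothing below it the callback presumably returns NULL, which the caller can only read as failure after its BIO is already gone. I would guard the teardown on the BIO actually being the one this function pushed, e.g. wrap the `ERR_set_mark()` … `bio = cbio;` lines in `if (BIO_method_type(bio) == BIO_TYPE_SSL) { … }` so a non-TLS chain is returned untouched, keeping the `tls_error_hint()` part as is. It is also worth a comment on `cbio = BIO_pop(bio);` that the caller is expected to free the returned BIO, since the old comment about relying on `BIO_free_all()` in http_client.c was dropped and the ownership contract now lives only in OSSL_HTTP_close(), outside this diff. The body of app_http_tls_cb() begins before this hunk.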