
commit 5315425aa239090655439634651c4ea28c9fdb8a
parent ddd2d667d09868b94ff8c4e20848f3f07c6dfcd2
Author: Evgeny Grin (Karlson2k) <k2k@drgrin.dev>
Date:   Thu, 18 Dec 2025 11:25:40 +0100

tls_open_funcs.c: implemented resetting partially initialised lib CTX

This is needed to ensure that partially applied configuration will not
be combined with the next tried configuration.

Diffstat:
Msrc/mhd2/tls_open_funcs.c | 138+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 125 insertions(+), 13 deletions(-)

diff --git a/src/mhd2/tls_open_funcs.c b/src/mhd2/tls_open_funcs.c
@@ -208,6 +208,58 @@ null_passwd_cb (char *buf,
 /**
+ * Create new empty OpenSSL library context
+ * @param d the daemon handle
+ * @param d_tls the daemon TLS settings
+ * @return 'true' on success,
+ * 'false' otherwise
+ */
+static MHD_FN_PAR_NONNULL_ALL_ MHD_FN_MUST_CHECK_RESULT_ bool
+create_lib_ctx (struct MHD_Daemon *restrict d,
+ struct mhd_TlsOpenDaemonData *restrict d_tls)
+{
+#ifndef MHD_SUPPORT_LOG_FUNCTIONALITY
+ (void) d; /* Used for logging only */
+#endif /* MHD_SUPPORT_LOG_FUNCTIONALITY */
+ mhd_assert (NULL == d_tls->libctx);
+
+ d_tls->libctx = OSSL_LIB_CTX_new ();
+
+ if (NULL == d_tls->libctx)
+ {
+ mhd_DBG_PRINT_TLS_ERRS ();
+ mhd_LOG_MSG (d, MHD_SC_TLS_DAEMON_INIT_FAILED, \
+ "Failed to create TLS library context");
+ return false;
+ }
+ return true;
+}
+
+
+/**
+ * Reset OpenSSL library context.
+ *
+ * This function must not be called if library context is being used.
+ * @param d the daemon handle
+ * @param d_tls the daemon TLS settings
+ * @return 'true' on success,
+ * 'false' otherwise
+ */
+static MHD_FN_PAR_NONNULL_ALL_ MHD_FN_MUST_CHECK_RESULT_ bool
+reset_lib_ctx (struct MHD_Daemon *restrict d,
+ struct mhd_TlsOpenDaemonData *restrict d_tls)
+{
+ mhd_assert (NULL != d_tls->libctx);
+
+ OSSL_LIB_CTX_free (d_tls->libctx);
+ d_tls->libctx = NULL;
+
+ return create_lib_ctx (d,
+ d_tls);
+}
+
+
+/**
 * Get non-default pathname for OpenSSL configuration file
 * @param s the application-provided settings
 * @param[out] conf_pathname set to the pathname on success
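Review bot: reset_lib_ctx's doc comment does not state what `d_tls->libctx` holds when it returns false; because `OSSL_LIB_CTX_free` runs before create_lib_ctx, a failed reset leaves `d_tls->libctx == NULL` and the previous context is gone, which the `/* Explicitly safe with NULL */` free added in daemon_init_lib_ctx later relies on. Suggest extending the @return block with `* On failure the old context has already been destroyed and d_tls->libctx is NULL.` so callers do not assume the previous context survives a failed reset. A matching one-line note on create_lib_ctx that `d_tls->libctx` stays NULL on failure would keep the pair consistent.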
@@ -359,6 +411,56 @@ daemon_load_conf_from_cfg (struct MHD_Daemon *restrict d,
 }
+static MHD_FN_PAR_NONNULL_ALL_
+MHD_FN_PAR_INOUT_ (2) MHD_FN_PAR_INOUT_ (4) bool
+cfg_reset_and_reload (struct MHD_Daemon *restrict d,
+ struct mhd_TlsOpenDaemonData *restrict d_tls,
+ const char *restrict filename,
+ CONF **restrict cfg_ptr)
+{
+#ifndef MHD_SUPPORT_LOG_FUNCTIONALITY
+ (void) d; /* Used for logging only */
+#endif /* MHD_SUPPORT_LOG_FUNCTIONALITY */
+ mhd_assert (NULL != *cfg_ptr);
+
+ mhd_DBG_PRINT_TLS_INFO_MSG ("Resetting library CTX, CONF and reloading "
+ "configuration file");
+
+ /* Destroy old cfg, which is connected to the library CTX */
+ NCONF_free (*cfg_ptr);
+ *cfg_ptr = NULL;
+
+ /* Reset OpenSSL library CTX, which may have partially applied configuration */
+ if (! reset_lib_ctx (d,
+ d_tls))
+ return false;
+
+ /* Create a new cfg connected to the new CTX */
+ *cfg_ptr = NCONF_new_ex (d_tls->libctx,
+ NULL);
+ if (NULL == *cfg_ptr)
+ {
+ mhd_DBG_PRINT_TLS_ERRS ();
+
+ mhd_DBG_PRINT_TLS_INFO_MSG ("Failed to create a new OpenSSL CONF");
+ return false;
+ }
+
+ if (0 >= NCONF_load (*cfg_ptr,
+ filename,
+ NULL))
+ {
+ mhd_DBG_PRINT_TLS_ERRS ();
+
+ mhd_DBG_PRINT_TLS_INFO_PARAM1 ("Failed to reload configuration file '%s'",
+ filename);
+ return false;
+ }
+
+ return true;
+}
+
+
 static inline MHD_FN_PAR_NONNULL_ALL_ bool
 is_conf_file_fallback_allowed (
 const struct mhd_TlsOpenDaemonData *restrict d_tls,
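Review bot: cfg_reset_and_reload has no header comment and, unlike create_lib_ctx and reset_lib_ctx in the same commit, is not marked `MHD_FN_MUST_CHECK_RESULT_`, although a caller that ignores its result continues with `*cfg_ptr` NULL or with `d_tls->libctx` NULL. Suggest adding the attribute to the declaration line and a doc comment stating that on success `*cfg_ptr` is a fresh CONF bound to a fresh library context with the file reloaded, that on failure `*cfg_ptr` may be NULL (and `d_tls->libctx` NULL when the reset itself failed), and that ownership of `*cfg_ptr` stays with the caller. Also, the NCONF_new_ex and NCONF_load failures are reported only through mhd_DBG_PRINT_TLS_* while create_lib_ctx uses mhd_LOG_MSG; if the debug macros are compiled out of release builds, the only diagnostic left for a failed reload is the generic context-initialisation failure message, so a `mhd_LOG_MSG (d, MHD_SC_TLS_DAEMON_INIT_FAILED, ...)` on both paths would be consistent.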
@@ -542,10 +644,17 @@ daemon_load_lib_conf (struct MHD_Daemon *restrict d,
 s->tls_app_name.v_disable_fallback ||
 mhd_LIBCTX_FORBIDS_FALLBACKS (d_tls));
- if (! conf_loaded &&
- (s->tls_app_name.v_disable_fallback ||
- mhd_LIBCTX_FORBIDS_FALLBACKS (d_tls)))
- ret = MHD_SC_TLS_DAEMON_INIT_FAILED;
+ if (! conf_loaded)
+ {
+ if (s->tls_app_name.v_disable_fallback ||
+ mhd_LIBCTX_FORBIDS_FALLBACKS (d_tls))
+ ret = MHD_SC_TLS_DAEMON_INIT_FAILED;
+ else if (! cfg_reset_and_reload (d,
+ d_tls,
+ conf_pathname,
+ &conf))
+ ret = MHD_SC_TLS_DAEMON_INIT_FAILED;
+ }
 }
 if (! conf_loaded &&
@@ -562,6 +671,12 @@ daemon_load_lib_conf (struct MHD_Daemon *restrict d,
 conf,
 flags,
 false);
+ if ((! conf_loaded) &&
+ (! cfg_reset_and_reload (d,
+ d_tls,
+ conf_pathname,
+ &conf)))
+ ret = MHD_SC_TLS_DAEMON_INIT_FAILED;
 }
 if (! conf_loaded &&
@@ -584,7 +699,7 @@ daemon_load_lib_conf (struct MHD_Daemon *restrict d,
 ret = MHD_SC_TLS_LIB_CONF_WARNING;
 }
- NCONF_free (conf);
+ NCONF_free (conf); /* Explicitly safe with NULL */
 }
 OPENSSL_free (conf_pathname);
@@ -608,15 +723,12 @@ daemon_init_lib_ctx (struct MHD_Daemon *restrict d,
 {
 enum MHD_StatusCode ret;
- d_tls->libctx = OSSL_LIB_CTX_new ();
+#ifndef HAVE_NULL_PTR_ALL_ZEROS
+ d_tls->libctx = NULL;
+#endif /* HAVE_NULL_PTR_ALL_ZEROS */
- if (NULL == d_tls->libctx)
- {
- mhd_DBG_PRINT_TLS_ERRS ();
- mhd_LOG_MSG (d, MHD_SC_TLS_DAEMON_INIT_FAILED, \
- "Failed to create TLS library context");
+ if (! create_lib_ctx (d, d_tls))
 return MHD_SC_TLS_DAEMON_INIT_FAILED;
- }
 if (NULL != s->tls_openssl_def_file.v_pathname)
 {
@@ -662,7 +774,7 @@ daemon_init_lib_ctx (struct MHD_Daemon *restrict d,
 mhd_assert (MHD_SC_TLS_LIB_CONF_WARNING != ret);
- OSSL_LIB_CTX_free (d_tls->libctx);
+ OSSL_LIB_CTX_free (d_tls->libctx); /* Explicitly safe with NULL */
 mhd_LOG_MSG (d, MHD_SC_TLS_DAEMON_INIT_FAILED, \
 "Failed to initialise TLS library context");
 return MHD_SC_TLS_DAEMON_INIT_FAILED;
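Review bot: when cfg_reset_and_reload fails in the @@ -542 hunk, `conf` is left NULL (or bound to a context with no file loaded) and `d_tls->libctx` may be NULL, yet the next attempt is gated by `if (! conf_loaded &&` whose remaining condition is outside the hunk; if that condition does not also test `ret`, daemon_load_conf_from_cfg appears to be reachable with a NULL `conf` after a failed reset. The same applies to the reset added at @@ -562. Separately, the final fallback at @@ -584 ends in MHD_SC_TLS_LIB_CONF_WARNING with no reset, so a partially applied configuration from the last attempt seems to remain in the library context the daemon continues with; if that is intended, a comment such as `/* Last attempt: a partially applied configuration is kept and only a warning is reported */` would make it explicit, otherwise a reset_lib_ctx there as well. daemon_load_lib_conf begins and ends outside these hunks.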
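Review bot: the `#ifndef HAVE_NULL_PTR_ALL_ZEROS` assignment in the @@ -608 hunk relies on `d_tls` having been zero-filled before daemon_init_lib_ctx runs, which is not visible here; create_lib_ctx asserts `NULL == d_tls->libctx`, so a caller passing a non-zeroed struct trips the assertion in debug builds and silently overwrites a stale pointer in release builds. An unconditional `d_tls->libctx = NULL;` removes that dependency at no cost; if the conditional form is deliberate, a comment such as `/* d_tls is zero-filled by the caller; only a non-all-zero NULL representation needs this */` would document the contract. daemon_init_lib_ctx's signature precedes the hunk and its body continues past it.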