prevent ssl errors or reference count errors when copying around ssl objects

2018-03-08 11:04:39 +01:00 · 2018-03-08 11:04:39 +01:00 · 25df834e74
parent cea5a54487
commit 25df834e74
6 changed files with 24 additions and 42 deletions
--- a/src/linux_tcp/openssl.h
+++ b/src/linux_tcp/openssl.h
@ -43,7 +43,6 @@ int      SSL_shutdown(SSL *ssl);
 int      SSL_set_fd(SSL *ssl, int fd);
 int      SSL_get_shutdown(const SSL *ssl);
 int      SSL_get_error(const SSL *ssl, int ret);
-int      SSL_up_ref(SSL *ssl);
 void     SSL_set_connect_state(SSL *ssl);
 void     SSL_CTX_free(SSL_CTX *ctx);
 void     SSL_free(SSL *ssl);
--- a/src/linux_tcp/sslconnected.h
+++ b/src/linux_tcp/sslconnected.h
@ -125,7 +125,7 @@ private:
            _handler = nullptr;
            
            // start the state that closes the connection
-            return new SslShutdown(_connection, _socket, _ssl, _handler);
+            return new SslShutdown(_connection, _socket, std::move(_ssl), _handler);
        }
        else
        {
@ -245,9 +245,9 @@ public:
     *  @param  buffer      The buffer that was already built
     *  @param  handler     User-supplied handler object
     */
-    SslConnected(TcpConnection *connection, int socket, const SslWrapper &ssl, TcpOutBuffer &&buffer, TcpHandler *handler) : 
+    SslConnected(TcpConnection *connection, int socket, SslWrapper &&ssl, TcpOutBuffer &&buffer, TcpHandler *handler) : 
        TcpState(connection, handler),
-        _ssl(ssl),
+        _ssl(std::move(ssl)),
        _socket(socket),
        _out(std::move(buffer)),
        _in(4096),
--- a/src/linux_tcp/sslcontext.h
+++ b/src/linux_tcp/sslcontext.h
@ -42,26 +42,11 @@ public:
    }
    
    /**
-     *  Constructor that wraps around an existing context
-     *  @param  context
-     */
-    SslContext(SSL_CTX *context) : _ctx(context)
-    {
-        // increment refcount
-        // @todo fix this
-        //SSL_ctx_up_ref(context);
-    }
-    
-    /**
-     *  Copy constructor
+     *  Copy constructor is delete because the object is refcounted,
+     *  and we do not have a decent way to update the refcount in openssl 1.0
     *  @param  that
     */
-    SslContext(SslContext &that) : _ctx(that._ctx)
-    {
-        // increment refcount
-        // @todo fix this
-        //SSL_ctx_up_ref(context);
-    }
+    SslContext(SslContext &that) = delete;
    
    /**
     *  Destructor
--- a/src/linux_tcp/sslhandshake.h
+++ b/src/linux_tcp/sslhandshake.h
@ -162,7 +162,7 @@ public:
        int result = OpenSSL::SSL_do_handshake(_ssl);
                
        // if the connection succeeds, we can move to the ssl-connected state
-        if (result == 1) return nextstate(new SslConnected(_connection, _socket, _ssl, std::move(_out), _handler));
+        if (result == 1) return nextstate(new SslConnected(_connection, _socket, std::move(_ssl), std::move(_out), _handler));
        
        // error was returned, so we must investigate what is going on
        auto error = OpenSSL::SSL_get_error(_ssl, result);
@ -203,7 +203,7 @@ public:
            int result = OpenSSL::SSL_do_handshake(_ssl);
        
            // if the connection succeeds, we can move to the ssl-connected state
-            if (result == 1) return nextstate(new SslConnected(_connection, _socket, _ssl, std::move(_out), _handler));
+            if (result == 1) return nextstate(new SslConnected(_connection, _socket, std::move(_ssl), std::move(_out), _handler));
        
            // error was returned, so we must investigate what is going on
            auto error = OpenSSL::SSL_get_error(_ssl, result);
--- a/src/linux_tcp/sslshutdown.h
+++ b/src/linux_tcp/sslshutdown.h
@ -100,9 +100,9 @@ public:
     *  @param  ssl         The SSL structure
     *  @param  handler     User-supplied handler object
     */
-    SslShutdown(TcpConnection *connection, int socket, const SslWrapper &ssl, TcpHandler *handler) : 
+    SslShutdown(TcpConnection *connection, int socket, SslWrapper &&ssl, TcpHandler *handler) : 
        TcpState(connection, handler),
-        _ssl(ssl),
+        _ssl(std::move(ssl)),
        _socket(socket)
    {
        // tell the handler to monitor the socket if there is an out
--- a/src/linux_tcp/sslwrapper.h
+++ b/src/linux_tcp/sslwrapper.h
@ -41,25 +41,20 @@ public:
    }
    
    /**
-     *  Wrapper constructor
-     *  @param  ssl
-     */
-    SslWrapper(SSL *ssl) : _ssl(ssl)
-    {
-        // one more reference
-        // @todo fix this
-        //CRYPTO_add(_ssl);
-    }
-    
-    /**
-     *  Copy constructor
+     *  Copy constructor is removed because openssl 1.0 has no way to up refcount 
+     *  (otherwise we could be safely copying objects around)
     *  @param  that
     */
-    SslWrapper(const SslWrapper &that) : _ssl(that._ssl)
+    SslWrapper(const SslWrapper &that) = delete;
+    
+    /**
+     *  Move constructor
+     *  @param  that
+     */
+    SslWrapper(SslWrapper &&that) : _ssl(that._ssl)
    {
-        // one more reference
-        // @todo fix this
-        //SSL_up_ref(_ssl);
+        // invalidate other object
+        that._ssl = nullptr;
    }
    
    /**
@ -67,6 +62,9 @@ public:
     */
    virtual ~SslWrapper()
    {
+        // do nothing if already moved away
+        if (_ssl == nullptr) return;
+        
        // destruct object
        OpenSSL::SSL_free(_ssl);
    }