Review fixes #1

tempesta-tech · May 18, 2023 · e344d62 · e344d62
1 parent 9205d4e
commit e344d62
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 14 deletions.
diff --git a/fw/http_limits.c b/fw/http_limits.c
@@ -4,7 +4,7 @@
  * Interface to classification modules.
  *
  * Copyright (C) 2014 NatSys Lab. (info@natsys-lab.com).
- * Copyright (C) 2015-2022 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2023 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by
@@ -749,22 +749,24 @@ frang_http_domain_fronting_check(const TfwHttpReq *req, FrangAcc *ra)
 	tctx = tfw_tls_context(req->conn);
 
 	if (tctx->vhost != req->vhost) {
+		TfwVhost *tls_vhost = tctx->vhost;
 		BasicStr tls_name, req_name;
 		static BasicStr null_name = {"NULL", 4};
 
+		/* An exotic case where TLS connection hasn't assigned
+		 * any vhost to the TlsCtx */
+		if (unlikely(tls_vhost == NULL))
+			return TFW_PASS;
 		/* Special case of default vhosts */
 		if (req->vhost == NULL
-		    && tfw_vhost_is_default(tctx->vhost))
+		    && tfw_vhost_is_default(tls_vhost))
 			return TFW_PASS;
 
-		tls_name = tctx->vhost ? tctx->vhost->name : null_name;
+		tls_name = tctx->vhost ? tls_vhost->name : null_name;
 		req_name = req->vhost ? req->vhost->name : null_name;
-		frang_msg("vhost by SNI doesn't match vhost"
-		          " by authority",
-		          &FRANG_ACC2CLI(ra)->addr,
-		          " ('%.*s' vs '%.*s')\n",
-		          PR_TFW_STR(&tls_name),
-		          PR_TFW_STR(&req_name));
+		frang_msg("vhost by SNI doesn't match vhost by authority",
+		          &FRANG_ACC2CLI(ra)->addr, " ('%.*s' vs '%.*s')\n",
+		          PR_TFW_STR(&tls_name), PR_TFW_STR(&req_name));
 		return TFW_BLOCK;
 	}
 	return TFW_PASS;

diff --git a/fw/http_limits.h b/fw/http_limits.h
@@ -2,7 +2,7 @@
  *		Tempesta FW
  *
  * Copyright (C) 2014 NatSys Lab. (info@natsys-lab.com).
- * Copyright (C) 2015-2022 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2023 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by

diff --git a/tls/ttls.h b/tls/ttls.h
@@ -4,7 +4,7 @@
  * Based on mbed TLS, https://tls.mbed.org.
  *
  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * Copyright (C) 2015-2022 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2023 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -37,7 +37,6 @@
 #include "x509_crl.h"
 #include "dhm.h"
 #include "ecdh.h"
-#include "fw/http_types.h"
 
 /* The requested feature is not available. */
 #define TTLS_ERR_FEATURE_UNAVAILABLE		-0x7080
@@ -541,7 +540,7 @@ typedef struct tls_handshake_t TlsHandshake;
  * @nb_zero	-  # of 0-length encrypted messages;
  * @client_auth	- flag for client authentication (client side only);
  * @hostname	- expected peer CN for verification (and SNI if available);
- * @vhost	- vhost selected by SNI
+ * @vhost	- vhost selected by SNI (TfwVhost)
  */
 typedef struct ttls_context {
 	struct sock		*sk;
@@ -562,7 +561,7 @@ typedef struct ttls_context {
 	unsigned int		nb_zero;
 	int			client_auth;
 	char			*hostname;
-	TfwVhost		*vhost;
+	void			*vhost;
 } TlsCtx;
 
 typedef int ttls_send_cb_t(TlsCtx *tls, struct sg_table *sgt);