From 0929ae07074c03926ab438be732e91ea52a37e04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Deuc=D0=B5?= <shurd@sasktel.net>
Date: Tue, 19 Dec 2023 14:54:04 -0500
Subject: [PATCH] Fix locking for JS TLS connections

Also, expand the lock in websrvr to the correct scope.
---
 src/sbbs3/js_socket.c | 7 +++++--
 src/sbbs3/websrvr.c   | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/sbbs3/js_socket.c b/src/sbbs3/js_socket.c
index 4d7a209f8d..b3cbf07c61 100644
--- a/src/sbbs3/js_socket.c
+++ b/src/sbbs3/js_socket.c
@@ -2369,8 +2369,10 @@ static JSBool js_socket_set(JSContext *cx, JSObject *obj, jsid id, JSBool strict
 											}
 										}
 										lock_ssl_cert();
-										if (scfg->tls_certificate == -1)
+										if (scfg->tls_certificate == -1) {
+											unlock_ssl_cert();
 											ret = CRYPT_ERROR_NOTAVAIL;
+										}
 										else {
 											ret = cryptSetAttribute(p->session, CRYPT_SESSINFO_PRIVATEKEY, scfg->tls_certificate);
 											if (ret != CRYPT_OK) {
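Review bot: The early `unlock_ssl_cert()` added in the `scfg->tls_certificate == -1` branch is only safe if the later `if (tiny != SOCK_PROP_SSL_SESSION) unlock_ssl_cert();` in the next hunk cannot be reached while `ret` is `CRYPT_ERROR_NOTAVAIL`. The code between the two hunks is not visible here, so that guard needs confirming; without it the lock would be released twice on this path. The same question applies to the `cryptSetAttribute` failure branch, whose body continues outside the hunk. The pairing would be easier to audit with a local flag set next to `lock_ssl_cert()` and a single release point, for example `if (cert_locked) { unlock_ssl_cert(); cert_locked = false; }`.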
@@ -2384,7 +2386,8 @@ static JSBool js_socket_set(JSContext *cx, JSObject *obj, jsid id, JSBool strict
 									if((ret=do_cryptAttribute(p->session, CRYPT_SESSINFO_ACTIVE, 1))!=CRYPT_OK) {
 										GCES(ret, p, estr, "setting session active");
 									}
-									unlock_ssl_cert();
+									if (tiny != SOCK_PROP_SSL_SESSION)
+										unlock_ssl_cert();
 								}
 							}
 						}
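Review bot: The new condition `tiny != SOCK_PROP_SSL_SESSION` stands in for "the certificate lock was taken earlier", but nothing at this line says so. A comment such as `/* cert lock is only held when the server-side key was attached above */` would keep a later edit from breaking the pairing, assuming that is indeed the only path that calls `lock_ssl_cert()`. Separately, the release still comes after `do_cryptAttribute(p->session, CRYPT_SESSINFO_ACTIVE, 1)`, and activating a session normally involves the handshake with the remote peer, so a slow or stalled client may keep the lock held until the session times out. If `lock_ssl_cert()` is exclusive, it is worth checking whether the lock is needed past the `CRYPT_SESSINFO_PRIVATEKEY` assignment; the enclosing block starts outside the hunk.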
diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index a325e31800..4c96b544e7 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -7243,10 +7243,10 @@ void web_server(void* arg)
 			do_cryptInit(); // Must be called by someone before lock_ssl_cert()
 			lock_ssl_cert();
 			if(scfg.tls_certificate != -1) {
-				unlock_ssl_cert();
 				// Init was already called or tls_certificate would be -1...
 				if(do_cryptInit())
 					xpms_add_list(ws_set, PF_UNSPEC, SOCK_STREAM, 0, startup->tls_interfaces, startup->tls_port, "Secure Web Server", open_socket, startup->seteuid, "TLS");
+				unlock_ssl_cert();
 			}
 			else {
 				unlock_ssl_cert();
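Review bot: With the unlock moved below `xpms_add_list(...)`, the certificate lock is now held across `do_cryptInit()` and the listener setup, including whatever the `open_socket` callback does, while the comment above still says `do_cryptInit()` must be called before `lock_ssl_cert()`. If the lock is not recursive and any of those calls acquires it, this path would block on itself; their definitions are outside this hunk and should be checked. The body reads `scfg.tls_certificate` only in the condition, so a short comment stating what the wider scope protects would document the intent, e.g. `// keep the cert lock until the TLS listeners are registered` if that is the reason; the `else` branch continues past the end of the hunk.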
-- 
GitLab