openssl: client certs: use info.client_ssl_private_key_password

https://github.com/warmcat/libwebsockets/issues/1599
2025-03-09 00:00:04 +01:00 · 2019-06-21 07:18:48 +01:00 · 2019-06-21 07:18:48 +01:00 · 805c033b6b
commit 805c033b6b
parent d7ddd494ea
4 changed files with 26 additions and 8 deletions
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@ -637,7 +637,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 	}
 	if (private_key_filepath) {
 		lwsl_notice("%s: doing private key filepath\n", __func__);
-		lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, info);
+		lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, 1, info);
 		/* set the private key from KeyFile */
 		if (SSL_CTX_use_PrivateKey_file(vh->tls.ssl_client_ctx,
 		    private_key_filepath, SSL_FILETYPE_PEM) != 1) {
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@ -534,7 +534,7 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 	    (!info->ssl_cert_filepath && !info->server_ssl_cert_mem))
 		return 0;

-	lws_ssl_bind_passphrase(vhost->tls.ssl_ctx, info);
+	lws_ssl_bind_passphrase(vhost->tls.ssl_ctx, 0, info);

 	return lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
 					 info->ssl_private_key_filepath,
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@ -60,9 +60,8 @@ int lws_ssl_get_error(struct lws *wsi, int n)
 	return m;
 }

-
 static int
-lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag,
+lws_context_init_ssl_pem_passwd_cb(char *buf, int size, int rwflag,
 				   void *userdata)
 {
 	struct lws_context_creation_info * info =
@ -74,11 +73,29 @@ lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag,
 	return (int)strlen(buf);
 }

+static int
+lws_context_init_ssl_pem_passwd_client_cb(char *buf, int size, int rwflag,
+					  void *userdata)
+{
+	struct lws_context_creation_info * info =
+			(struct lws_context_creation_info *)userdata;
+	const char *p = info->ssl_private_key_password;
+
+	if (info->client_ssl_private_key_password)
+		p = info->client_ssl_private_key_password;
+
+	strncpy(buf, p, size);
+	buf[size - 1] = '\0';
+
+	return (int)strlen(buf);
+}
+
 void
-lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx,
+lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, int is_client,
 			const struct lws_context_creation_info *info)
 {
-	if (!info->ssl_private_key_password)
+	if (!info->ssl_private_key_password &&
+	    !info->client_ssl_private_key_password)
 		return;
 	/*
 	 * password provided, set ssl callback and user data
@ -86,7 +103,8 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx,
 	 * SSL_CTX_use_PrivateKey_file function
 	 */
 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info);
-	SSL_CTX_set_default_passwd_cb(ssl_ctx,
+	SSL_CTX_set_default_passwd_cb(ssl_ctx, is_client ?
+				      lws_context_init_ssl_pem_passwd_client_cb:
 				      lws_context_init_ssl_pem_passwd_cb);
 }

--- a/lib/tls/private-network.h
+++ b/lib/tls/private-network.h
@ -107,7 +107,7 @@ lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt);
 LWS_EXTERN int
 lws_gate_accepts(struct lws_context *context, int on);
 LWS_EXTERN void
-lws_ssl_bind_passphrase(lws_tls_ctx *ssl_ctx,
+lws_ssl_bind_passphrase(lws_tls_ctx *ssl_ctx, int is_client,
 			const struct lws_context_creation_info *info);
 LWS_EXTERN void
 lws_ssl_info_callback(const lws_tls_conn *ssl, int where, int ret);