adopt: keep most of adopt.c even with WITHOUT_SERVER

CMakeLists.txt

@@ -862,6 +862,7 @@ set(SOURCES
 	lib/core/service.c
 	lib/misc/base64-decode.c
 	lib/misc/lws-ring.c
+	lib/core/adopt.c
 	lib/roles/pipe/ops-pipe.c)
 	
 if (LWS_WITH_THREADPOOL AND UNIX AND LWS_HAVE_PTHREAD_H)
@@ -960,7 +961,6 @@ endif()
 
 if (NOT LWS_WITHOUT_SERVER)
 	list(APPEND SOURCES
-		lib/core/adopt.c
 		lib/roles/listen/ops-listen.c)
 endif()
 
@@ -1095,7 +1095,8 @@ else()
 
 	if (LWS_PLAT_OPTEE)
 		list(APPEND SOURCES
-			lib/plat/optee/lws-plat-optee.c)
+			lib/plat/optee/lws-plat-optee.c
+		)
 	else()
 		if (LWS_WITH_ESP32)
 			list(APPEND SOURCES

lib/core/adopt.c

@@ -174,7 +174,7 @@ lws_adopt_descriptor_vhost(struct lws_vhost *vh, lws_adoption_type type,
 		type &= ~LWS_ADOPT_ALLOW_SSL;
 
 	if (lws_role_call_adoption_bind(new_wsi, type, vh_prot_name)) {
-		lwsl_err("Unable to find a role that can adopt descriptor\n");
+		lwsl_err("Unable to find a role that can adopt descriptor type 0x%x\n", type);
 		goto bail;
 	}
 
@@ -202,11 +202,14 @@ lws_adopt_descriptor_vhost(struct lws_vhost *vh, lws_adoption_type type,
 			goto fail;
 		}
 		lws_pt_unlock(pt);
-	} else
+	}
+#if !defined(LWS_WITHOUT_SERVER)
+	 else
 		if (lws_server_socket_service_ssl(new_wsi, fd.sockfd)) {
 			lwsl_info("%s: fail ssl negotiation\n", __func__);
 			goto fail;
 		}
+#endif
 
 	/*
 	 *  by deferring callback to this point, after insertion to fds,

lib/core/context.c

@@ -109,7 +109,7 @@ lws_role_call_alpn_negotiated(struct lws *wsi, const char *alpn)
 	return 0;
 }
 
-#if !defined(LWS_WITHOUT_SERVER)
+//#if !defined(LWS_WITHOUT_SERVER)
 int
 lws_role_call_adoption_bind(struct lws *wsi, int type, const char *prot)
 {
@@ -176,7 +176,7 @@ lws_role_call_adoption_bind(struct lws *wsi, int type, const char *prot)
 
 	return 1;
 }
-#endif
+//#endif
 
 #if !defined(LWS_WITHOUT_CLIENT)
 int

lib/roles/raw-file/ops-raw-file.c

@@ -52,7 +52,7 @@ rops_handle_POLLIN_raw_file(struct lws_context_per_thread *pt, struct lws *wsi,
 	return LWS_HPI_RET_HANDLED;
 }
 
-#if !defined(LWS_NO_SERVER)
+//#if !defined(LWS_NO_SERVER)
 static int
 rops_adoption_bind_raw_file(struct lws *wsi, int type, const char *vh_prot_name)
 {
@@ -69,7 +69,7 @@ rops_adoption_bind_raw_file(struct lws *wsi, int type, const char *vh_prot_name)
 
 	return 1; /* bound */
 }
-#endif
+//#endif
 
 struct lws_role_ops role_ops_raw_file = {
 	/* role name */			"raw-file",
@@ -92,11 +92,11 @@ struct lws_role_ops role_ops_raw_file = {
 	/* close_role */		NULL,
 	/* close_kill_connection */	NULL,
 	/* destroy_role */		NULL,
-#if !defined(LWS_NO_SERVER)
+//#if !defined(LWS_NO_SERVER)
 	/* adoption_bind */		rops_adoption_bind_raw_file,
-#else
-					NULL,
-#endif
+//#else
+//					NULL,
+//#endif
 	/* client_bind */		NULL,
 	/* adoption_cb clnt, srv */	{ LWS_CALLBACK_RAW_ADOPT_FILE,
 					  LWS_CALLBACK_RAW_ADOPT_FILE },

lib/tls/mbedtls/mbedtls-client.c

@@ -55,8 +55,10 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	}
 
 	wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
-	if (!wsi->tls.ssl)
+	if (!wsi->tls.ssl) {
+		lwsl_info("%s: SSL_new() failed\n", __func__);
 		return -1;
+	}
 
 	if (wsi->vhost->tls.ssl_info_event_mask)
 		SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
@@ -190,6 +192,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    const void *ca_mem,
 				    unsigned int ca_mem_len,
 				    const char *cert_filepath,
+				    const void *cert_mem,
+				    unsigned int cert_mem_len,
 				    const char *private_key_filepath)
 {
 	X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
@@ -197,6 +201,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 	unsigned long error;
 	lws_filepos_t len;
 	uint8_t *buf;
+	int n;
 
 	if (!method) {
 		error = ERR_get_error();
@@ -225,8 +230,11 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 		}
 		vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
 		free(buf);
+		lwsl_notice("Loading client CA for verification %s\n", ca_filepath);
 	} else {
 		vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
+		lwsl_notice("%s: using mem client CA cert %d\n",
+			    __func__, ca_mem_len);
 	}
 
 	if (!vh->tls.x509_client_CA) {
@@ -239,7 +247,53 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 	else
 		SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
 
-	lwsl_notice("client loaded CA for verification %s\n", ca_filepath);
+	/* support for client-side certificate authentication */
+	if (cert_filepath) {
+		uint8_t *buf;
+		lws_filepos_t amount;
+
+		if (lws_tls_use_any_upgrade_check_extant(cert_filepath) !=
+				LWS_TLS_EXTANT_YES &&
+		    (info->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT))
+			return 0;
+
+		lwsl_notice("%s: doing cert filepath %s\n", __func__,
+				cert_filepath);
+
+		if (alloc_file(vh->context, cert_filepath, &buf, &amount))
+			return 1;
+
+		buf[amount++] = '\0';
+
+		SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
+				buf, amount);
+
+		n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+				amount, buf);
+		lws_free(buf);
+		if (n < 1) {
+			lwsl_err("problem %d getting cert '%s'\n", n,
+				 cert_filepath);
+			lws_tls_err_describe();
+			return 1;
+		}
+
+		lwsl_notice("Loaded client cert %s\n", cert_filepath);
+	} else if (cert_mem && cert_mem_len) {
+		// lwsl_hexdump_notice(cert_mem, cert_mem_len - 1);
+		SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
+				cert_mem, cert_mem_len - 1);
+		n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+						 cert_mem_len, cert_mem);
+		if (n < 1) {
+			lwsl_err("%s: problem interpreting client cert\n",
+				 __func__);
+			lws_tls_err_describe();
+			return 1;
+		}
+		lwsl_notice("%s: using mem client cert %d\n",
+			    __func__, cert_mem_len);
+	}
 
 	return 0;
 }