ssl allow externally managed SSL_CTX

Signed-off-by: joseph.urciuoli <trac90@UNKNOWN.org>
2014-10-16 08:53:19 +08:00 · 2014-10-16 08:53:19 +08:00 · 4d9c8fc01a
commit 4d9c8fc01a
parent 1e49918a4f
5 changed files with 38 additions and 6 deletions
--- a/6
+++ b/6
@ -98,6 +98,12 @@ If you are providing other headers, they must be generated using the new
 HTTP-version-agnostic APIs, and you must provide the length of them using this
 additional parameter.
 struct lws_context_creation_info now has an additional member
 SSL_CTX *provided_client_ssl_ctx you may set to an externally-initialized
 SSL_CTX managed outside lws.  Defaulting to zero keeps the existing behaviour of
 lws managing the context, if you memset the struct to 0 or have as a filescope
 initialized struct in bss, no need to change anything.
 v1.3-chrome37-firefox30
 =======================
--- a/lib/context.c
+++ b/lib/context.c
@ -214,15 +214,24 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 				sizeof(struct libwebsocket),
 					      sizeof(struct allocated_headers));
 #ifdef LWS_OPENSSL_SUPPORT
    if (info->provided_client_ssl_ctx){
        //use the provided OpenSSL context if given one
        context->ssl_client_ctx = info->provided_client_ssl_ctx;
        context->user_supplied_ssl_ctx = 1; //mark to not delet the context on cleanup
    }
 #endif
    if (lws_context_init_server_ssl(info, context))
 		goto bail;
-
+	if (!context->ssl_client_ctx && lws_context_init_client_ssl(info, context))
 	if (lws_context_init_client_ssl(info, context))
 		goto bail;
 	if (lws_context_init_server(info, context))
 		goto bail;
 	lwsl_debug(" client SSL ctx %p\n", context->ssl_client_ctx);
 	lwsl_debug(" server SSL ctx %p\n", context->ssl_ctx);
 	/*
 	 * drop any root privs for this process
 	 * to listen on port < 1023 we would have needed root, but now we are
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -86,6 +86,14 @@ extern "C" {
 #include <unistd.h>
 #endif
 #ifdef LWS_OPENSSL_SUPPORT
 #ifdef USE_CYASSL
 #include <cyassl/openssl/ssl.h>
 #else
 #include <openssl/ssl.h>
 #endif /* not USE_CYASSL */
 #endif
 #define CONTEXT_PORT_NO_LISTEN -1
 #define MAX_MUX_RECURSION 2
@ -995,6 +1003,10 @@ struct libwebsocket_extension {
 *		and killing the connection
 * @ka_interval: if ka_time was nonzero, how long to wait before each ka_probes
 *		attempt
 * @provided_client_ssl_ctx: If non-null, swap out libwebsockets ssl
 *		implementation for the one provided by provided_ssl_ctx.
 *		Libwebsockets no longer is responsible for freeing the context
 *		if this option is selected.
 */
 struct lws_context_creation_info {
@ -1017,7 +1029,11 @@ struct lws_context_creation_info {
 	int ka_time;
 	int ka_probes;
 	int ka_interval;
-
+#ifdef LWS_OPENSSL_SUPPORT
 	SSL_CTX *provided_client_ssl_ctx;
 #else /* maintain structure layout either way */
    	void *provided_client_ssl_ctx;
 #endif
 };
 LWS_VISIBLE LWS_EXTERN
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@ -462,6 +462,7 @@ struct libwebsocket_context {
 #ifdef LWS_OPENSSL_SUPPORT
 	int use_ssl;
 	int allow_non_ssl_on_ssl_port;
 	unsigned int user_supplied_ssl_ctx:1;
 	SSL_CTX *ssl_ctx;
 	SSL_CTX *ssl_client_ctx;
 	unsigned int ssl_flag_buffered_reads:1;
--- a/lib/ssl.c
+++ b/lib/ssl.c
@ -192,7 +192,7 @@ lws_ssl_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);
 	ERR_remove_state(0);
@ -593,7 +593,7 @@ lws_ssl_context_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);
 	ERR_remove_state(0);