ssl allow externally managed SSL_CTX

Signed-off-by: joseph.urciuoli <trac90@UNKNOWN.org>

ssl allow externally managed SSL_CTX
4d9c8fc0 · joseph.urciuoli · Andy Green · 1e49918a · 4d9c8fc0 · 4d9c8fc0
Commit 4d9c8fc0 authored 10 years ago by joseph.urciuoli Committed by Andy Green 10 years ago
--- a/changelog
+++ b/changelog
@@ -98,6 +98,12 @@ If you are providing other headers, they must be generated using the new
 HTTP-version-agnostic APIs, and you must provide the length of them using this
 additional parameter.

+struct lws_context_creation_info now has an additional member
+SSL_CTX *provided_client_ssl_ctx you may set to an externally-initialized
+SSL_CTX managed outside lws.  Defaulting to zero keeps the existing behaviour of
+lws managing the context, if you memset the struct to 0 or have as a filescope
+initialized struct in bss, no need to change anything.
+

 v1.3-chrome37-firefox30
 =======================

--- a/lib/context.c
+++ b/lib/context.c
@@ -214,15 +214,24 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 				sizeof(struct libwebsocket),
 					      sizeof(struct allocated_headers));

-	if (lws_context_init_server_ssl(info, context))
-		goto bail;

-	if (lws_context_init_client_ssl(info, context))
+#ifdef LWS_OPENSSL_SUPPORT
+    if (info->provided_client_ssl_ctx){
+        //use the provided OpenSSL context if given one
+        context->ssl_client_ctx = info->provided_client_ssl_ctx;
+        context->user_supplied_ssl_ctx = 1; //mark to not delet the context on cleanup
+    }
+#endif
+    if (lws_context_init_server_ssl(info, context))
+		goto bail;
+	if (!context->ssl_client_ctx && lws_context_init_client_ssl(info, context))
 		goto bail;

 	if (lws_context_init_server(info, context))
 		goto bail;

+	lwsl_debug(" client SSL ctx %p\n", context->ssl_client_ctx);
+	lwsl_debug(" server SSL ctx %p\n", context->ssl_ctx);
 	/*
 	 * drop any root privs for this process
 	 * to listen on port < 1023 we would have needed root, but now we are

--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -86,6 +86,14 @@ extern "C" {
 #include <unistd.h>
 #endif

+#ifdef LWS_OPENSSL_SUPPORT
+#ifdef USE_CYASSL
+#include <cyassl/openssl/ssl.h>
+#else
+#include <openssl/ssl.h>
+#endif /* not USE_CYASSL */
+#endif
+
 #define CONTEXT_PORT_NO_LISTEN -1
 #define MAX_MUX_RECURSION 2

@@ -995,6 +1003,10 @@ struct libwebsocket_extension {
 *		and killing the connection
 * @ka_interval: if ka_time was nonzero, how long to wait before each ka_probes
 *		attempt
+ * @provided_client_ssl_ctx: If non-null, swap out libwebsockets ssl
+ *		implementation for the one provided by provided_ssl_ctx.
+ *		Libwebsockets no longer is responsible for freeing the context
+ *		if this option is selected.
 */

 struct lws_context_creation_info {
@@ -1017,7 +1029,11 @@ struct lws_context_creation_info {
 	int ka_time;
 	int ka_probes;
 	int ka_interval;
-
+#ifdef LWS_OPENSSL_SUPPORT
+	SSL_CTX *provided_client_ssl_ctx;
+#else /* maintain structure layout either way */
+    	void *provided_client_ssl_ctx;
+#endif
 };

 LWS_VISIBLE LWS_EXTERN

--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -462,6 +462,7 @@ struct libwebsocket_context {
 #ifdef LWS_OPENSSL_SUPPORT
 	int use_ssl;
 	int allow_non_ssl_on_ssl_port;
+	unsigned int user_supplied_ssl_ctx:1;
 	SSL_CTX *ssl_ctx;
 	SSL_CTX *ssl_client_ctx;
 	unsigned int ssl_flag_buffered_reads:1;

--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -192,7 +192,7 @@ lws_ssl_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);

 	ERR_remove_state(0);
@@ -593,7 +593,7 @@ lws_ssl_context_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);

 	ERR_remove_state(0);