[Libwebsockets] Creating a second (SSL capable) lws context will break SSL ext_data access

Andy Green andy at warmcat.com
Mon Jun 27 15:28:56 CEST 2016


On Mon, 2016-06-27 at 12:38 +0000, Wenzel, Alexander wrote:
> Hi,
> 
> we're using libwebsockets v2.0.2, but the following problem is also present
> in the current master. But first let me describe our setup.
> 
> We want to use the lib in the following way. The first lws context is used as

Well, sometimes there is a clash between what you think you want and,
eg, how the library was designed to be used.

> a server in a thread. The second lws context will be a client in another

Lws is designed to have one context... everything is nicely allocated
to the context, so in theory you could have more than one.  But openssl
library does not bind to an lws context, it binds to a process.  There
are other messes waiting from that eg

https://github.com/warmcat/libwebsockets/issues/569

> thread. Both context objects will have SSL enabled to provide an SSL server or
> rather connect to one.
> 
> To reproduce or describe the problem, you need to start the server thread
> first. In the init phase, the global SSL external data index variables [1]
> will be set up here [2]. If a client connects to the server, the index (= 0)
> is used here [3] to get the lws context out of the SSL object.
> 
> If you now start the client, it will also init the SSL library and also
> get the next free set of index (= 1) numbers to store user external data.
> But here is no link to the lws context which is the root of the problem.
> 
> When now somebody connects again to the server thread, it will again try to
> retrieve the context out of the SSL object [3]. But this time, the global
> index variable is set to 1 and so we won't get back our requested server
> object, which was stored at index 0. Finally this will result in a SEGFAULT.
> 
> A first dirty hack [4] would be to only set these globals once. Which would
> be ok for a single lws server context (which may use multiple vhosts) and
> one single client lws context.
> 
> I'm still not so familiar with the library to propose a more suitable patch.

How about you just rearrange things on your side to use one lws
context, as does every piece of example code we provide?  Then there
will be no problem.

-Andy

> I just began to use and understand it ;) But at least I want to create some
> awareness of this issue.
> 
> Best regards,
> Alexander
> 
> [1] https://github.com/warmcat/libwebsockets/blob/v2.0.2/lib/ssl.c#L56
> [2] https://github.com/warmcat/libwebsockets/blob/v2.0.2/lib/ssl.c#L171
> [3] https://github.com/warmcat/libwebsockets/blob/v2.0.2/lib/ssl-server.c#L164
> [4] Patch SSL ext_data lws index to be set only once
> diff --git a/lib/ssl.c b/lib/ssl.c
> index 6b2e575..e28dc06 100644
> --- a/lib/ssl.c
> +++ b/lib/ssl.c
> @@ -53,8 +53,8 @@ static void pssl_debug(void *ctx, int level, const
> char *str)
>  
>  #endif
>  
> -int openssl_websocket_private_data_index,
> -    openssl_SSL_CTX_private_data_index;
> +int openssl_websocket_private_data_index = -1;
> +int openssl_SSL_CTX_private_data_index = -1;
>  
>  int lws_ssl_get_error(struct lws *wsi, int n)
>  {
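Review bot: The -1 sentinel on the two new declarations is undocumented, and nothing at the declaration says these indices are process-wide rather than per lws context. Add a comment above them stating that a negative value means "not yet allocated" and that every context in the process shares the same pair, since the guards added further down in lws_context_init_ssl_library() depend on exactly that convention.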
> @@ -165,11 +165,15 @@ lws_context_init_ssl_library(struct
> lws_context_creation_info *info)
>         OpenSSL_add_all_algorithms();
>         SSL_load_error_strings();
>  
> -       openssl_websocket_private_data_index =
> -               SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL);
> +       if (openssl_websocket_private_data_index < 0) {
> +               openssl_websocket_private_data_index =
> +                       SSL_get_ex_new_index(0, "lws", NULL, NULL,
> NULL);
> +       }
>  
> -       openssl_SSL_CTX_private_data_index =
> SSL_CTX_get_ex_new_index(0,
> -                       NULL, NULL, NULL, NULL);
> +       if (openssl_SSL_CTX_private_data_index < 0) {
> +               openssl_SSL_CTX_private_data_index =
> +                       SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
> NULL);
> +       }
>  #endif
>  #endif
>  
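Review bot: The two `< 0` guards in lws_context_init_ssl_library() are a check-then-set with no synchronisation, while the setup in the report creates the server and client contexts in different threads. Two concurrent inits can both see -1 and each allocate an index, which leaves the globals at whichever value was written last and brings back the mismatch this patch is meant to remove; do the allocation under a lock or a one-time initialiser such as pthread_once(). The hunk also does not handle SSL_get_ex_new_index() or SSL_CTX_get_ex_new_index() returning -1 on failure, so the function should return an error in that case instead of carrying on with a negative index.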
> 
> 


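The failure described in this thread, as an added example that is not part of the original messages or of libwebsockets: a self-contained C model (no OpenSSL calls) of a process-wide ex_data index that is reallocated by a second context init, next to the allocate-once behaviour of the proposed patch. All names in it (`exdata_obj`, `model_get_ex_new_index`, `init_unpatched`, `init_once`, `lookup_after_second_init`, `sample_ctx`) are hypothetical stand-ins.

```c
#include <stddef.h>

#define MAX_SLOTS 8

/* Model of an OpenSSL object (SSL / SSL_CTX): one pointer per ex_data index. */
struct exdata_obj { void *slot[MAX_SLOTS]; };

static int next_free_index;   /* allocator state, shared by the whole process */
static int lws_index = -1;    /* stand-in for the global index in lib/ssl.c */
static int sample_ctx;        /* constructed stand-in for the server's lws context */

/* Stand-in for SSL_get_ex_new_index(): hands out 0, 1, 2, ... or -1 when full. */
static int model_get_ex_new_index(void)
{
    return next_free_index < MAX_SLOTS ? next_free_index++ : -1;
}

/* Behaviour in the report: every context init overwrites the global. */
static void init_unpatched(void) { lws_index = model_get_ex_new_index(); }

/* Behaviour of the proposed patch: allocate only while still unset. */
static void init_once(void)
{
    if (lws_index < 0)
        lws_index = model_get_ex_new_index();
}

/* Server init, store the server context, client init, then read it back
 * through the current global. Returns what the server-side lookup sees. */
static void *lookup_after_second_init(void (*init)(void), void *server_ctx)
{
    struct exdata_obj obj = { { NULL } };

    next_free_index = 0;              /* fresh process state for each run */
    lws_index = -1;
    init();                           /* server context: index 0 */
    obj.slot[lws_index] = server_ctx; /* stored under the index valid now */
    init();                           /* second (client) context */
    return lws_index < 0 ? NULL : obj.slot[lws_index];
}

int main(void)
{
    void *stale = lookup_after_second_init(init_unpatched, &sample_ctx);
    void *good = lookup_after_second_init(init_once, &sample_ctx);

    /* stale is NULL: the real code dereferences that and crashes. */
    return (stale == NULL && good == &sample_ctx) ? 0 : 1;
}
```

The model is single-threaded, so it shows only the index mismatch and not any race between two threads initialising at once.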
