libwebsockets/lib/client/ssl-client.c

/*
 * libwebsockets - client-related ssl code independent of backend
 *
 * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation:
 *  version 2.1 of the License.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *  MA  02110-1301  USA
 */

#include "private-libwebsockets.h"

int
lws_ssl_client_connect1(struct lws *wsi)
{
	struct lws_context *context = wsi->context;
	int n = 0;

	lws_latency_pre(context, wsi);
	n = lws_tls_client_connect(wsi);
	lws_latency(context, wsi,
	  "SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0);

	switch (n) {
	case LWS_SSL_CAPABLE_ERROR:
		return -1;
	case LWS_SSL_CAPABLE_DONE:
		return 1; /* connected */
	case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
		lws_callback_on_writable(wsi);
		/* fallthru */
	case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
		wsi->mode = LWSCM_WSCL_WAITING_SSL;
		break;
	case LWS_SSL_CAPABLE_MORE_SERVICE:
		break;
	}

	return 0; /* retry */
}

int
lws_ssl_client_connect2(struct lws *wsi)
{
	int n = 0;

	if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {
		lws_latency_pre(wsi->context, wsi);

		n = lws_tls_client_connect(wsi);
		lwsl_debug("%s: SSL_connect says %d\n", __func__, n);
		lws_latency(wsi->context, wsi,
			    "SSL_connect LWSCM_WSCL_WAITING_SSL", n, n > 0);

		switch (n) {
		case LWS_SSL_CAPABLE_ERROR:
			return -1;
		case LWS_SSL_CAPABLE_DONE:
			break; /* connected */
		case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
			lws_callback_on_writable(wsi);
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
			wsi->mode = LWSCM_WSCL_WAITING_SSL;
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE:
			return 0;
		}
	}

	if (lws_tls_client_confirm_peer_cert(wsi))
		return -1;

	return 1;
}


int lws_context_init_client_ssl(struct lws_context_creation_info *info,
				struct lws_vhost *vhost)
{
	const char *ca_filepath = info->ssl_ca_filepath;
	const char *cipher_list = info->ssl_cipher_list;
	const char *private_key_filepath = info->ssl_private_key_filepath;
	const char *cert_filepath = info->ssl_cert_filepath;
	struct lws wsi;

	if (vhost->options & LWS_SERVER_OPTION_ONLY_RAW)
		return 0;

	/*
	 *  for backwards-compatibility default to using ssl_... members, but
	 * if the newer client-specific ones are given, use those
	 */
	if (info->client_ssl_cipher_list)
		cipher_list = info->client_ssl_cipher_list;
	if (info->client_ssl_cert_filepath)
		cert_filepath = info->client_ssl_cert_filepath;
	if (info->client_ssl_private_key_filepath)
		private_key_filepath = info->client_ssl_private_key_filepath;

	if (info->client_ssl_ca_filepath)
		ca_filepath = info->client_ssl_ca_filepath;

	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
		return 0;

	if (vhost->ssl_client_ctx)
		return 0;

	if (info->provided_client_ssl_ctx) {
		/* use the provided OpenSSL context if given one */
		vhost->ssl_client_ctx = info->provided_client_ssl_ctx;
		/* nothing for lib to delete */
		vhost->user_supplied_ssl_ctx = 1;

		return 0;
	}

	if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
						ca_filepath, cert_filepath,
						private_key_filepath))
		return 1;

	lwsl_notice("created client ssl context for %s\n", vhost->name);

	/*
	 * give him a fake wsi with context set, so he can use
	 * lws_get_context() in the callback
	 */
	memset(&wsi, 0, sizeof(wsi));
	wsi.vhost = vhost;
	wsi.context = vhost->context;

	vhost->protocols[0].callback(&wsi,
			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
				       vhost->ssl_client_ctx, NULL, 0);

	return 0;
}
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`/*`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`* libwebsockets - client-related ssl code independent of backend`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`*`
clean 2017-09-23 12:55:21 +08:00			`* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU Lesser General Public`
			`* License as published by the Free Software Foundation:`
			`* version 2.1 of the License.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public`
			`* License along with this library; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,`
			`* MA 02110-1301 USA`
			`*/`

			`#include "private-libwebsockets.h"`

			`int`
			`lws_ssl_client_connect1(struct lws *wsi)`
			`{`
			`struct lws_context *context = wsi->context;`
polarssl implementation Signed-off-by: Andy Green <andy@warmcat.com> 2016-04-17 11:28:43 +08:00			`int n = 0;`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00
			`lws_latency_pre(context, wsi);`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`n = lws_tls_client_connect(wsi);`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`lws_latency(context, wsi,`
			`"SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0);`

tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`switch (n) {`
			`case LWS_SSL_CAPABLE_ERROR:`
			`return -1;`
			`case LWS_SSL_CAPABLE_DONE:`
			`return 1; /* connected */`
			`case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:`
			`lws_callback_on_writable(wsi);`
			`/* fallthru */`
			`case LWS_SSL_CAPABLE_MORE_SERVICE_READ:`
			`wsi->mode = LWSCM_WSCL_WAITING_SSL;`
			`break;`
			`case LWS_SSL_CAPABLE_MORE_SERVICE:`
			`break;`
			`}`

			`return 0; /* retry */`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`}`

			`int`
			`lws_ssl_client_connect2(struct lws *wsi)`
			`{`
polarssl implementation Signed-off-by: Andy Green <andy@warmcat.com> 2016-04-17 11:28:43 +08:00			`int n = 0;`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00
			`if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`lws_latency_pre(wsi->context, wsi);`
plat-optee and boringssl adaptations 2017-01-17 07:01:02 +08:00
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`n = lws_tls_client_connect(wsi);`
			`lwsl_debug("%s: SSL_connect says %d\n", __func__, n);`
			`lws_latency(wsi->context, wsi,`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`"SSL_connect LWSCM_WSCL_WAITING_SSL", n, n > 0);`

tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`switch (n) {`
			`case LWS_SSL_CAPABLE_ERROR:`
client fix reaction to tls failure https://github.com/warmcat/libwebsockets/issues/508 Signed-off-by: Andy Green <andy@warmcat.com> 2016-05-03 07:26:10 +08:00			`return -1;`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`case LWS_SSL_CAPABLE_DONE:`
			`break; /* connected */`
			`case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:`
			`lws_callback_on_writable(wsi);`
			`/* fallthru */`
			`case LWS_SSL_CAPABLE_MORE_SERVICE_READ:`
			`wsi->mode = LWSCM_WSCL_WAITING_SSL;`
			`/* fallthru */`
			`case LWS_SSL_CAPABLE_MORE_SERVICE:`
			`return 0;`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`}`
			`}`
ssl: add LWS_CALLBACK_OPENSSL_PERFORM_SERVER_CERT_VERIFICATION 2017-01-10 09:31:23 +08:00
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`if (lws_tls_client_confirm_peer_cert(wsi))`
			`return -1;`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00
			`return 1;`
			`}`


			`int lws_context_init_client_ssl(struct lws_context_creation_info *info,`
add lws_init_vhost_client_ssl api to allow client ssl use on a vhost Also add lwsws "enable-client-ssl": "1" vhost option to match. Client cert iclient ssl is not supported in lwsws, if someone wants it, it can be added. Signed-off-by: Andy Green <andy@warmcat.com> 2016-05-12 19:39:29 +08:00			`struct lws_vhost *vhost)`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`{`
mbedtls: client provide CA WIP https://github.com/warmcat/libwebsockets/issues/1011 2017-09-02 10:50:54 +08:00			`const char *ca_filepath = info->ssl_ca_filepath;`
client: allow setting client ssl certs from lwsws and connection info separate from server ssl certs 2017-02-22 07:28:13 +08:00			`const char *cipher_list = info->ssl_cipher_list;`
			`const char *private_key_filepath = info->ssl_private_key_filepath;`
esp32: separate factory setup 2017-03-16 10:46:31 +08:00			`const char *cert_filepath = info->ssl_cert_filepath;`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`struct lws wsi;`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00
Plugins: add ssh-base ssh server plugin 2017-10-16 16:59:57 +08:00			`if (vhost->options & LWS_SERVER_OPTION_ONLY_RAW)`
			`return 0;`

client: allow setting client ssl certs from lwsws and connection info separate from server ssl certs 2017-02-22 07:28:13 +08:00			`/*`
			`* for backwards-compatibility default to using ssl_... members, but`
			`* if the newer client-specific ones are given, use those`
			`*/`
			`if (info->client_ssl_cipher_list)`
			`cipher_list = info->client_ssl_cipher_list;`
			`if (info->client_ssl_cert_filepath)`
			`cert_filepath = info->client_ssl_cert_filepath;`
			`if (info->client_ssl_private_key_filepath)`
			`private_key_filepath = info->client_ssl_private_key_filepath;`
tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00
mbedtls: client provide CA WIP https://github.com/warmcat/libwebsockets/issues/1011 2017-09-02 10:50:54 +08:00			`if (info->client_ssl_ca_filepath)`
			`ca_filepath = info->client_ssl_ca_filepath;`
client: allow setting client ssl certs from lwsws and connection info separate from server ssl certs 2017-02-22 07:28:13 +08:00
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))`
			`return 0;`

client: reject init_client_ssl more than once 2017-07-08 16:01:34 +08:00			`if (vhost->ssl_client_ctx)`
			`return 0;`

ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`if (info->provided_client_ssl_ctx) {`
			`/* use the provided OpenSSL context if given one */`
			`vhost->ssl_client_ctx = info->provided_client_ssl_ctx;`
			`/* nothing for lib to delete */`
			`vhost->user_supplied_ssl_ctx = 1;`
add lws_init_vhost_client_ssl api to allow client ssl use on a vhost Also add lwsws "enable-client-ssl": "1" vhost option to match. Client cert iclient ssl is not supported in lwsws, if someone wants it, it can be added. Signed-off-by: Andy Green <andy@warmcat.com> 2016-05-12 19:39:29 +08:00
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`return 0;`
			`}`

tls: split out common, openssl and mbedtls code - introduce lib/tls/mbedtls lib/tls/openssl - move wrapper into lib/tls/mbedtls/wrapper - introduce private helpers to hide backend This patch doesn't replace or remove the wrapper, it moves it to lib/tls/mbedtls/wrapper. But it should be now that the ONLY functions directly consuming wrapper apis are isolated in - lib/tls/mbedtls/client.c (180 lines) - lib/tls/mbedtls/server.c (317 lines) - lib/tls/mbedtls/ssl.c (325 lines) In particular there are no uses of openssl or mbedtls-related constants outside of ./lib/tls any more. 2017-10-18 09:41:44 +08:00			`if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,`
			`ca_filepath, cert_filepath,`
			`private_key_filepath))`
ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`return 1;`

mbedtls: client provide CA WIP https://github.com/warmcat/libwebsockets/issues/1011 2017-09-02 10:50:54 +08:00			`lwsl_notice("created client ssl context for %s\n", vhost->name);`

ssl split out common server and client ssl sources Most of ssl.c is under a #ifdef for client or server disabled... let's get rid of it and have CMake just build the appropriate files Signed-off-by: Andy Green <andy@warmcat.com> 2016-03-29 08:51:42 +08:00			`/*`
			`* give him a fake wsi with context set, so he can use`
			`* lws_get_context() in the callback`
			`*/`
			`memset(&wsi, 0, sizeof(wsi));`
			`wsi.vhost = vhost;`
			`wsi.context = vhost->context;`

			`vhost->protocols[0].callback(&wsi,`
			`LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,`
			`vhost->ssl_client_ctx, NULL, 0);`

			`return 0;`
			`}`