diff --git a/CMakeLists.txt b/CMakeLists.txt
index 54602dfdc..2de6b036b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -862,6 +862,7 @@ set(SOURCES
 lib/core/service.c
 lib/misc/base64-decode.c
 lib/misc/lws-ring.c
+ lib/core/adopt.c
 lib/roles/pipe/ops-pipe.c)
 if (LWS_WITH_THREADPOOL AND UNIX AND LWS_HAVE_PTHREAD_H)
@@ -960,7 +961,6 @@ endif()
 if (NOT LWS_WITHOUT_SERVER)
 list(APPEND SOURCES
- lib/core/adopt.c
 lib/roles/listen/ops-listen.c)
 endif()
@@ -1095,7 +1095,8 @@ else()
 if (LWS_PLAT_OPTEE)
 list(APPEND SOURCES
- lib/plat/optee/lws-plat-optee.c)
+ lib/plat/optee/lws-plat-optee.c
+ )
 else()
 if (LWS_WITH_ESP32)
 list(APPEND SOURCES
diff --git a/lib/core/adopt.c b/lib/core/adopt.c
index ac37063d9..c21e196d9 100644
--- a/lib/core/adopt.c
+++ b/lib/core/adopt.c
@@ -174,7 +174,7 @@ lws_adopt_descriptor_vhost(struct lws_vhost *vh, lws_adoption_type type,
 type &= ~LWS_ADOPT_ALLOW_SSL;
 if (lws_role_call_adoption_bind(new_wsi, type, vh_prot_name)) {
- lwsl_err("Unable to find a role that can adopt descriptor\n");
+ lwsl_err("Unable to find a role that can adopt descriptor type 0x%x\n", type);
 goto bail;
 }
@@ -202,11 +202,14 @@ lws_adopt_descriptor_vhost(struct lws_vhost *vh, lws_adoption_type type,
 goto fail;
 }
 lws_pt_unlock(pt);
- } else
+ }
+#if !defined(LWS_WITHOUT_SERVER)
+ else
 if (lws_server_socket_service_ssl(new_wsi, fd.sockfd)) {
 lwsl_info("%s: fail ssl negotiation\n", __func__);
 goto fail;
 }
+#endif
 /*
 * by deferring callback to this point, after insertion to fds,
diff --git a/lib/core/context.c b/lib/core/context.c
index 6c8d16ef8..ed7d82632 100644
--- a/lib/core/context.c
+++ b/lib/core/context.c
@@ -109,7 +109,7 @@ lws_role_call_alpn_negotiated(struct lws *wsi, const char *alpn)
 return 0;
 }
-#if !defined(LWS_WITHOUT_SERVER)
+//#if !defined(LWS_WITHOUT_SERVER)
 int
 lws_role_call_adoption_bind(struct lws *wsi, int type, const char *prot)
 {
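Review bot: In an LWS_WITHOUT_SERVER build the `else if (lws_server_socket_service_ssl(...))` arm now compiles away with nothing in its place, so the SSL side of this branch falls straight through to the adoption callback with no TLS negotiation and no error. The condition of the preceding `if` is above the hunk; if it is the plain-socket insert path, as the `else` pairing suggests, a client-only build that adopts a descriptor with SSL still allowed would be handed a plaintext wsi silently, which is a fail-open default. Suggest an explicit arm that fails closed, `#else` / `else { lwsl_err("%s: ssl adoption needs server support\n", __func__); goto fail; }` / `#endif`, or clearing LWS_ADOPT_ALLOW_SSL unconditionally in such builds so the insert path is always taken. lws_adopt_descriptor_vhost starts and ends outside the hunk.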
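Review bot: The `#if !defined(LWS_WITHOUT_SERVER)` guard around lws_role_call_adoption_bind is commented out with `//` rather than deleted, which leaves a marker suggesting the function is still conditional when it is now always compiled (adopt.c, which calls it in the hunk above, moves to the unconditional source list in this same patch). Delete the `//#if` line and its matching `//#endif` instead of keeping dead preprocessor text; if the reason should be recorded, a one-line comment such as `/* always built: adopt.c calls this in client-only builds too */` says more than the commented-out guard. The function body continues outside the hunk.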
@@ -176,7 +176,7 @@ lws_role_call_adoption_bind(struct lws *wsi, int type, const char *prot)
 return 1;
 }
-#endif
+//#endif
 #if !defined(LWS_WITHOUT_CLIENT)
 int
diff --git a/lib/roles/raw-file/ops-raw-file.c b/lib/roles/raw-file/ops-raw-file.c
index b45422ca4..4c9e43a75 100644
--- a/lib/roles/raw-file/ops-raw-file.c
+++ b/lib/roles/raw-file/ops-raw-file.c
@@ -52,7 +52,7 @@ rops_handle_POLLIN_raw_file(struct lws_context_per_thread *pt, struct lws *wsi,
 return LWS_HPI_RET_HANDLED;
 }
-#if !defined(LWS_NO_SERVER)
+//#if !defined(LWS_NO_SERVER)
 static int
 rops_adoption_bind_raw_file(struct lws *wsi, int type, const char *vh_prot_name)
 {
@@ -69,7 +69,7 @@ rops_adoption_bind_raw_file(struct lws *wsi, int type, const char *vh_prot_name)
 return 1; /* bound */
 }
-#endif
+//#endif
 struct lws_role_ops role_ops_raw_file = {
 /* role name */ "raw-file",
@@ -92,11 +92,11 @@ struct lws_role_ops role_ops_raw_file = {
 /* close_role */ NULL,
 /* close_kill_connection */ NULL,
 /* destroy_role */ NULL,
-#if !defined(LWS_NO_SERVER)
+//#if !defined(LWS_NO_SERVER)
 /* adoption_bind */ rops_adoption_bind_raw_file,
-#else
- NULL,
-#endif
+//#else
+// NULL,
+//#endif
 /* client_bind */ NULL,
 /* adoption_cb clnt, srv */ { LWS_CALLBACK_RAW_ADOPT_FILE,
 LWS_CALLBACK_RAW_ADOPT_FILE },
diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index 719885ead..a5b103c00 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -55,8 +55,10 @@ lws_ssl_client_bio_create(struct lws *wsi)
 }
 wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
- if (!wsi->tls.ssl)
+ if (!wsi->tls.ssl) {
+ lwsl_info("%s: SSL_new() failed\n", __func__);
 return -1;
+ }
 if (wsi->vhost->tls.ssl_info_event_mask)
 SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
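Review bot: The new failure log in lws_ssl_client_bio_create says only that SSL_new() failed, not why, although this same file already calls lws_tls_err_describe() for exactly that purpose (the client-cert hunk later in this patch uses it after each failed SSL_CTX_* call). Add `lws_tls_err_describe();` directly after the `lwsl_info("%s: SSL_new() failed\n", __func__);` line so the underlying TLS-library error is recorded with the message. The function continues outside the hunk.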
@@ -190,6 +192,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 const void *ca_mem,
 unsigned int ca_mem_len,
 const char *cert_filepath,
+ const void *cert_mem,
+ unsigned int cert_mem_len,
 const char *private_key_filepath)
 {
 X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
@@ -197,6 +201,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 unsigned long error;
 lws_filepos_t len;
 uint8_t *buf;
+ int n;
 if (!method) {
 error = ERR_get_error();
@@ -225,8 +230,11 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 }
 vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
 free(buf);
+ lwsl_notice("Loading client CA for verification %s\n", ca_filepath);
 } else {
 vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
+ lwsl_notice("%s: using mem client CA cert %d\n",
+ __func__, ca_mem_len);
 }
 if (!vh->tls.x509_client_CA) {
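Review bot: The new `cert_mem` / `cert_mem_len` parameters are added to lws_tls_client_create_vhost_context without any comment saying what they carry or how the length is counted, and the later hunk in this patch passes `cert_mem_len - 1` when loading the key but `cert_mem_len` when loading the certificate, so the convention (whether the length includes a terminating NUL) has to be stated here or callers will guess. Suggest a comment above the signature such as `/* cert_mem/cert_mem_len: optional in-memory client cert (with key) used when cert_filepath is NULL; cert_mem_len counts the trailing NUL */`, adjusted to whatever the intended contract is. Inserting the parameters in the middle of the list also changes the function's ABI, so every caller and any sibling TLS backend must be updated in the same commit, which this diff does not show. The function continues outside the hunk.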
@@ -239,7 +247,53 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 else
 SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
- lwsl_notice("client loaded CA for verification %s\n", ca_filepath);
+ /* support for client-side certificate authentication */
+ if (cert_filepath) {
+ uint8_t *buf;
+ lws_filepos_t amount;
+
+ if (lws_tls_use_any_upgrade_check_extant(cert_filepath) !=
+ LWS_TLS_EXTANT_YES &&
+ (info->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT))
+ return 0;
+
+ lwsl_notice("%s: doing cert filepath %s\n", __func__,
+ cert_filepath);
+
+ if (alloc_file(vh->context, cert_filepath, &buf, &amount))
+ return 1;
+
+ buf[amount++] = '\0';
+
+ SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
+ buf, amount);
+
+ n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+ amount, buf);
+ lws_free(buf);
+ if (n < 1) {
+ lwsl_err("problem %d getting cert '%s'\n", n,
+ cert_filepath);
+ lws_tls_err_describe();
+ return 1;
+ }
+
+ lwsl_notice("Loaded client cert %s\n", cert_filepath);
+ } else if (cert_mem && cert_mem_len) {
+ // lwsl_hexdump_notice(cert_mem, cert_mem_len - 1);
+ SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
+ cert_mem, cert_mem_len - 1);
+ n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+ cert_mem_len, cert_mem);
+ if (n < 1) {
+ lwsl_err("%s: problem interpreting client cert\n",
+ __func__);
+ lws_tls_err_describe();
+ return 1;
+ }
+ lwsl_notice("%s: using mem client cert %d\n",
+ __func__, cert_mem_len);
+ }
 return 0;
 }
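Review bot: Both `SSL_CTX_use_PrivateKey_ASN1(...)` calls discard their return value, so a buffer that parses as a certificate but yields no usable key is accepted and the function still returns 0 with a client context that can only fail (or be refused) at handshake time; treat a result below 1 as failure, exactly as the `SSL_CTX_use_certificate_ASN1` path already does, assuming the shim mirrors OpenSSL's 1-on-success. The key is also parsed from the same buffer as the certificate while `private_key_filepath` is never read in this hunk, so a caller supplying cert and key in separate files silently ends up with a cert and no key; that contract should be stated in the comment at the top of the block. Two smaller points: the inner `uint8_t *buf` shadows the function-level `buf` declared above the hunk, and the file buffer, which has just held private-key material, is released with `lws_free()` (the CA buffer above uses plain `free()`) without being cleared first. The sketch below shows the file branch; the memory branch needs the same return check.
```c
		buf[amount++] = '\0';

		/* the key is parsed from the same buffer as the cert: the file
		 * must hold both; private_key_filepath is not used on this path */
		n = SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
						buf, amount);
		if (n < 1) {
			lwsl_err("%s: problem %d loading key from '%s'\n",
				 __func__, n, cert_filepath);
			lws_tls_err_describe();
			memset(buf, 0, amount); /* key material; use a secure clear if available */
			lws_free(buf);
			return 1;
		}

		n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
						 amount, buf);
		memset(buf, 0, amount); /* key material; use a secure clear if available */
		lws_free(buf);
		/* … unchanged: certificate result check and notice … */
```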