mirror of
https://github.com/warmcat/libwebsockets.git
synced 2025-03-16 00:00:07 +01:00
6ed3d8a9dd
Client connection items for protocols other than http ones will never get into an ah. Allow use of the values from the client stash allocation instead if present.
321 lines
8.7 KiB
C
321 lines
8.7 KiB
C
/*
|
|
* libwebsockets - small server side websockets and web server implementation
|
|
*
|
|
* Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to
|
|
* deal in the Software without restriction, including without limitation the
|
|
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
|
* sell copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
* IN THE SOFTWARE.
|
|
*/
|
|
|
|
#include "private-lib-core.h"
|
|
|
|
static int
|
|
OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
lws_ssl_client_bio_create(struct lws *wsi)
|
|
{
|
|
char hostname[128], *p;
|
|
const char *alpn_comma = wsi->context->tls.alpn_default;
|
|
struct alpn_ctx protos;
|
|
|
|
if (wsi->stash)
|
|
lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
|
|
else
|
|
if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
|
|
_WSI_TOKEN_CLIENT_HOST) <= 0) {
|
|
lwsl_err("%s: Unable to get hostname\n", __func__);
|
|
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
* remove any :port part on the hostname... necessary for network
|
|
* connection but typical certificates do not contain it
|
|
*/
|
|
p = hostname;
|
|
while (*p) {
|
|
if (*p == ':') {
|
|
*p = '\0';
|
|
break;
|
|
}
|
|
p++;
|
|
}
|
|
|
|
wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
|
|
if (!wsi->tls.ssl) {
|
|
lwsl_info("%s: SSL_new() failed\n", __func__);
|
|
return -1;
|
|
}
|
|
|
|
if (wsi->vhost->tls.ssl_info_event_mask)
|
|
SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
|
|
|
|
if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
|
|
X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
|
|
/* Enable automatic hostname checks */
|
|
// X509_VERIFY_PARAM_set_hostflags(param,
|
|
// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
|
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
|
|
}
|
|
|
|
if (wsi->vhost->tls.alpn)
|
|
alpn_comma = wsi->vhost->tls.alpn;
|
|
|
|
if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
|
|
_WSI_TOKEN_CLIENT_ALPN) > 0)
|
|
alpn_comma = hostname;
|
|
|
|
lwsl_info("%s: %p: client conn sending ALPN list '%s'\n",
|
|
__func__, wsi, alpn_comma);
|
|
|
|
protos.len = lws_alpn_comma_to_openssl(alpn_comma, protos.data,
|
|
sizeof(protos.data) - 1);
|
|
|
|
/* with mbedtls, protos is not pointed to after exit from this call */
|
|
SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
|
|
|
|
/*
|
|
* use server name indication (SNI), if supported,
|
|
* when establishing connection
|
|
*/
|
|
SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
|
|
OpenSSL_client_verify_callback);
|
|
|
|
SSL_set_fd(wsi->tls.ssl, wsi->desc.sockfd);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int ERR_get_error(void)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
enum lws_ssl_capable_status
|
|
lws_tls_client_connect(struct lws *wsi)
|
|
{
|
|
int m, n = SSL_connect(wsi->tls.ssl);
|
|
const unsigned char *prot;
|
|
unsigned int len;
|
|
|
|
if (n == 1) {
|
|
SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
|
|
lws_role_call_alpn_negotiated(wsi, (const char *)prot);
|
|
lwsl_info("client connect OK\n");
|
|
return LWS_SSL_CAPABLE_DONE;
|
|
}
|
|
|
|
m = SSL_get_error(wsi->tls.ssl, n);
|
|
|
|
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
|
|
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
|
|
|
|
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
|
|
return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
|
|
|
|
if (!n) /* we don't know what he wants, but he says to retry */
|
|
return LWS_SSL_CAPABLE_MORE_SERVICE;
|
|
|
|
return LWS_SSL_CAPABLE_ERROR;
|
|
}
|
|
|
|
int
|
|
lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
|
|
{
|
|
int n;
|
|
X509 *peer = SSL_get_peer_certificate(wsi->tls.ssl);
|
|
struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
|
|
char *sb = (char *)&pt->serv_buf[0];
|
|
|
|
if (!peer) {
|
|
lwsl_info("peer did not provide cert\n");
|
|
lws_snprintf(ebuf, ebuf_len, "no peer cert");
|
|
|
|
return -1;
|
|
}
|
|
lwsl_info("peer provided cert\n");
|
|
|
|
n = SSL_get_verify_result(wsi->tls.ssl);
|
|
lwsl_debug("get_verify says %d\n", n);
|
|
|
|
if (n == X509_V_OK)
|
|
return 0;
|
|
|
|
if (n == X509_V_ERR_HOSTNAME_MISMATCH &&
|
|
(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
|
|
lwsl_info("accepting certificate for invalid hostname\n");
|
|
return 0;
|
|
}
|
|
|
|
if (n == X509_V_ERR_INVALID_CA &&
|
|
(wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)) {
|
|
lwsl_info("accepting certificate from untrusted CA\n");
|
|
return 0;
|
|
}
|
|
|
|
if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
|
|
n == X509_V_ERR_CERT_HAS_EXPIRED) &&
|
|
(wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED)) {
|
|
lwsl_info("accepting expired or not yet valid certificate\n");
|
|
|
|
return 0;
|
|
}
|
|
lws_snprintf(ebuf, ebuf_len,
|
|
"server's cert didn't look good, (use_ssl 0x%x) X509_V_ERR = %d: %s\n",
|
|
(unsigned int)wsi->tls.use_ssl, n, ERR_error_string(n, sb));
|
|
lwsl_info("%s\n", ebuf);
|
|
lws_tls_err_describe_clear();
|
|
|
|
return -1;
|
|
}
|
|
|
|
int
|
|
lws_tls_client_create_vhost_context(struct lws_vhost *vh,
|
|
const struct lws_context_creation_info *info,
|
|
const char *cipher_list,
|
|
const char *ca_filepath,
|
|
const void *ca_mem,
|
|
unsigned int ca_mem_len,
|
|
const char *cert_filepath,
|
|
const void *cert_mem,
|
|
unsigned int cert_mem_len,
|
|
const char *private_key_filepath)
|
|
{
|
|
X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
|
|
SSL_METHOD *method = (SSL_METHOD *)TLS_client_method();
|
|
unsigned long error;
|
|
int n;
|
|
|
|
if (!method) {
|
|
error = ERR_get_error();
|
|
lwsl_err("problem creating ssl method %lu: %s\n",
|
|
error, ERR_error_string(error,
|
|
(char *)vh->context->pt[0].serv_buf));
|
|
return 1;
|
|
}
|
|
/* create context */
|
|
vh->tls.ssl_client_ctx = SSL_CTX_new(method);
|
|
if (!vh->tls.ssl_client_ctx) {
|
|
error = ERR_get_error();
|
|
lwsl_err("problem creating ssl context %lu: %s\n",
|
|
error, ERR_error_string(error,
|
|
(char *)vh->context->pt[0].serv_buf));
|
|
return 1;
|
|
}
|
|
|
|
if (!ca_filepath && (!ca_mem || !ca_mem_len))
|
|
return 0;
|
|
|
|
if (ca_filepath) {
|
|
#if !defined(LWS_PLAT_OPTEE)
|
|
uint8_t *buf;
|
|
lws_filepos_t len;
|
|
|
|
if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
|
|
lwsl_err("Load CA cert file %s failed\n", ca_filepath);
|
|
return 1;
|
|
}
|
|
vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
|
|
free(buf);
|
|
lwsl_notice("Loading client CA for verification %s\n", ca_filepath);
|
|
#endif
|
|
} else {
|
|
vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
|
|
lwsl_notice("%s: using mem client CA cert %d\n",
|
|
__func__, ca_mem_len);
|
|
}
|
|
|
|
if (!vh->tls.x509_client_CA) {
|
|
lwsl_err("client CA: x509 parse failed\n");
|
|
return 1;
|
|
}
|
|
|
|
if (!vh->tls.ssl_ctx)
|
|
SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
|
|
else
|
|
SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
|
|
|
|
/* support for client-side certificate authentication */
|
|
if (cert_filepath) {
|
|
#if !defined(LWS_PLAT_OPTEE)
|
|
uint8_t *buf;
|
|
lws_filepos_t amount;
|
|
|
|
if (lws_tls_use_any_upgrade_check_extant(cert_filepath) !=
|
|
LWS_TLS_EXTANT_YES &&
|
|
(info->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT))
|
|
return 0;
|
|
|
|
lwsl_notice("%s: doing cert filepath %s\n", __func__,
|
|
cert_filepath);
|
|
|
|
if (alloc_file(vh->context, cert_filepath, &buf, &amount))
|
|
return 1;
|
|
|
|
buf[amount++] = '\0';
|
|
|
|
SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
|
|
buf, amount);
|
|
|
|
n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
|
|
amount, buf);
|
|
lws_free(buf);
|
|
if (n < 1) {
|
|
lwsl_err("problem %d getting cert '%s'\n", n,
|
|
cert_filepath);
|
|
lws_tls_err_describe_clear();
|
|
return 1;
|
|
}
|
|
|
|
lwsl_notice("Loaded client cert %s\n", cert_filepath);
|
|
#endif
|
|
} else if (cert_mem && cert_mem_len) {
|
|
// lwsl_hexdump_notice(cert_mem, cert_mem_len - 1);
|
|
SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
|
|
cert_mem, cert_mem_len - 1);
|
|
n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
|
|
cert_mem_len, cert_mem);
|
|
if (n < 1) {
|
|
lwsl_err("%s: problem interpreting client cert\n",
|
|
__func__);
|
|
lws_tls_err_describe_clear();
|
|
return 1;
|
|
}
|
|
lwsl_notice("%s: using mem client cert %d\n",
|
|
__func__, cert_mem_len);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
lws_tls_client_vhost_extra_cert_mem(struct lws_vhost *vh,
|
|
const uint8_t *der, size_t der_len)
|
|
{
|
|
if (SSL_CTX_add_client_CA_ASN1(vh->tls.ssl_client_ctx, der_len, der) != 1) {
|
|
lwsl_err("%s: failed\n", __func__);
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|