stv0g/libwebsockets
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

polarssl implementation

Browse source 
Signed-off-by: Andy Green <andy@warmcat.com>
This commit is contained in:
Andy Green 2016-04-17 11:28:43 +08:00
parent 19f61e59b0
commit 451cee5d47
15 changed files with 494 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
README.build.md
View file

@ -327,6 +327,19 @@ cmake .. -DLWS_USE_CYASSL=1 \
**NOTE**: On windows use the .lib file extension for `LWS_CYASSL_LIBRARIES` instead.
Compiling libwebsockets with PolarSSL
-------------------------------------
Caution... at some point PolarSSL became MbedTLS. But it did not happen all at once.
The name changed first then at mbedTLS 2.0 the apis changed. So eg in Fedora 22,
there is an "mbedtls" package which is actually using polarssl for the include dir
and polarssl apis... this should be treated as polarssl then.
Example config for this case is
cmake .. -DLWS_USE_POLARSSL=1 -DLWS_POLARSSL_LIBRARIES=/usr/lib64/libmbedtls.so \
-DLWS_POLARSSL_INCLUDE_DIRS=/usr/include/polarssl/
Reproducing HTTP2.0 tests
-------------------------

10
lib/libwebsockets.h
View file

@ -215,13 +215,19 @@ struct sockaddr_in;
#else
#if defined(LWS_USE_POLARSSL)
#include <polarssl/ssl.h>
#define SSL_CTX ssl_context
#define SSL ssl_session
struct lws_polarssl_context {
x509_crt ca;
x509_crt certificate;
rsa_context key;
};
typedef struct lws_polarssl_context SSL_CTX;
typedef ssl_context SSL;
#else
#if defined(LWS_USE_MBEDTLS)
#include <mbedtls/ssl.h>
#else
#include <openssl/ssl.h>
#include <openssl/err.h>
#endif /* not USE_MBEDTLS */
#endif /* not USE_POLARSSL */
#endif /* not USE_WOLFSSL */

3
lib/private-libwebsockets.h
View file

@ -200,6 +200,9 @@ static inline int compatible_close(int fd) { return close(fd); }
#include <polarssl/md5.h>
#include <polarssl/sha1.h>
#include <polarssl/ecdh.h>
#define SSL_ERROR_WANT_READ POLARSSL_ERR_NET_WANT_READ
#define SSL_ERROR_WANT_WRITE POLARSSL_ERR_NET_WANT_WRITE
#define OPENSSL_VERSION_NUMBER 0x10002000L
#else
#if defined(LWS_USE_MBEDTLS)
#include <mbedtls/ssl.h>

4
lib/sha-1.c
View file

@ -189,7 +189,7 @@ sha1_step(struct sha1_ctxt *ctxt)
/*------------------------------------------------------------*/
static void
sha1_init(struct sha1_ctxt *ctxt)
_sha1_init(struct sha1_ctxt *ctxt)
{
bzero(ctxt, sizeof(struct sha1_ctxt));
H(0) = 0x67452301;
@ -290,7 +290,7 @@ lws_SHA1(const unsigned char *d, size_t n, unsigned char *md)
{
struct sha1_ctxt ctx;
sha1_init(&ctx);
_sha1_init(&ctx);
sha1_loop(&ctx, d, n);
sha1_result(&ctx, (void *)md);

69
lib/ssl-client.c
View file

@ -1,7 +1,7 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010-2014 Andy Green <andy@warmcat.com>
* Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -27,9 +27,16 @@ extern int openssl_websocket_private_data_index,
extern void
lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info);
extern int lws_ssl_get_error(struct lws *wsi, int n);
int
lws_ssl_client_bio_create(struct lws *wsi)
{
#if defined(LWS_USE_POLARSSL)
return 0;
#else
#if defined(LWS_USE_MBEDTLS)
#else
struct lws_context *context = wsi->context;
#if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
const char *hostname = lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_HOST);
@ -93,24 +100,29 @@ lws_ssl_client_bio_create(struct lws *wsi)
context);
return 0;
#endif
#endif
}
int
lws_ssl_client_connect1(struct lws *wsi)
{
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
int n;
int n = 0;
lws_latency_pre(context, wsi);
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_connect(wsi->ssl);
#endif
#endif
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
n = lws_ssl_get_error(wsi, n);
if (n == SSL_ERROR_WANT_READ)
goto some_wait;
@ -143,12 +155,22 @@ some_wait:
* retry if new data comes until we
* run into the connection timeout or win
*/
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
#endif
#endif
}
return 1;
@ -158,19 +180,31 @@ int
lws_ssl_client_connect2(struct lws *wsi)
{
struct lws_context *context = wsi->context;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
int n;
#endif
#endif
int n = 0;
if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {
lws_latency_pre(context, wsi);
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_connect(wsi->ssl);
#endif
#endif
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_WAITING_SSL", n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
n = lws_ssl_get_error(wsi, n);
if (n == SSL_ERROR_WANT_READ) {
wsi->mode = LWSCM_WSCL_WAITING_SSL;
@ -206,15 +240,25 @@ lws_ssl_client_connect2(struct lws *wsi)
* retry if new data comes until we
* run into the connection timeout or win
*/
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
#endif
#endif
}
}
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#ifndef USE_WOLFSSL
/*
* See comment above about wolfSSL certificate
@ -239,6 +283,8 @@ lws_ssl_client_connect2(struct lws *wsi)
}
}
#endif /* USE_WOLFSSL */
#endif
#endif
return 1;
}
@ -247,6 +293,11 @@ lws_ssl_client_connect2(struct lws *wsi)
int lws_context_init_client_ssl(struct lws_context_creation_info *info,
struct lws_vhost *vhost)
{
#if defined(LWS_USE_POLARSSL)
return 0;
#else
#if defined(LWS_USE_MBEDTLS)
#else
int error;
int n;
SSL_METHOD *method;
@ -379,4 +430,6 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
vhost->ssl_client_ctx, NULL, 0);
return 0;
#endif
#endif
}

115
lib/ssl-server.c
View file

@ -1,7 +1,7 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010-2014 Andy Green <andy@warmcat.com>
* Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -21,6 +21,11 @@
#include "private-libwebsockets.h"
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
extern int openssl_websocket_private_data_index,
openssl_SSL_CTX_private_data_index;
@ -190,11 +195,13 @@ lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
}
#endif
#endif
#endif
LWS_VISIBLE int
lws_context_init_server_ssl(struct lws_context_creation_info *info,
struct lws_vhost *vhost)
{
SSL_METHOD *method;
struct lws_context *context = vhost->context;
struct lws wsi;
int error;
@ -224,7 +231,70 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
*/
memset(&wsi, 0, sizeof(wsi));
wsi.vhost = vhost;
wsi.context = vhost->context;
wsi.context = context;
(void)n;
(void)error;
#if defined(LWS_USE_POLARSSL)
lwsl_notice(" Compiled with PolarSSL support\n");
vhost->ssl_ctx = lws_zalloc(sizeof (*vhost->ssl_ctx));
/* Load the trusted CA */
if (info->ssl_ca_filepath) {
n = x509_crt_parse_file(&vhost->ssl_ctx->ca,
info->ssl_ca_filepath);
if (n < 0) {
// error_strerror(ret, errorbuf, sizeof(errorbuf));
lwsl_err("%s: Failed to load ca cert\n", __func__);
return -1;
}
}
/* Load our cert */
if (info->ssl_cert_filepath) {
n = x509_crt_parse_file(&vhost->ssl_ctx->certificate,
info->ssl_cert_filepath);
if (n < 0) {
// error_strerror(ret, errorbuf, sizeof(errorbuf));
lwsl_err("%s: Failed to load cert\n", __func__);
return -1;
}
}
/* Load cert private key */
if (info->ssl_private_key_filepath) {
pk_context pk;
pk_init(&pk);
n = pk_parse_keyfile(&pk, info->ssl_private_key_filepath,
info->ssl_private_key_password);
if (!n && !pk_can_do(&pk, POLARSSL_PK_RSA))
n = POLARSSL_ERR_PK_TYPE_MISMATCH;
if (!n)
rsa_copy(&vhost->ssl_ctx->key, pk_rsa(pk));
else
rsa_free(&vhost->ssl_ctx->key);
pk_free(&pk);
if (n) {
//error_strerror(ret, errorbuf, sizeof(errorbuf));
lwsl_err("%s: error reading private key\n", __func__);
return -1;
}
}
#else
#if defined(LWS_USE_MBEDTLS)
lwsl_notice(" Compiled with mbedTLS support\n");
#else
/*
* Firefox insists on SSLv23 not SSLv3
@ -235,21 +305,25 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
* tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options()
*/
method = (SSL_METHOD *)SSLv23_server_method();
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
{
SSL_METHOD *method;
method = (SSL_METHOD *)SSLv23_server_method();
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
}
vhost->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->ssl_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
return 1;
}
vhost->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->ssl_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
return 1;
}
}
/* associate the lws context with the SSL_CTX */
@ -270,10 +344,12 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
/* as a server, are we requiring clients to identify themselves? */
if (lws_check_opt(info->options, LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
if (lws_check_opt(info->options,
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
int verify_options = SSL_VERIFY_PEER;
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
if (!lws_check_opt(info->options,
LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_session_id_context(vhost->ssl_ctx,
@ -369,6 +445,9 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
lws_context_init_http2_ssl(vhost);
}
#endif
#endif
return 0;
}

238
lib/ssl.c
View file

@ -1,7 +1,7 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010-2014 Andy Green <andy@warmcat.com>
* Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -21,9 +21,59 @@
#include "private-libwebsockets.h"
#if defined(LWS_USE_POLARSSL)
static const int ciphers[] =
{
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
0
};
static int urandom_bytes(void *ctx, unsigned char *dest, size_t len)
{
int cur;
int fd = open("/dev/urandom", O_RDONLY);
while (len) {
cur = read(fd, dest, len);
if (cur < 0)
continue;
len -= cur;
}
close(fd);
return 0;
}
static void pssl_debug(void *ctx, int level, const char *str)
{
lwsl_err("PolarSSL [level %d]: %s", level, str);
}
#endif
int openssl_websocket_private_data_index,
openssl_SSL_CTX_private_data_index;
int lws_ssl_get_error(struct lws *wsi, int n)
{
#if defined(LWS_USE_POLARSSL)
#define ERR_error_string(a, b) ""
return n;
#else
#if defined(LWS_USE_MBEDTLS)
return n;
#else
return SSL_get_error(wsi->ssl, n);
#endif
#endif
}
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
static int
lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata)
{
@ -35,12 +85,18 @@ lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userd
return strlen(buf);
}
#endif
#endif
void
lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info)
{
if (!info->ssl_private_key_password)
return;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
/*
* password provided, set ssl callback and user data
* for checking password which will be trigered during
@ -48,6 +104,8 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info
*/
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info);
SSL_CTX_set_default_passwd_cb(ssl_ctx, lws_context_init_ssl_pem_passwd_cb);
#endif
#endif
}
int
@ -59,8 +117,16 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
#else
lwsl_notice(" Compiled with wolfSSL support\n");
#endif
#else
#if defined(LWS_USE_POLARSSL)
lwsl_notice(" Compiled with PolarSSL support\n");
#else
#if defined(LWS_USE_MBEDTLS)
lwsl_notice(" Compiled with mbedTLS support\n");
#else
lwsl_notice(" Compiled with OpenSSL support\n");
#endif
#endif
#endif
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
@ -70,6 +136,10 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
/* basic openssl init */
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_library_init();
OpenSSL_add_all_algorithms();
@ -80,6 +150,8 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0,
NULL, NULL, NULL, NULL);
#endif
#endif
return 0;
}
@ -88,9 +160,15 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
LWS_VISIBLE void
lws_ssl_destroy(struct lws_vhost *vhost)
{
if (!lws_check_opt(vhost->context->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
if (!lws_check_opt(vhost->context->options,
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
return;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
if (vhost->ssl_ctx)
SSL_CTX_free(vhost->ssl_ctx);
if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
@ -108,18 +186,25 @@ lws_ssl_destroy(struct lws_vhost *vhost)
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#endif
#endif
}
LWS_VISIBLE void
lws_decode_ssl_error(void)
{
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
char buf[256];
u_long err;
while ((err = ERR_get_error()) != 0) {
ERR_error_string_n(err, buf, sizeof(buf));
lwsl_err("*** %lu %s\n", err, buf);
}
#endif
#endif
}
LWS_VISIBLE void
@ -155,18 +240,25 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
{
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n;
int n = 0;
if (!wsi->ssl)
return lws_ssl_capable_read_no_ssl(wsi, buf, len);
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_read(wsi->ssl, buf, len);
#endif
#endif
/* manpage: returning 0 means connection shut down */
if (!n)
return LWS_SSL_CAPABLE_ERROR;
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
n = lws_ssl_get_error(wsi, n);
if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE)
return LWS_SSL_CAPABLE_MORE_SERVICE;
@ -187,8 +279,16 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
goto bail;
if (!wsi->ssl)
goto bail;
#if defined(LWS_USE_POLARSSL)
if (ssl_get_bytes_avail(wsi->ssl) <= 0)
goto bail;
#else
#if defined(LWS_USE_MBEDTLS)
#else
if (!SSL_pending(wsi->ssl))
goto bail;
#endif
#endif
if (wsi->pending_read_list_next)
return n;
if (wsi->pending_read_list_prev)
@ -216,8 +316,15 @@ lws_ssl_pending(struct lws *wsi)
{
if (!wsi->ssl)
return 0;
#if defined(LWS_USE_POLARSSL)
return ssl_get_bytes_avail(wsi->ssl) > 0;
#else
#if defined(LWS_USE_MBEDTLS)
return ssl_get_bytes_avail(wsi->ssl) > 0;;
#else
return SSL_pending(wsi->ssl);
#endif
#endif
}
LWS_VISIBLE int
@ -228,11 +335,18 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
if (!wsi->ssl)
return lws_ssl_capable_write_no_ssl(wsi, buf, len);
#if defined(LWS_USE_POLARSSL)
n = ssl_write(wsi->ssl, buf, len);
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_write(wsi->ssl, buf, len);
#endif
#endif
if (n > 0)
return n;
n = SSL_get_error(wsi->ssl, n);
n = lws_ssl_get_error(wsi, n);
if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE) {
if (n == SSL_ERROR_WANT_WRITE)
lws_set_blocking_send(wsi);
@ -250,10 +364,19 @@ lws_ssl_close(struct lws *wsi)
if (!wsi->ssl)
return 0; /* not handled */
#if defined(LWS_USE_POLARSSL)
ssl_close_notify(wsi->ssl);
(void)n; /* we need to close the fd? */
ssl_free(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_get_fd(wsi->ssl);
SSL_shutdown(wsi->ssl);
compatible_close(n);
SSL_free(wsi->ssl);
#endif
#endif
wsi->ssl = NULL;
return 1; /* handled */
@ -267,7 +390,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n, m;
#ifndef USE_WOLFSSL
#if !defined(USE_WOLFSSL) && !defined(LWS_USE_POLARSSL) && !defined(LWS_USE_MBEDTLS)
BIO *bio;
#endif
@ -282,10 +405,48 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
if (accept_fd == LWS_SOCK_INVALID)
assert(0);
#if defined(LWS_USE_POLARSSL)
{
ssl_session *ssn;
int rc;
wsi->ssl = lws_zalloc(sizeof(ssl_context));
ssn = lws_zalloc(sizeof(ssl_session));
rc = ssl_init(wsi->ssl);
if (rc) {
lwsl_err("ssl_init failed\n");
goto fail;
}
ssl_set_endpoint(wsi->ssl, SSL_IS_SERVER);
ssl_set_authmode(wsi->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(wsi->ssl, urandom_bytes, NULL);
ssl_set_dbg(wsi->ssl, pssl_debug, NULL);
ssl_set_bio(wsi->ssl, net_recv, &wsi->sock, net_send, &wsi->sock);
ssl_set_ciphersuites(wsi->ssl, ciphers);
ssl_set_session(wsi->ssl, ssn);
ssl_set_ca_chain(wsi->ssl, &wsi->vhost->ssl_ctx->ca,
NULL, NULL);
ssl_set_own_cert_rsa(wsi->ssl,
&wsi->vhost->ssl_ctx->certificate,
&wsi->vhost->ssl_ctx->key);
// ssl_set_dh_param(wsi->ssl, my_dhm_P, my_dhm_G);
lwsl_err("%s: polarssl init done\n", __func__);
}
#else
#if defined(LWS_USE_MBEDTLS)
#else
wsi->ssl = SSL_new(wsi->vhost->ssl_ctx);
if (wsi->ssl == NULL) {
lwsl_err("SSL_new failed: %s\n",
ERR_error_string(SSL_get_error(wsi->ssl, 0), NULL));
ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
lws_decode_ssl_error();
if (accept_fd != LWS_SOCK_INVALID)
compatible_close(accept_fd);
@ -296,6 +457,8 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
openssl_websocket_private_data_index, wsi->vhost);
SSL_set_fd(wsi->ssl, accept_fd);
#endif
#endif
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
@ -303,6 +466,11 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
bio = SSL_get_rbio(wsi->ssl);
@ -315,6 +483,8 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
BIO_set_nbio(bio, 1); /* nonblocking */
else
lwsl_notice("NULL rbio\n");
#endif
#endif
#endif
/*
@ -368,8 +538,16 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
* connection upgrade directly.
*/
wsi->use_ssl = 0;
#if defined(LWS_USE_POLARSSL)
ssl_close_notify(wsi->ssl);
ssl_free(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_shutdown(wsi->ssl);
SSL_free(wsi->ssl);
#endif
#endif
wsi->ssl = NULL;
if (lws_check_opt(context->options,
LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS))
@ -396,15 +574,21 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
}
/* normal SSL connection processing path */
#if defined(LWS_USE_POLARSSL)
n = ssl_handshake(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_accept(wsi->ssl);
#endif
#endif
lws_latency(context, wsi,
"SSL_accept LWSCM_SSL_ACK_PENDING\n", n, n == 1);
if (n == 1)
goto accepted;
m = SSL_get_error(wsi->ssl, n);
m = lws_ssl_get_error(wsi, n);
lwsl_debug("SSL_accept failed %d / %s\n",
m, ERR_error_string(m, NULL));
go_again:
@ -428,6 +612,10 @@ go_again:
lwsl_err("SSL_accept failed skt %u: %s\n",
wsi->sock, ERR_error_string(m, NULL));
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
{
char buf[256];
u_long err;
@ -437,6 +625,8 @@ go_again:
lwsl_err("*** %s\n", buf);
}
}
#endif
#endif
goto fail;
accepted:
@ -461,15 +651,35 @@ fail:
void
lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
{
if (vhost->ssl_ctx)
if (vhost->ssl_ctx) {
#if defined(LWS_USE_POLARSSL)
lws_free(vhost->ssl_ctx);
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_CTX_free(vhost->ssl_ctx);
if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
#endif
#endif
}
if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx) {
#if defined(LWS_USE_POLARSSL)
lws_free(vhost->ssl_client_ctx);
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_CTX_free(vhost->ssl_client_ctx);
#endif
#endif
}
}
void
lws_ssl_context_destroy(struct lws_context *context)
{
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL)
ERR_remove_state(0);
#else
@ -482,4 +692,6 @@ lws_ssl_context_destroy(struct lws_context *context)
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#endif
#endif
}

1
plugins/protocol_lws_mirror.c
View file

@ -19,6 +19,7 @@
*/
#include "../lib/libwebsockets.h"
#include <string.h>
#include <stdlib.h>
/* lws-mirror_protocol */

1
plugins/protocol_lws_server_status.c
View file

@ -19,6 +19,7 @@
*/
#include "../lib/libwebsockets.h"
#include <string.h>
#include <stdlib.h>
#define LWS_SS_VERSIONS 3

30
test-server/test-client.c
View file

@ -35,16 +35,18 @@
#include "../lib/libwebsockets.h"
#ifdef LWS_OPENSSL_SUPPORT
#include <openssl/err.h>
#endif
static int deny_deflate, deny_mux, longlived, mirror_lifetime;
static struct lws *wsi_dumb, *wsi_mirror;
static volatile int force_exit;
static unsigned int opts;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
static char crl_path[1024] = "";
char crl_path[1024] = "";
#endif
#endif
#endif
/*
@ -133,6 +135,10 @@ callback_dumb_increment(struct lws *wsi, enum lws_callback_reasons reason,
force_exit = 1;
break;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS:
if (crl_path[0]) {
@ -152,6 +158,8 @@ callback_dumb_increment(struct lws *wsi, enum lws_callback_reasons reason,
}
}
break;
#endif
#endif
#endif
default:
@ -368,10 +376,16 @@ int main(int argc, char **argv)
case 'A':
strncpy(ca_path, optarg, sizeof ca_path);
break;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
case 'R':
strncpy(crl_path, optarg, sizeof crl_path);
break;
#endif
#endif
#endif
case 'h':
goto usage;
@ -431,9 +445,15 @@ int main(int argc, char **argv)
*/
if (ca_path[0])
info.ssl_ca_filepath = ca_path;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
else if (crl_path[0])
lwsl_notice("WARNING, providing a CRL requires a CA cert!\n");
#endif
#endif
#endif
}

18
test-server/test-server-http.c
View file

@ -34,13 +34,15 @@
* using this protocol, including the sender
*/
#ifdef LWS_OPENSSL_SUPPORT
#include <openssl/err.h>
#endif
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
/* location of the certificate revocation list */
char crl_path[1024] = "";
extern char crl_path[1024];
#endif
#endif
#endif
extern int debug_level;
@ -629,6 +631,10 @@ bail:
break;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT)
case LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION:
/* Verify the client certificate */
@ -660,6 +666,8 @@ bail:
}
break;
#endif
#endif
#endif
#endif
default:

10
test-server/test-server-libev.c
View file

@ -30,6 +30,16 @@ struct lws_plat_file_ops fops_plat;
#define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server"
char *resource_path = LOCAL_RESOURCE_PATH;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
char crl_path[1024] = "";
#endif
#endif
#endif
/*
* libev dumps their hygiene problems on their users blaming compiler
* http://lists.schmorp.de/pipermail/libev/2008q4/000442.html

10
test-server/test-server-libuv.c
View file

@ -31,6 +31,16 @@ struct lws_plat_file_ops fops_plat;
#define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server"
char *resource_path = LOCAL_RESOURCE_PATH;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
char crl_path[1024] = "";
#endif
#endif
#endif
/* singlethreaded version --> no locks */
void test_server_lock(int care)

10
test-server/test-server-pthreads.c
View file

@ -33,6 +33,16 @@ int count_pollfds;
volatile int force_exit = 0;
struct lws_context *context;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
char crl_path[1024] = "";
#endif
#endif
#endif
/*
* This mutex lock protects code that changes or relies on wsi list outside of
* the service thread. The service thread will acquire it when changing the

15
test-server/test-server.c
View file

@ -36,6 +36,15 @@ struct lws_plat_file_ops fops_plat;
/* http server gets files from this path */
#define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server"
char *resource_path = LOCAL_RESOURCE_PATH;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
char crl_path[1024] = "";
#endif
#endif
#endif
/* singlethreaded version --> no locks */
@ -269,11 +278,17 @@ int main(int argc, char **argv)
use_ssl = 1;
opts |= LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;
break;
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
#if defined(LWS_HAVE_SSL_CTX_set1_param)
case 'R':
strncpy(crl_path, optarg, sizeof crl_path);
break;
#endif
#endif
#endif
#endif
case 'h':
fprintf(stderr, "Usage: test-server "