diff --git a/README.build.md b/README.build.md index 7c1d4b0a..5ddd4ec5 100644 --- a/README.build.md +++ b/README.build.md @@ -327,6 +327,19 @@ cmake .. -DLWS_USE_CYASSL=1 \ **NOTE**: On windows use the .lib file extension for `LWS_CYASSL_LIBRARIES` instead. +Compiling libwebsockets with PolarSSL +------------------------------------- + +Caution... at some point PolarSSL became MbedTLS. But it did not happen all at once. +The name changed first then at mbedTLS 2.0 the apis changed. So eg in Fedora 22, +there is an "mbedtls" package which is actually using polarssl for the include dir +and polarssl apis... this should be treated as polarssl then. + +Example config for this case is + +cmake .. -DLWS_USE_POLARSSL=1 -DLWS_POLARSSL_LIBRARIES=/usr/lib64/libmbedtls.so \ + -DLWS_POLARSSL_INCLUDE_DIRS=/usr/include/polarssl/ + Reproducing HTTP2.0 tests ------------------------- diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h index 60bbe4f2..5265dc9e 100644 --- a/lib/libwebsockets.h +++ b/lib/libwebsockets.h @@ -215,13 +215,19 @@ struct sockaddr_in; #else #if defined(LWS_USE_POLARSSL) #include -#define SSL_CTX ssl_context -#define SSL ssl_session +struct lws_polarssl_context { + x509_crt ca; + x509_crt certificate; + rsa_context key; +}; +typedef struct lws_polarssl_context SSL_CTX; +typedef ssl_context SSL; #else #if defined(LWS_USE_MBEDTLS) #include #else #include +#include #endif /* not USE_MBEDTLS */ #endif /* not USE_POLARSSL */ #endif /* not USE_WOLFSSL */ diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h index 60c038ca..e6afc544 100644 --- a/lib/private-libwebsockets.h +++ b/lib/private-libwebsockets.h @@ -200,6 +200,9 @@ static inline int compatible_close(int fd) { return close(fd); } #include #include #include +#define SSL_ERROR_WANT_READ POLARSSL_ERR_NET_WANT_READ +#define SSL_ERROR_WANT_WRITE POLARSSL_ERR_NET_WANT_WRITE +#define OPENSSL_VERSION_NUMBER 0x10002000L #else #if defined(LWS_USE_MBEDTLS) #include diff --git a/lib/sha-1.c b/lib/sha-1.c index f5d58c7a..9353fbef 100644 --- a/lib/sha-1.c +++ b/lib/sha-1.c @@ -189,7 +189,7 @@ sha1_step(struct sha1_ctxt *ctxt) /*------------------------------------------------------------*/ static void -sha1_init(struct sha1_ctxt *ctxt) +_sha1_init(struct sha1_ctxt *ctxt) { bzero(ctxt, sizeof(struct sha1_ctxt)); H(0) = 0x67452301; @@ -290,7 +290,7 @@ lws_SHA1(const unsigned char *d, size_t n, unsigned char *md) { struct sha1_ctxt ctx; - sha1_init(&ctx); + _sha1_init(&ctx); sha1_loop(&ctx, d, n); sha1_result(&ctx, (void *)md); diff --git a/lib/ssl-client.c b/lib/ssl-client.c index 4ae10a6c..14fc99c0 100644 --- a/lib/ssl-client.c +++ b/lib/ssl-client.c @@ -1,7 +1,7 @@ /* * libwebsockets - small server side websockets and web server implementation * - * Copyright (C) 2010-2014 Andy Green + * Copyright (C) 2010-2016 Andy Green * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -27,9 +27,16 @@ extern int openssl_websocket_private_data_index, extern void lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info); +extern int lws_ssl_get_error(struct lws *wsi, int n); + int lws_ssl_client_bio_create(struct lws *wsi) { +#if defined(LWS_USE_POLARSSL) + return 0; +#else +#if defined(LWS_USE_MBEDTLS) +#else struct lws_context *context = wsi->context; #if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME) const char *hostname = lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_HOST); @@ -93,24 +100,29 @@ lws_ssl_client_bio_create(struct lws *wsi) context); return 0; +#endif +#endif } int lws_ssl_client_connect1(struct lws *wsi) { struct lws_context *context = wsi->context; - struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; - char *p = (char *)&pt->serv_buf[0]; - char *sb = p; - int n; + int n = 0; lws_latency_pre(context, wsi); +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_connect(wsi->ssl); +#endif +#endif lws_latency(context, wsi, "SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0); if (n < 0) { - n = SSL_get_error(wsi->ssl, n); + n = lws_ssl_get_error(wsi, n); if (n == SSL_ERROR_WANT_READ) goto some_wait; @@ -143,12 +155,22 @@ some_wait: * retry if new data comes until we * run into the connection timeout or win */ +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else n = ERR_get_error(); + if (n != SSL_ERROR_NONE) { + struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; + char *p = (char *)&pt->serv_buf[0]; + char *sb = p; lwsl_err("SSL connect error %lu: %s\n", n, ERR_error_string(n, sb)); return 0; } +#endif +#endif } return 1; @@ -158,19 +180,31 @@ int lws_ssl_client_connect2(struct lws *wsi) { struct lws_context *context = wsi->context; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi]; char *p = (char *)&pt->serv_buf[0]; char *sb = p; - int n; +#endif +#endif + int n = 0; if (wsi->mode == LWSCM_WSCL_WAITING_SSL) { lws_latency_pre(context, wsi); +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_connect(wsi->ssl); +#endif +#endif lws_latency(context, wsi, "SSL_connect LWSCM_WSCL_WAITING_SSL", n, n > 0); if (n < 0) { - n = SSL_get_error(wsi->ssl, n); + n = lws_ssl_get_error(wsi, n); if (n == SSL_ERROR_WANT_READ) { wsi->mode = LWSCM_WSCL_WAITING_SSL; @@ -206,15 +240,25 @@ lws_ssl_client_connect2(struct lws *wsi) * retry if new data comes until we * run into the connection timeout or win */ +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else n = ERR_get_error(); if (n != SSL_ERROR_NONE) { lwsl_err("SSL connect error %lu: %s\n", n, ERR_error_string(n, sb)); return 0; } +#endif +#endif } } +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #ifndef USE_WOLFSSL /* * See comment above about wolfSSL certificate @@ -239,6 +283,8 @@ lws_ssl_client_connect2(struct lws *wsi) } } #endif /* USE_WOLFSSL */ +#endif +#endif return 1; } @@ -247,6 +293,11 @@ lws_ssl_client_connect2(struct lws *wsi) int lws_context_init_client_ssl(struct lws_context_creation_info *info, struct lws_vhost *vhost) { +#if defined(LWS_USE_POLARSSL) + return 0; +#else +#if defined(LWS_USE_MBEDTLS) +#else int error; int n; SSL_METHOD *method; @@ -379,4 +430,6 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info, vhost->ssl_client_ctx, NULL, 0); return 0; +#endif +#endif } diff --git a/lib/ssl-server.c b/lib/ssl-server.c index f544fbe9..762911f7 100644 --- a/lib/ssl-server.c +++ b/lib/ssl-server.c @@ -1,7 +1,7 @@ /* * libwebsockets - small server side websockets and web server implementation * - * Copyright (C) 2010-2014 Andy Green + * Copyright (C) 2010-2016 Andy Green * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -21,6 +21,11 @@ #include "private-libwebsockets.h" +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else + extern int openssl_websocket_private_data_index, openssl_SSL_CTX_private_data_index; @@ -190,11 +195,13 @@ lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg) } #endif +#endif +#endif + LWS_VISIBLE int lws_context_init_server_ssl(struct lws_context_creation_info *info, struct lws_vhost *vhost) { - SSL_METHOD *method; struct lws_context *context = vhost->context; struct lws wsi; int error; @@ -224,7 +231,70 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info, */ memset(&wsi, 0, sizeof(wsi)); wsi.vhost = vhost; - wsi.context = vhost->context; + wsi.context = context; + + (void)n; + (void)error; + +#if defined(LWS_USE_POLARSSL) + lwsl_notice(" Compiled with PolarSSL support\n"); + + vhost->ssl_ctx = lws_zalloc(sizeof (*vhost->ssl_ctx)); + + /* Load the trusted CA */ + + if (info->ssl_ca_filepath) { + n = x509_crt_parse_file(&vhost->ssl_ctx->ca, + info->ssl_ca_filepath); + + if (n < 0) { +// error_strerror(ret, errorbuf, sizeof(errorbuf)); + lwsl_err("%s: Failed to load ca cert\n", __func__); + return -1; + } + } + + /* Load our cert */ + + if (info->ssl_cert_filepath) { + n = x509_crt_parse_file(&vhost->ssl_ctx->certificate, + info->ssl_cert_filepath); + + if (n < 0) { +// error_strerror(ret, errorbuf, sizeof(errorbuf)); + lwsl_err("%s: Failed to load cert\n", __func__); + return -1; + } + } + + /* Load cert private key */ + + if (info->ssl_private_key_filepath) { + pk_context pk; + pk_init(&pk); + n = pk_parse_keyfile(&pk, info->ssl_private_key_filepath, + info->ssl_private_key_password); + + if (!n && !pk_can_do(&pk, POLARSSL_PK_RSA)) + n = POLARSSL_ERR_PK_TYPE_MISMATCH; + + if (!n) + rsa_copy(&vhost->ssl_ctx->key, pk_rsa(pk)); + else + rsa_free(&vhost->ssl_ctx->key); + pk_free(&pk); + + if (n) { + //error_strerror(ret, errorbuf, sizeof(errorbuf)); + lwsl_err("%s: error reading private key\n", __func__); + + return -1; + } + } +#else +#if defined(LWS_USE_MBEDTLS) + lwsl_notice(" Compiled with mbedTLS support\n"); +#else /* * Firefox insists on SSLv23 not SSLv3 @@ -235,21 +305,25 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info, * tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options() */ - method = (SSL_METHOD *)SSLv23_server_method(); - if (!method) { - error = ERR_get_error(); - lwsl_err("problem creating ssl method %lu: %s\n", - error, ERR_error_string(error, + { + SSL_METHOD *method; + + method = (SSL_METHOD *)SSLv23_server_method(); + if (!method) { + error = ERR_get_error(); + lwsl_err("problem creating ssl method %lu: %s\n", + error, ERR_error_string(error, (char *)context->pt[0].serv_buf)); - return 1; - } - vhost->ssl_ctx = SSL_CTX_new(method); /* create context */ - if (!vhost->ssl_ctx) { - error = ERR_get_error(); - lwsl_err("problem creating ssl context %lu: %s\n", - error, ERR_error_string(error, + return 1; + } + vhost->ssl_ctx = SSL_CTX_new(method); /* create context */ + if (!vhost->ssl_ctx) { + error = ERR_get_error(); + lwsl_err("problem creating ssl context %lu: %s\n", + error, ERR_error_string(error, (char *)context->pt[0].serv_buf)); - return 1; + return 1; + } } /* associate the lws context with the SSL_CTX */ @@ -270,10 +344,12 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info, /* as a server, are we requiring clients to identify themselves? */ - if (lws_check_opt(info->options, LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) { + if (lws_check_opt(info->options, + LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) { int verify_options = SSL_VERIFY_PEER; - if (!lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED)) + if (!lws_check_opt(info->options, + LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED)) verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_CTX_set_session_id_context(vhost->ssl_ctx, @@ -369,6 +445,9 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info, lws_context_init_http2_ssl(vhost); } +#endif +#endif + return 0; } diff --git a/lib/ssl.c b/lib/ssl.c index fe4c1607..2be1a0a2 100644 --- a/lib/ssl.c +++ b/lib/ssl.c @@ -1,7 +1,7 @@ /* * libwebsockets - small server side websockets and web server implementation * - * Copyright (C) 2010-2014 Andy Green + * Copyright (C) 2010-2016 Andy Green * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -21,9 +21,59 @@ #include "private-libwebsockets.h" +#if defined(LWS_USE_POLARSSL) +static const int ciphers[] = +{ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + 0 +}; + +static int urandom_bytes(void *ctx, unsigned char *dest, size_t len) +{ + int cur; + int fd = open("/dev/urandom", O_RDONLY); + + while (len) { + cur = read(fd, dest, len); + if (cur < 0) + continue; + len -= cur; + } + close(fd); + + return 0; +} + +static void pssl_debug(void *ctx, int level, const char *str) +{ + lwsl_err("PolarSSL [level %d]: %s", level, str); +} + +#endif + int openssl_websocket_private_data_index, openssl_SSL_CTX_private_data_index; +int lws_ssl_get_error(struct lws *wsi, int n) +{ +#if defined(LWS_USE_POLARSSL) +#define ERR_error_string(a, b) "" + return n; +#else +#if defined(LWS_USE_MBEDTLS) + return n; +#else + return SSL_get_error(wsi->ssl, n); +#endif +#endif +} + +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else static int lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata) { @@ -35,12 +85,18 @@ lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userd return strlen(buf); } +#endif +#endif void lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info) { if (!info->ssl_private_key_password) return; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else /* * password provided, set ssl callback and user data * for checking password which will be trigered during @@ -48,6 +104,8 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info */ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info); SSL_CTX_set_default_passwd_cb(ssl_ctx, lws_context_init_ssl_pem_passwd_cb); +#endif +#endif } int @@ -59,8 +117,16 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info) #else lwsl_notice(" Compiled with wolfSSL support\n"); #endif +#else +#if defined(LWS_USE_POLARSSL) + lwsl_notice(" Compiled with PolarSSL support\n"); +#else +#if defined(LWS_USE_MBEDTLS) + lwsl_notice(" Compiled with mbedTLS support\n"); #else lwsl_notice(" Compiled with OpenSSL support\n"); +#endif +#endif #endif if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) { @@ -70,6 +136,10 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info) /* basic openssl init */ +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else SSL_library_init(); OpenSSL_add_all_algorithms(); @@ -80,6 +150,8 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info) openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); +#endif +#endif return 0; } @@ -88,9 +160,15 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info) LWS_VISIBLE void lws_ssl_destroy(struct lws_vhost *vhost) { - if (!lws_check_opt(vhost->context->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) + if (!lws_check_opt(vhost->context->options, + LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) return; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else + if (vhost->ssl_ctx) SSL_CTX_free(vhost->ssl_ctx); if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx) @@ -108,18 +186,25 @@ lws_ssl_destroy(struct lws_vhost *vhost) ERR_free_strings(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); +#endif +#endif } LWS_VISIBLE void lws_decode_ssl_error(void) { +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else char buf[256]; u_long err; - while ((err = ERR_get_error()) != 0) { ERR_error_string_n(err, buf, sizeof(buf)); lwsl_err("*** %lu %s\n", err, buf); } +#endif +#endif } LWS_VISIBLE void @@ -155,18 +240,25 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len) { struct lws_context *context = wsi->context; struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; - int n; + int n = 0; if (!wsi->ssl) return lws_ssl_capable_read_no_ssl(wsi, buf, len); +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_read(wsi->ssl, buf, len); +#endif +#endif + /* manpage: returning 0 means connection shut down */ if (!n) return LWS_SSL_CAPABLE_ERROR; if (n < 0) { - n = SSL_get_error(wsi->ssl, n); + n = lws_ssl_get_error(wsi, n); if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE) return LWS_SSL_CAPABLE_MORE_SERVICE; @@ -187,8 +279,16 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len) goto bail; if (!wsi->ssl) goto bail; +#if defined(LWS_USE_POLARSSL) + if (ssl_get_bytes_avail(wsi->ssl) <= 0) + goto bail; +#else +#if defined(LWS_USE_MBEDTLS) +#else if (!SSL_pending(wsi->ssl)) goto bail; +#endif +#endif if (wsi->pending_read_list_next) return n; if (wsi->pending_read_list_prev) @@ -216,8 +316,15 @@ lws_ssl_pending(struct lws *wsi) { if (!wsi->ssl) return 0; - +#if defined(LWS_USE_POLARSSL) + return ssl_get_bytes_avail(wsi->ssl) > 0; +#else +#if defined(LWS_USE_MBEDTLS) + return ssl_get_bytes_avail(wsi->ssl) > 0;; +#else return SSL_pending(wsi->ssl); +#endif +#endif } LWS_VISIBLE int @@ -228,11 +335,18 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len) if (!wsi->ssl) return lws_ssl_capable_write_no_ssl(wsi, buf, len); +#if defined(LWS_USE_POLARSSL) + n = ssl_write(wsi->ssl, buf, len); +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_write(wsi->ssl, buf, len); +#endif +#endif if (n > 0) return n; - n = SSL_get_error(wsi->ssl, n); + n = lws_ssl_get_error(wsi, n); if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE) { if (n == SSL_ERROR_WANT_WRITE) lws_set_blocking_send(wsi); @@ -250,10 +364,19 @@ lws_ssl_close(struct lws *wsi) if (!wsi->ssl) return 0; /* not handled */ +#if defined(LWS_USE_POLARSSL) + ssl_close_notify(wsi->ssl); + (void)n; /* we need to close the fd? */ + ssl_free(wsi->ssl); +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_get_fd(wsi->ssl); SSL_shutdown(wsi->ssl); compatible_close(n); SSL_free(wsi->ssl); +#endif +#endif wsi->ssl = NULL; return 1; /* handled */ @@ -267,7 +390,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) struct lws_context *context = wsi->context; struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; int n, m; -#ifndef USE_WOLFSSL +#if !defined(USE_WOLFSSL) && !defined(LWS_USE_POLARSSL) && !defined(LWS_USE_MBEDTLS) BIO *bio; #endif @@ -282,10 +405,48 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) if (accept_fd == LWS_SOCK_INVALID) assert(0); +#if defined(LWS_USE_POLARSSL) + { + ssl_session *ssn; + int rc; + + wsi->ssl = lws_zalloc(sizeof(ssl_context)); + ssn = lws_zalloc(sizeof(ssl_session)); + + rc = ssl_init(wsi->ssl); + if (rc) { + lwsl_err("ssl_init failed\n"); + goto fail; + } + + ssl_set_endpoint(wsi->ssl, SSL_IS_SERVER); + ssl_set_authmode(wsi->ssl, SSL_VERIFY_OPTIONAL); + ssl_set_rng(wsi->ssl, urandom_bytes, NULL); + ssl_set_dbg(wsi->ssl, pssl_debug, NULL); + ssl_set_bio(wsi->ssl, net_recv, &wsi->sock, net_send, &wsi->sock); + + ssl_set_ciphersuites(wsi->ssl, ciphers); + + ssl_set_session(wsi->ssl, ssn); + + ssl_set_ca_chain(wsi->ssl, &wsi->vhost->ssl_ctx->ca, + NULL, NULL); + + ssl_set_own_cert_rsa(wsi->ssl, + &wsi->vhost->ssl_ctx->certificate, + &wsi->vhost->ssl_ctx->key); + +// ssl_set_dh_param(wsi->ssl, my_dhm_P, my_dhm_G); + + lwsl_err("%s: polarssl init done\n", __func__); + } +#else +#if defined(LWS_USE_MBEDTLS) +#else wsi->ssl = SSL_new(wsi->vhost->ssl_ctx); if (wsi->ssl == NULL) { lwsl_err("SSL_new failed: %s\n", - ERR_error_string(SSL_get_error(wsi->ssl, 0), NULL)); + ERR_error_string(lws_ssl_get_error(wsi, 0), NULL)); lws_decode_ssl_error(); if (accept_fd != LWS_SOCK_INVALID) compatible_close(accept_fd); @@ -296,6 +457,8 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) openssl_websocket_private_data_index, wsi->vhost); SSL_set_fd(wsi->ssl, accept_fd); +#endif +#endif #ifdef USE_WOLFSSL #ifdef USE_OLD_CYASSL @@ -303,6 +466,11 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) #else wolfSSL_set_using_nonblock(wsi->ssl, 1); #endif +#else +#if defined(LWS_USE_POLARSSL) + +#else +#if defined(LWS_USE_MBEDTLS) #else SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); bio = SSL_get_rbio(wsi->ssl); @@ -315,6 +483,8 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) BIO_set_nbio(bio, 1); /* nonblocking */ else lwsl_notice("NULL rbio\n"); +#endif +#endif #endif /* @@ -368,8 +538,16 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) * connection upgrade directly. */ wsi->use_ssl = 0; +#if defined(LWS_USE_POLARSSL) + ssl_close_notify(wsi->ssl); + ssl_free(wsi->ssl); +#else +#if defined(LWS_USE_MBEDTLS) +#else SSL_shutdown(wsi->ssl); SSL_free(wsi->ssl); +#endif +#endif wsi->ssl = NULL; if (lws_check_opt(context->options, LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS)) @@ -396,15 +574,21 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) } /* normal SSL connection processing path */ - +#if defined(LWS_USE_POLARSSL) + n = ssl_handshake(wsi->ssl); +#else +#if defined(LWS_USE_MBEDTLS) +#else n = SSL_accept(wsi->ssl); +#endif +#endif lws_latency(context, wsi, "SSL_accept LWSCM_SSL_ACK_PENDING\n", n, n == 1); if (n == 1) goto accepted; - m = SSL_get_error(wsi->ssl, n); + m = lws_ssl_get_error(wsi, n); lwsl_debug("SSL_accept failed %d / %s\n", m, ERR_error_string(m, NULL)); go_again: @@ -428,6 +612,10 @@ go_again: lwsl_err("SSL_accept failed skt %u: %s\n", wsi->sock, ERR_error_string(m, NULL)); +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else { char buf[256]; u_long err; @@ -437,6 +625,8 @@ go_again: lwsl_err("*** %s\n", buf); } } +#endif +#endif goto fail; accepted: @@ -461,15 +651,35 @@ fail: void lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost) { - if (vhost->ssl_ctx) + if (vhost->ssl_ctx) { +#if defined(LWS_USE_POLARSSL) + lws_free(vhost->ssl_ctx); +#else +#if defined(LWS_USE_MBEDTLS) +#else SSL_CTX_free(vhost->ssl_ctx); - if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx) +#endif +#endif + } + if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx) { +#if defined(LWS_USE_POLARSSL) + lws_free(vhost->ssl_client_ctx); +#else +#if defined(LWS_USE_MBEDTLS) +#else SSL_CTX_free(vhost->ssl_client_ctx); +#endif +#endif + } } void lws_ssl_context_destroy(struct lws_context *context) { +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL) ERR_remove_state(0); #else @@ -482,4 +692,6 @@ lws_ssl_context_destroy(struct lws_context *context) ERR_free_strings(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); +#endif +#endif } diff --git a/plugins/protocol_lws_mirror.c b/plugins/protocol_lws_mirror.c index 4b9319c4..44b82400 100644 --- a/plugins/protocol_lws_mirror.c +++ b/plugins/protocol_lws_mirror.c @@ -19,6 +19,7 @@ */ #include "../lib/libwebsockets.h" #include +#include /* lws-mirror_protocol */ diff --git a/plugins/protocol_lws_server_status.c b/plugins/protocol_lws_server_status.c index 588ada55..b9301745 100644 --- a/plugins/protocol_lws_server_status.c +++ b/plugins/protocol_lws_server_status.c @@ -19,6 +19,7 @@ */ #include "../lib/libwebsockets.h" #include +#include #define LWS_SS_VERSIONS 3 diff --git a/test-server/test-client.c b/test-server/test-client.c index aeb752ce..c21f0330 100644 --- a/test-server/test-client.c +++ b/test-server/test-client.c @@ -35,16 +35,18 @@ #include "../lib/libwebsockets.h" -#ifdef LWS_OPENSSL_SUPPORT -#include -#endif - static int deny_deflate, deny_mux, longlived, mirror_lifetime; static struct lws *wsi_dumb, *wsi_mirror; static volatile int force_exit; static unsigned int opts; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) -static char crl_path[1024] = ""; +char crl_path[1024] = ""; +#endif +#endif #endif /* @@ -133,6 +135,10 @@ callback_dumb_increment(struct lws *wsi, enum lws_callback_reasons reason, force_exit = 1; break; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if (crl_path[0]) { @@ -152,6 +158,8 @@ callback_dumb_increment(struct lws *wsi, enum lws_callback_reasons reason, } } break; +#endif +#endif #endif default: @@ -368,10 +376,16 @@ int main(int argc, char **argv) case 'A': strncpy(ca_path, optarg, sizeof ca_path); break; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) case 'R': strncpy(crl_path, optarg, sizeof crl_path); break; +#endif +#endif #endif case 'h': goto usage; @@ -431,9 +445,15 @@ int main(int argc, char **argv) */ if (ca_path[0]) info.ssl_ca_filepath = ca_path; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) else if (crl_path[0]) lwsl_notice("WARNING, providing a CRL requires a CA cert!\n"); +#endif +#endif #endif } diff --git a/test-server/test-server-http.c b/test-server/test-server-http.c index b3c1bb1d..4904e455 100644 --- a/test-server/test-server-http.c +++ b/test-server/test-server-http.c @@ -34,13 +34,15 @@ * using this protocol, including the sender */ -#ifdef LWS_OPENSSL_SUPPORT -#include -#endif - +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) /* location of the certificate revocation list */ -char crl_path[1024] = ""; +extern char crl_path[1024]; +#endif +#endif #endif extern int debug_level; @@ -629,6 +631,10 @@ bail: break; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_OPENSSL_SUPPORT) case LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION: /* Verify the client certificate */ @@ -660,6 +666,8 @@ bail: } break; #endif +#endif +#endif #endif default: diff --git a/test-server/test-server-libev.c b/test-server/test-server-libev.c index 470d103d..323c40de 100644 --- a/test-server/test-server-libev.c +++ b/test-server/test-server-libev.c @@ -30,6 +30,16 @@ struct lws_plat_file_ops fops_plat; #define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server" char *resource_path = LOCAL_RESOURCE_PATH; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else +#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) +char crl_path[1024] = ""; +#endif +#endif +#endif + /* * libev dumps their hygiene problems on their users blaming compiler * http://lists.schmorp.de/pipermail/libev/2008q4/000442.html diff --git a/test-server/test-server-libuv.c b/test-server/test-server-libuv.c index 183c2b75..8548da3b 100644 --- a/test-server/test-server-libuv.c +++ b/test-server/test-server-libuv.c @@ -31,6 +31,16 @@ struct lws_plat_file_ops fops_plat; #define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server" char *resource_path = LOCAL_RESOURCE_PATH; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else +#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) +char crl_path[1024] = ""; +#endif +#endif +#endif + /* singlethreaded version --> no locks */ void test_server_lock(int care) diff --git a/test-server/test-server-pthreads.c b/test-server/test-server-pthreads.c index 1870ae83..7e386e00 100644 --- a/test-server/test-server-pthreads.c +++ b/test-server/test-server-pthreads.c @@ -33,6 +33,16 @@ int count_pollfds; volatile int force_exit = 0; struct lws_context *context; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else +#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) +char crl_path[1024] = ""; +#endif +#endif +#endif + /* * This mutex lock protects code that changes or relies on wsi list outside of * the service thread. The service thread will acquire it when changing the diff --git a/test-server/test-server.c b/test-server/test-server.c index 76715b9f..da618ce3 100644 --- a/test-server/test-server.c +++ b/test-server/test-server.c @@ -36,6 +36,15 @@ struct lws_plat_file_ops fops_plat; /* http server gets files from this path */ #define LOCAL_RESOURCE_PATH INSTALL_DATADIR"/libwebsockets-test-server" char *resource_path = LOCAL_RESOURCE_PATH; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else +#if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param) +char crl_path[1024] = ""; +#endif +#endif +#endif /* singlethreaded version --> no locks */ @@ -269,11 +278,17 @@ int main(int argc, char **argv) use_ssl = 1; opts |= LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT; break; +#if defined(LWS_USE_POLARSSL) +#else +#if defined(LWS_USE_MBEDTLS) +#else #if defined(LWS_HAVE_SSL_CTX_set1_param) case 'R': strncpy(crl_path, optarg, sizeof crl_path); break; #endif +#endif +#endif #endif case 'h': fprintf(stderr, "Usage: test-server "