1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15
16 #include "private-lib-core.h"
17
18 #include "ssl_lib.h"
19 #include "ssl_pkey.h"
20 #include "ssl_x509.h"
21 #include "ssl_cert.h"
22 #include "ssl_dbg.h"
23 #include "ssl_port.h"
24
25 char *
26 lws_strncpy(char *dest, const char *src, size_t size);
27
28 #define SSL_SEND_DATA_MAX_LENGTH 1460
29
30 /**
31 * @brief create a new SSL session object
32 */
SSL_SESSION_new(void)33 static SSL_SESSION* SSL_SESSION_new(void)
34 {
35 SSL_SESSION *session;
36
37 session = ssl_mem_zalloc(sizeof(SSL_SESSION));
38 if (!session) {
39 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
40 goto failed1;
41 }
42
43 session->peer = X509_new();
44 if (!session->peer) {
45 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
46 goto failed2;
47 }
48
49 return session;
50
51 failed2:
52 ssl_mem_free(session);
53 failed1:
54 return NULL;
55 }
56
57 /**
58 * @brief free a new SSL session object
59 */
SSL_SESSION_free(SSL_SESSION * session)60 static void SSL_SESSION_free(SSL_SESSION *session)
61 {
62 X509_free(session->peer);
63 ssl_mem_free(session);
64 }
65
66 /**
67 * @brief Discover whether the current connection is in the error state
68 */
ossl_statem_in_error(const SSL * ssl)69 int ossl_statem_in_error(const SSL *ssl)
70 {
71 SSL_ASSERT1(ssl);
72
73 if (ssl->statem.state == MSG_FLOW_ERROR)
74 return 1;
75
76 return 0;
77 }
78
79 /**
80 * @brief get the SSL specifical statement
81 */
SSL_want(const SSL * ssl)82 int SSL_want(const SSL *ssl)
83 {
84 SSL_ASSERT1(ssl);
85
86 return ssl->rwstate;
87 }
88
89 /**
90 * @brief check if SSL want nothing
91 */
SSL_want_nothing(const SSL * ssl)92 int SSL_want_nothing(const SSL *ssl)
93 {
94 SSL_ASSERT1(ssl);
95
96 if (ssl->err)
97 return 1;
98
99 return (SSL_want(ssl) == SSL_NOTHING);
100 }
101
102 /**
103 * @brief check if SSL want to read
104 */
SSL_want_read(const SSL * ssl)105 int SSL_want_read(const SSL *ssl)
106 {
107 SSL_ASSERT1(ssl);
108
109 if (ssl->err)
110 return 0;
111
112 return (SSL_want(ssl) == SSL_READING);
113 }
114
115 /**
116 * @brief check if SSL want to write
117 */
SSL_want_write(const SSL * ssl)118 int SSL_want_write(const SSL *ssl)
119 {
120 SSL_ASSERT1(ssl);
121
122 if (ssl->err)
123 return 0;
124
125 return (SSL_want(ssl) == SSL_WRITING);
126 }
127
128 /**
129 * @brief check if SSL want to lookup X509 certification
130 */
SSL_want_x509_lookup(const SSL * ssl)131 int SSL_want_x509_lookup(const SSL *ssl)
132 {
133 SSL_ASSERT1(ssl);
134
135 return (SSL_want(ssl) == SSL_WRITING);
136 }
137
138 /**
139 * @brief get SSL error code
140 */
SSL_get_error(const SSL * ssl,int ret_code)141 int SSL_get_error(const SSL *ssl, int ret_code)
142 {
143 int ret = SSL_ERROR_SYSCALL;
144
145 SSL_ASSERT1(ssl);
146
147 if (ret_code > 0)
148 ret = SSL_ERROR_NONE;
149 else if (ret_code < 0)
150 {
151 if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl))
152 ret = SSL_ERROR_WANT_READ;
153 else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl))
154 ret = SSL_ERROR_WANT_WRITE;
155 else
156 ret = SSL_ERROR_SYSCALL; //unknown
157 }
158 else // ret_code == 0
159 {
160 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
161 ret = SSL_ERROR_ZERO_RETURN;
162 else
163 ret = SSL_ERROR_SYSCALL;
164 }
165
166 return ret;
167 }
168
169 /**
170 * @brief get the SSL state
171 */
SSL_get_state(const SSL * ssl)172 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
173 {
174 OSSL_HANDSHAKE_STATE state;
175
176 SSL_ASSERT1(ssl);
177
178 state = SSL_METHOD_CALL(get_state, ssl);
179
180 return state;
181 }
182
183 const char *mbedtls_client_preload_filepath;
184
185 /**
186 * @brief create a SSL context
187 */
SSL_CTX_new(const SSL_METHOD * method,void * rngctx)188 SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx)
189 {
190 SSL_CTX *ctx;
191 CERT *cert;
192 X509 *client_ca;
193 #if defined(LWS_HAVE_mbedtls_x509_crt_parse_file)
194 int n;
195 #endif
196
197 if (!method) {
198 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
199 return NULL;
200 }
201
202 client_ca = X509_new();
203 if (!client_ca) {
204 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
205 goto failed1;
206 }
207
208 cert = ssl_cert_new(rngctx);
209 if (!cert) {
210 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
211 goto failed2;
212 }
213
214 ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
215 if (!ctx) {
216 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
217 goto failed3;
218 }
219
220 ctx->method = method;
221 ctx->client_CA = client_ca;
222 ctx->cert = cert;
223 ctx->rngctx = rngctx;
224
225 ctx->version = method->version;
226
227 #if defined(LWS_HAVE_mbedtls_x509_crt_parse_file)
228 if (mbedtls_client_preload_filepath) {
229 mbedtls_x509_crt **px = (mbedtls_x509_crt **)ctx->client_CA->x509_pm;
230
231 *px = malloc(sizeof(**px));
232 mbedtls_x509_crt_init(*px);
233 n = mbedtls_x509_crt_parse_file(*px, mbedtls_client_preload_filepath);
234 if (n < 0)
235 lwsl_err("%s: unable to load cert bundle 0x%x\n", __func__, -n);
236 else
237 lwsl_info("%s: loaded cert bundle %d\n", __func__, n);
238 }
239 #endif
240
241 return ctx;
242
243 failed3:
244 ssl_cert_free(cert);
245 failed2:
246 X509_free(client_ca);
247 failed1:
248 return NULL;
249 }
250
251 /**
252 * @brief free a SSL context
253 */
SSL_CTX_free(SSL_CTX * ctx)254 void SSL_CTX_free(SSL_CTX* ctx)
255 {
256 SSL_ASSERT3(ctx);
257
258 ssl_cert_free(ctx->cert);
259
260 X509_free(ctx->client_CA);
261
262 if (ctx->alpn_protos) {
263 ssl_mem_free((void *)ctx->alpn_protos);
264 ctx->alpn_protos = NULL;
265 }
266
267 ssl_mem_free(ctx);
268 }
269
270 /**
271 * @brief set the SSL context version
272 */
SSL_CTX_set_ssl_version(SSL_CTX * ctx,const SSL_METHOD * meth)273 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
274 {
275 SSL_ASSERT1(ctx);
276 SSL_ASSERT1(meth);
277
278 ctx->method = meth;
279
280 ctx->version = meth->version;
281
282 return 1;
283 }
284
285 /**
286 * @brief get the SSL context current method
287 */
SSL_CTX_get_ssl_method(SSL_CTX * ctx)288 const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
289 {
290 SSL_ASSERT2(ctx);
291
292 return ctx->method;
293 }
294
295 /**
296 * @brief create a SSL
297 */
SSL_new(SSL_CTX * ctx)298 SSL *SSL_new(SSL_CTX *ctx)
299 {
300 int ret = 0;
301 SSL *ssl;
302
303 if (!ctx) {
304 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
305 return NULL;
306 }
307
308 ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
309 if (!ssl) {
310 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
311 goto failed1;
312 }
313
314 ssl->session = SSL_SESSION_new();
315 if (!ssl->session) {
316 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
317 goto failed2;
318 }
319
320 ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx);
321 if (!ssl->cert) {
322 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
323 goto failed3;
324 }
325
326 ssl->client_CA = __X509_new(ctx->client_CA);
327 if (!ssl->client_CA) {
328 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
329 goto failed4;
330 }
331
332 ssl->ctx = ctx;
333 ssl->method = ctx->method;
334
335 ssl->version = ctx->version;
336 ssl->options = ctx->options;
337
338 ssl->verify_mode = ctx->verify_mode;
339
340 ret = SSL_METHOD_CALL(new, ssl);
341 if (ret) {
342 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
343 goto failed5;
344 }
345
346 _ssl_set_alpn_list(ssl);
347
348 ssl->rwstate = SSL_NOTHING;
349
350 return ssl;
351
352 failed5:
353 X509_free(ssl->client_CA);
354 failed4:
355 ssl_cert_free(ssl->cert);
356 failed3:
357 SSL_SESSION_free(ssl->session);
358 failed2:
359 ssl_mem_free(ssl);
360 failed1:
361 return NULL;
362 }
363
364 /**
365 * @brief free the SSL
366 */
SSL_free(SSL * ssl)367 void SSL_free(SSL *ssl)
368 {
369 SSL_ASSERT3(ssl);
370
371 SSL_METHOD_CALL(free, ssl);
372
373 X509_free(ssl->client_CA);
374
375 ssl_cert_free(ssl->cert);
376
377 SSL_SESSION_free(ssl->session);
378
379 if (ssl->alpn_protos) {
380 ssl_mem_free((void *)ssl->alpn_protos);
381 ssl->alpn_protos = NULL;
382 }
383
384 ssl_mem_free(ssl);
385 }
386
387 /**
388 * @brief perform the SSL handshake
389 */
SSL_do_handshake(SSL * ssl)390 int SSL_do_handshake(SSL *ssl)
391 {
392 int ret;
393
394 SSL_ASSERT1(ssl);
395
396 ret = SSL_METHOD_CALL(handshake, ssl);
397
398 return ret;
399 }
400
401 /**
402 * @brief connect to the remote SSL server
403 */
SSL_connect(SSL * ssl)404 int SSL_connect(SSL *ssl)
405 {
406 SSL_ASSERT1(ssl);
407
408 return SSL_do_handshake(ssl);
409 }
410
411 /**
412 * @brief accept the remote connection
413 */
SSL_accept(SSL * ssl)414 int SSL_accept(SSL *ssl)
415 {
416 SSL_ASSERT1(ssl);
417
418 return SSL_do_handshake(ssl);
419 }
420
421 /**
422 * @brief shutdown the connection
423 */
SSL_shutdown(SSL * ssl)424 int SSL_shutdown(SSL *ssl)
425 {
426 int ret;
427
428 SSL_ASSERT1(ssl);
429
430 if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
431
432 ret = SSL_METHOD_CALL(shutdown, ssl);
433
434 return ret;
435 }
436
437 /**
438 * @brief reset the SSL
439 */
SSL_clear(SSL * ssl)440 int SSL_clear(SSL *ssl)
441 {
442 int ret;
443
444 SSL_ASSERT1(ssl);
445
446 ret = SSL_shutdown(ssl);
447 if (1 != ret) {
448 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
449 goto failed1;
450 }
451
452 SSL_METHOD_CALL(free, ssl);
453
454 ret = SSL_METHOD_CALL(new, ssl);
455 if (!ret) {
456 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
457 goto failed1;
458 }
459
460 return 1;
461
462 failed1:
463 return ret;
464 }
465
466 /**
467 * @brief read data from to remote
468 */
SSL_read(SSL * ssl,void * buffer,int len)469 int SSL_read(SSL *ssl, void *buffer, int len)
470 {
471 int ret;
472
473 SSL_ASSERT1(ssl);
474 SSL_ASSERT1(buffer);
475 SSL_ASSERT1(len);
476
477 ssl->rwstate = SSL_READING;
478
479 ret = SSL_METHOD_CALL(read, ssl, buffer, len);
480
481 if (ret == len)
482 ssl->rwstate = SSL_NOTHING;
483
484 return ret;
485 }
486
487 /**
488 * @brief send the data to remote
489 */
SSL_write(SSL * ssl,const void * buffer,int len)490 int SSL_write(SSL *ssl, const void *buffer, int len)
491 {
492 int ret;
493 int send_bytes, bytes;
494 const unsigned char *pbuf;
495
496 SSL_ASSERT1(ssl);
497 SSL_ASSERT1(buffer);
498 SSL_ASSERT1(len);
499
500 ssl->rwstate = SSL_WRITING;
501
502 send_bytes = len;
503 pbuf = (const unsigned char *)buffer;
504
505 do {
506 if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
507 bytes = SSL_SEND_DATA_MAX_LENGTH;
508 else
509 bytes = send_bytes;
510
511 if (ssl->interrupted_remaining_write) {
512 bytes = ssl->interrupted_remaining_write;
513 ssl->interrupted_remaining_write = 0;
514 }
515
516 ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
517 //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes);
518 /* the return is a NEGATIVE OpenSSL error code, or the length sent */
519 if (ret > 0) {
520 pbuf += ret;
521 send_bytes -= ret;
522 } else
523 ssl->interrupted_remaining_write = bytes;
524 } while (ret > 0 && send_bytes && ret == bytes);
525
526 if (ret >= 0) {
527 ret = len - send_bytes;
528 if (!ret)
529 ssl->rwstate = SSL_NOTHING;
530 } else {
531 if (send_bytes == len)
532 ret = -1;
533 else
534 ret = len - send_bytes;
535 }
536
537 return ret;
538 }
539
540 /**
541 * @brief get SSL context of the SSL
542 */
SSL_get_SSL_CTX(const SSL * ssl)543 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
544 {
545 SSL_ASSERT2(ssl);
546
547 return ssl->ctx;
548 }
549
550 /**
551 * @brief get the SSL current method
552 */
SSL_get_ssl_method(SSL * ssl)553 const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
554 {
555 SSL_ASSERT2(ssl);
556
557 return ssl->method;
558 }
559
560 /**
561 * @brief set the SSL method
562 */
SSL_set_ssl_method(SSL * ssl,const SSL_METHOD * method)563 int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
564 {
565 int ret;
566
567 SSL_ASSERT1(ssl);
568 SSL_ASSERT1(method);
569
570 if (ssl->version != method->version) {
571
572 ret = SSL_shutdown(ssl);
573 if (1 != ret) {
574 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
575 goto failed1;
576 }
577
578 SSL_METHOD_CALL(free, ssl);
579
580 ssl->method = method;
581
582 ret = SSL_METHOD_CALL(new, ssl);
583 if (!ret) {
584 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
585 goto failed1;
586 }
587 } else {
588 ssl->method = method;
589 }
590
591
592 return 1;
593
594 failed1:
595 return ret;
596 }
597
598 /**
599 * @brief get SSL shutdown mode
600 */
SSL_get_shutdown(const SSL * ssl)601 int SSL_get_shutdown(const SSL *ssl)
602 {
603 SSL_ASSERT1(ssl);
604
605 return ssl->shutdown;
606 }
607
608 /**
609 * @brief set SSL shutdown mode
610 */
SSL_set_shutdown(SSL * ssl,int mode)611 void SSL_set_shutdown(SSL *ssl, int mode)
612 {
613 SSL_ASSERT3(ssl);
614
615 ssl->shutdown = mode;
616 }
617
618
619 /**
620 * @brief get the number of the bytes to be read
621 */
SSL_pending(const SSL * ssl)622 int SSL_pending(const SSL *ssl)
623 {
624 int ret;
625
626 SSL_ASSERT1(ssl);
627
628 ret = SSL_METHOD_CALL(pending, ssl);
629
630 return ret;
631 }
632
633 /**
634 * @brief check if some data can be read
635 */
SSL_has_pending(const SSL * ssl)636 int SSL_has_pending(const SSL *ssl)
637 {
638 int ret;
639
640 SSL_ASSERT1(ssl);
641
642 if (SSL_pending(ssl))
643 ret = 1;
644 else
645 ret = 0;
646
647 return ret;
648 }
649
650 /**
651 * @brief clear the SSL context option bit of "op"
652 */
SSL_CTX_clear_options(SSL_CTX * ctx,unsigned long op)653 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
654 {
655 SSL_ASSERT1(ctx);
656
657 return ctx->options &= ~op;
658 }
659
660 /**
661 * @brief get the SSL context option
662 */
SSL_CTX_get_options(SSL_CTX * ctx)663 unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
664 {
665 SSL_ASSERT1(ctx);
666
667 return ctx->options;
668 }
669
670 /**
671 * @brief set the option of the SSL context
672 */
SSL_CTX_set_options(SSL_CTX * ctx,unsigned long opt)673 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
674 {
675 SSL_ASSERT1(ctx);
676
677 return ctx->options |= opt;
678 }
679
680 /**
681 * @brief clear SSL option
682 */
SSL_clear_options(SSL * ssl,unsigned long op)683 unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
684 {
685 SSL_ASSERT1(ssl);
686
687 return ssl->options & ~op;
688 }
689
690 /**
691 * @brief get SSL option
692 */
SSL_get_options(SSL * ssl)693 unsigned long SSL_get_options(SSL *ssl)
694 {
695 SSL_ASSERT1(ssl);
696
697 return ssl->options;
698 }
699
700 /**
701 * @brief clear SSL option
702 */
SSL_set_options(SSL * ssl,unsigned long op)703 unsigned long SSL_set_options(SSL *ssl, unsigned long op)
704 {
705 SSL_ASSERT1(ssl);
706
707 return ssl->options |= op;
708 }
709
710 /**
711 * @brief get the socket handle of the SSL
712 */
SSL_get_fd(const SSL * ssl)713 int SSL_get_fd(const SSL *ssl)
714 {
715 int ret;
716
717 SSL_ASSERT1(ssl);
718
719 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
720
721 return ret;
722 }
723
724 /**
725 * @brief get the read only socket handle of the SSL
726 */
SSL_get_rfd(const SSL * ssl)727 int SSL_get_rfd(const SSL *ssl)
728 {
729 int ret;
730
731 SSL_ASSERT1(ssl);
732
733 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
734
735 return ret;
736 }
737
738 /**
739 * @brief get the write only socket handle of the SSL
740 */
SSL_get_wfd(const SSL * ssl)741 int SSL_get_wfd(const SSL *ssl)
742 {
743 int ret;
744
745 SSL_ASSERT1(ssl);
746
747 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
748
749 return ret;
750 }
751
752 /**
753 * @brief bind the socket file description into the SSL
754 */
SSL_set_fd(SSL * ssl,int fd)755 int SSL_set_fd(SSL *ssl, int fd)
756 {
757 SSL_ASSERT1(ssl);
758 SSL_ASSERT1(fd >= 0);
759
760 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
761
762 return 1;
763 }
764
765 /**
766 * @brief bind the read only socket file description into the SSL
767 */
SSL_set_rfd(SSL * ssl,int fd)768 int SSL_set_rfd(SSL *ssl, int fd)
769 {
770 SSL_ASSERT1(ssl);
771 SSL_ASSERT1(fd >= 0);
772
773 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
774
775 return 1;
776 }
777
778 /**
779 * @brief bind the write only socket file description into the SSL
780 */
SSL_set_wfd(SSL * ssl,int fd)781 int SSL_set_wfd(SSL *ssl, int fd)
782 {
783 SSL_ASSERT1(ssl);
784 SSL_ASSERT1(fd >= 0);
785
786 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
787
788 return 1;
789 }
790
791 /**
792 * @brief get SSL version
793 */
SSL_version(const SSL * ssl)794 int SSL_version(const SSL *ssl)
795 {
796 SSL_ASSERT1(ssl);
797
798 return ssl->version;
799 }
800
801 /**
802 * @brief get the SSL version string
803 */
ssl_protocol_to_string(int version)804 static const char* ssl_protocol_to_string(int version)
805 {
806 const char *str;
807
808 if (version == TLS1_2_VERSION)
809 str = "TLSv1.2";
810 else if (version == TLS1_1_VERSION)
811 str = "TLSv1.1";
812 else if (version == TLS1_VERSION)
813 str = "TLSv1";
814 else if (version == SSL3_VERSION)
815 str = "SSLv3";
816 else
817 str = "unknown";
818
819 return str;
820 }
821
822 /**
823 * @brief get the SSL current version
824 */
SSL_get_version(const SSL * ssl)825 const char *SSL_get_version(const SSL *ssl)
826 {
827 SSL_ASSERT2(ssl);
828
829 return ssl_protocol_to_string(SSL_version(ssl));
830 }
831
832 /**
833 * @brief get alert type string
834 */
SSL_alert_type_string(int value)835 const char *SSL_alert_type_string(int value)
836 {
837 const char *str;
838
839 switch (value >> 8)
840 {
841 case SSL3_AL_WARNING:
842 str = "W";
843 break;
844 case SSL3_AL_FATAL:
845 str = "F";
846 break;
847 default:
848 str = "U";
849 break;
850 }
851
852 return str;
853 }
854
855 /**
856 * @brief set the SSL context read buffer length
857 */
SSL_CTX_set_default_read_buffer_len(SSL_CTX * ctx,size_t len)858 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
859 {
860 SSL_ASSERT3(ctx);
861
862 ctx->read_buffer_len = (int)len;
863 }
864
865 /**
866 * @brief set the SSL read buffer length
867 */
SSL_set_default_read_buffer_len(SSL * ssl,size_t len)868 void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
869 {
870 SSL_ASSERT3(ssl);
871 SSL_ASSERT3(len);
872
873 SSL_METHOD_CALL(set_bufflen, ssl, (int)len);
874 }
875
876 /**
877 * @brief set the SSL information callback function
878 */
SSL_set_info_callback(SSL * ssl,void (* cb)(const SSL * ssl,int type,int val))879 void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
880 {
881 SSL_ASSERT3(ssl);
882
883 ssl->info_callback = cb;
884 }
885
886 /**
887 * @brief add SSL context reference count by '1'
888 */
SSL_CTX_up_ref(SSL_CTX * ctx)889 int SSL_CTX_up_ref(SSL_CTX *ctx)
890 {
891 SSL_ASSERT1(ctx);
892
893 /**
894 * no support multi-thread SSL here
895 */
896 ctx->references++;
897
898 return 1;
899 }
900
901 /**
902 * @brief set the SSL security level
903 */
SSL_set_security_level(SSL * ssl,int level)904 void SSL_set_security_level(SSL *ssl, int level)
905 {
906 SSL_ASSERT3(ssl);
907
908 ssl->cert->sec_level = level;
909 }
910
911 /**
912 * @brief get the SSL security level
913 */
SSL_get_security_level(const SSL * ssl)914 int SSL_get_security_level(const SSL *ssl)
915 {
916 SSL_ASSERT1(ssl);
917
918 return ssl->cert->sec_level;
919 }
920
921 /**
922 * @brief get the SSL verifying mode of the SSL context
923 */
SSL_CTX_get_verify_mode(const SSL_CTX * ctx)924 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
925 {
926 SSL_ASSERT1(ctx);
927
928 return ctx->verify_mode;
929 }
930
931 /**
932 * @brief set the session timeout time
933 */
SSL_CTX_set_timeout(SSL_CTX * ctx,long t)934 long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
935 {
936 long l;
937
938 SSL_ASSERT1(ctx);
939
940 l = ctx->session_timeout;
941 ctx->session_timeout = t;
942
943 return l;
944 }
945
946 /**
947 * @brief get the session timeout time
948 */
SSL_CTX_get_timeout(const SSL_CTX * ctx)949 long SSL_CTX_get_timeout(const SSL_CTX *ctx)
950 {
951 SSL_ASSERT1(ctx);
952
953 return ctx->session_timeout;
954 }
955
956 /**
957 * @brief set the SSL if we can read as many as data
958 */
SSL_set_read_ahead(SSL * ssl,int yes)959 void SSL_set_read_ahead(SSL *ssl, int yes)
960 {
961 SSL_ASSERT3(ssl);
962
963 ssl->rlayer.read_ahead = yes;
964 }
965
966 /**
967 * @brief set the SSL context if we can read as many as data
968 */
SSL_CTX_set_read_ahead(SSL_CTX * ctx,int yes)969 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
970 {
971 SSL_ASSERT3(ctx);
972
973 ctx->read_ahead = yes;
974 }
975
976 /**
977 * @brief get the SSL ahead signal if we can read as many as data
978 */
SSL_get_read_ahead(const SSL * ssl)979 int SSL_get_read_ahead(const SSL *ssl)
980 {
981 SSL_ASSERT1(ssl);
982
983 return ssl->rlayer.read_ahead;
984 }
985
986 /**
987 * @brief get the SSL context ahead signal if we can read as many as data
988 */
SSL_CTX_get_read_ahead(SSL_CTX * ctx)989 long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
990 {
991 SSL_ASSERT1(ctx);
992
993 return ctx->read_ahead;
994 }
995
996 /**
997 * @brief check if the SSL context can read as many as data
998 */
SSL_CTX_get_default_read_ahead(SSL_CTX * ctx)999 long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
1000 {
1001 SSL_ASSERT1(ctx);
1002
1003 return ctx->read_ahead;
1004 }
1005
1006 /**
1007 * @brief set SSL session time
1008 */
SSL_set_time(SSL * ssl,long t)1009 long SSL_set_time(SSL *ssl, long t)
1010 {
1011 SSL_ASSERT1(ssl);
1012
1013 ssl->session->time = t;
1014
1015 return t;
1016 }
1017
1018 /**
1019 * @brief set SSL session timeout time
1020 */
SSL_set_timeout(SSL * ssl,long t)1021 long SSL_set_timeout(SSL *ssl, long t)
1022 {
1023 SSL_ASSERT1(ssl);
1024
1025 ssl->session->timeout = t;
1026
1027 return t;
1028 }
1029
1030 /**
1031 * @brief get the verifying result of the SSL certification
1032 */
SSL_get_verify_result(const SSL * ssl)1033 long SSL_get_verify_result(const SSL *ssl)
1034 {
1035 SSL_ASSERT1(ssl);
1036
1037 return SSL_METHOD_CALL(get_verify_result, ssl);
1038 }
1039
1040 /**
1041 * @brief get the SSL verifying depth of the SSL context
1042 */
SSL_CTX_get_verify_depth(const SSL_CTX * ctx)1043 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1044 {
1045 SSL_ASSERT1(ctx);
1046
1047 return ctx->param.depth;
1048 }
1049
1050 /**
1051 * @brief set the SSL verify depth of the SSL context
1052 */
SSL_CTX_set_verify_depth(SSL_CTX * ctx,int depth)1053 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
1054 {
1055 SSL_ASSERT3(ctx);
1056
1057 ctx->param.depth = depth;
1058 }
1059
1060 /**
1061 * @brief get the SSL verifying depth of the SSL
1062 */
SSL_get_verify_depth(const SSL * ssl)1063 int SSL_get_verify_depth(const SSL *ssl)
1064 {
1065 SSL_ASSERT1(ssl);
1066
1067 return ssl->param.depth;
1068 }
1069
1070 /**
1071 * @brief set the SSL verify depth of the SSL
1072 */
SSL_set_verify_depth(SSL * ssl,int depth)1073 void SSL_set_verify_depth(SSL *ssl, int depth)
1074 {
1075 SSL_ASSERT3(ssl);
1076
1077 ssl->param.depth = depth;
1078 }
1079
1080 /**
1081 * @brief set the SSL context verifying of the SSL context
1082 */
SSL_CTX_set_verify(SSL_CTX * ctx,int mode,int (* verify_callback)(SSL *,mbedtls_x509_crt *))1083 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(SSL *, mbedtls_x509_crt *))
1084 {
1085 SSL_ASSERT3(ctx);
1086
1087 ctx->verify_mode = mode;
1088 ctx->default_verify_callback = verify_callback;
1089 }
1090
1091 /**
1092 * @brief set the SSL verifying of the SSL context
1093 */
SSL_set_verify(SSL * ssl,int mode,int (* verify_callback)(SSL *,mbedtls_x509_crt *))1094 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(SSL *, mbedtls_x509_crt *))
1095 {
1096 SSL_ASSERT3(ssl);
1097
1098 ssl->verify_mode = mode;
1099 ssl->verify_callback = verify_callback;
1100 }
1101
ERR_error_string_n(unsigned long e,char * buf,size_t len)1102 void ERR_error_string_n(unsigned long e, char *buf, size_t len)
1103 {
1104 lws_strncpy(buf, "unknown", len);
1105 }
1106
ERR_free_strings(void)1107 void ERR_free_strings(void)
1108 {
1109 }
1110
ERR_error_string(unsigned long e,char * buf)1111 char *ERR_error_string(unsigned long e, char *buf)
1112 {
1113 if (!buf)
1114 return "unknown";
1115
1116 switch(e) {
1117 case X509_V_ERR_INVALID_CA:
1118 strcpy(buf, "CA is not trusted");
1119 break;
1120 case X509_V_ERR_HOSTNAME_MISMATCH:
1121 strcpy(buf, "Hostname mismatch");
1122 break;
1123 case X509_V_ERR_CA_KEY_TOO_SMALL:
1124 strcpy(buf, "CA key too small");
1125 break;
1126 case X509_V_ERR_CA_MD_TOO_WEAK:
1127 strcpy(buf, "MD key too weak");
1128 break;
1129 case X509_V_ERR_CERT_NOT_YET_VALID:
1130 strcpy(buf, "Cert from the future");
1131 break;
1132 case X509_V_ERR_CERT_HAS_EXPIRED:
1133 strcpy(buf, "Cert expired");
1134 break;
1135 default:
1136 strcpy(buf, "unknown");
1137 break;
1138 }
1139
1140 return buf;
1141 }
1142
SSL_CTX_get_ex_data(const SSL_CTX * ctx,int idx)1143 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
1144 {
1145 return NULL;
1146 }
1147
1148 /*
1149 * Openssl wants the valid protocol names supplied like this:
1150 *
1151 * (unsigned char *)"\x02h2\x08http/1.1", 6 + 9
1152 *
1153 * Mbedtls wants this:
1154 *
1155 * Pointer to a NULL-terminated list of supported protocols, in decreasing
1156 * preference order. The pointer to the list is recorded by the library for
1157 * later reference as required, so the lifetime of the table must be at least
1158 * as long as the lifetime of the SSL configuration structure.
1159 *
1160 * So accept the OpenSSL style and convert to mbedtls style
1161 */
1162
1163
1164 static void
_openssl_alpn_to_mbedtls(struct alpn_ctx * ac,char *** palpn_protos)1165 _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)
1166 {
1167 unsigned char *p = ac->data, *q;
1168 unsigned char len;
1169 char **alpn_protos;
1170 int count = 0;
1171
1172 /* find out how many entries he gave us */
1173
1174 if (ac->len) {
1175 len = *p++;
1176 if (len)
1177 count++;
1178 while (p - ac->data < ac->len) {
1179 if (len--) {
1180 p++;
1181 continue;
1182 }
1183 len = *p++;
1184 if (!len)
1185 break;
1186 count++;
1187 }
1188 }
1189
1190 if (!count)
1191 return;
1192
1193 /* allocate space for count + 1 pointers and the data afterwards */
1194
1195 alpn_protos = ssl_mem_zalloc((unsigned int)(count + 1) * sizeof(char *) + ac->len + 1);
1196 if (!alpn_protos)
1197 return;
1198
1199 *palpn_protos = alpn_protos;
1200
1201 /* convert to mbedtls format */
1202
1203 q = (unsigned char *)alpn_protos + (unsigned int)(count + 1) * sizeof(char *);
1204 p = ac->data;
1205 count = 0;
1206
1207 len = *p++;
1208 alpn_protos[count] = (char *)q;
1209 while (p - ac->data < ac->len) {
1210 if (len--) {
1211 *q++ = *p++;
1212 continue;
1213 }
1214 *q++ = '\0';
1215 count++;
1216 len = *p++;
1217 alpn_protos[count] = (char *)q;
1218 if (!len)
1219 break;
1220 }
1221 if (!len) {
1222 *q++ = '\0';
1223 count++;
1224 /* len = *p++; */
1225 alpn_protos[count] = (char *)q;
1226 }
1227 alpn_protos[count] = NULL; /* last pointer ends list with NULL */
1228 }
1229
SSL_CTX_set_alpn_select_cb(SSL_CTX * ctx,next_proto_cb cb,void * arg)1230 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg)
1231 {
1232 struct alpn_ctx *ac = arg;
1233
1234 ctx->alpn_cb = cb;
1235
1236 _openssl_alpn_to_mbedtls(ac, (char ***)&ctx->alpn_protos);
1237 }
1238
SSL_set_alpn_select_cb(SSL * ssl,void * arg)1239 void SSL_set_alpn_select_cb(SSL *ssl, void *arg)
1240 {
1241 struct alpn_ctx *ac = arg;
1242
1243 _openssl_alpn_to_mbedtls(ac, (char ***)&ssl->alpn_protos);
1244
1245 _ssl_set_alpn_list(ssl);
1246 }
1247