1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 */
24
25 #include "private-lib-core.h"
26 #include "private-lib-tls-mbedtls.h"
27
28 void
lws_ssl_destroy(struct lws_vhost * vhost)29 lws_ssl_destroy(struct lws_vhost *vhost)
30 {
31 if (!lws_check_opt(vhost->context->options,
32 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
33 return;
34
35 if (vhost->tls.ssl_ctx)
36 SSL_CTX_free(vhost->tls.ssl_ctx);
37 if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
38 SSL_CTX_free(vhost->tls.ssl_client_ctx);
39
40 if (vhost->tls.x509_client_CA)
41 X509_free(vhost->tls.x509_client_CA);
42 }
43
44 int
lws_ssl_capable_read(struct lws * wsi,unsigned char * buf,size_t len)45 lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, size_t len)
46 {
47 struct lws_context *context = wsi->a.context;
48 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
49 int n = 0, m;
50
51 if (!wsi->tls.ssl)
52 return lws_ssl_capable_read_no_ssl(wsi, buf, len);
53
54 errno = 0;
55 n = SSL_read(wsi->tls.ssl, buf, (int)len);
56 #if defined(LWS_PLAT_FREERTOS)
57 if (!n && errno == LWS_ENOTCONN) {
58 lwsl_debug("%s: SSL_read ENOTCONN\n", lws_wsi_tag(wsi));
59 return LWS_SSL_CAPABLE_ERROR;
60 }
61 #endif
62
63 lwsl_debug("%s: %s: SSL_read says %d\n", __func__, lws_wsi_tag(wsi), n);
64 /* manpage: returning 0 means connection shut down */
65 if (!n) {
66 wsi->socket_is_permanently_unusable = 1;
67
68 return LWS_SSL_CAPABLE_ERROR;
69 }
70
71 if (n < 0) {
72 m = SSL_get_error(wsi->tls.ssl, n);
73 lwsl_debug("%s: %s: ssl err %d errno %d\n", __func__, lws_wsi_tag(wsi), m, errno);
74 if (errno == LWS_ENOTCONN)
75 /* If the socket isn't connected anymore, bail out. */
76 goto do_err1;
77
78 #if defined(LWS_PLAT_FREERTOS)
79 if (errno == LWS_ECONNABORTED)
80 goto do_err1;
81 #endif
82
83 if (m == SSL_ERROR_ZERO_RETURN ||
84 m == SSL_ERROR_SYSCALL)
85 goto do_err;
86
87 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
88 lwsl_debug("%s: WANT_READ\n", __func__);
89 lwsl_debug("%s: LWS_SSL_CAPABLE_MORE_SERVICE\n", lws_wsi_tag(wsi));
90 return LWS_SSL_CAPABLE_MORE_SERVICE;
91 }
92 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
93 lwsl_info("%s: WANT_WRITE\n", __func__);
94 lwsl_debug("%s: LWS_SSL_CAPABLE_MORE_SERVICE\n", lws_wsi_tag(wsi));
95 wsi->tls_read_wanted_write = 1;
96 lws_callback_on_writable(wsi);
97 return LWS_SSL_CAPABLE_MORE_SERVICE;
98 }
99
100 do_err1:
101 wsi->socket_is_permanently_unusable = 1;
102
103 do_err:
104 #if defined(LWS_WITH_SYS_METRICS)
105 if (wsi->a.vhost)
106 lws_metric_event(wsi->a.vhost->mt_traffic_rx, METRES_NOGO, 0);
107 #endif
108
109 return LWS_SSL_CAPABLE_ERROR;
110 }
111
112 #if defined(LWS_TLS_LOG_PLAINTEXT_RX)
113 /*
114 * If using mbedtls type tls library, this is the earliest point for all
115 * paths to dump what was received as decrypted data from the tls tunnel
116 */
117 lwsl_notice("%s: len %d\n", __func__, n);
118 lwsl_hexdump_notice(buf, (size_t)n);
119 #endif
120
121 #if defined(LWS_WITH_SYS_METRICS)
122 if (wsi->a.vhost)
123 lws_metric_event(wsi->a.vhost->mt_traffic_rx,
124 METRES_GO /* rx */, (u_mt_t)n);
125 #endif
126
127 /*
128 * if it was our buffer that limited what we read,
129 * check if SSL has additional data pending inside SSL buffers.
130 *
131 * Because these won't signal at the network layer with POLLIN
132 * and if we don't realize, this data will sit there forever
133 */
134 if (n != (int)len)
135 goto bail;
136 if (!wsi->tls.ssl)
137 goto bail;
138
139 if (SSL_pending(wsi->tls.ssl)) {
140 if (lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
141 lws_dll2_add_head(&wsi->tls.dll_pending_tls,
142 &pt->tls.dll_pending_tls_owner);
143 } else
144 __lws_ssl_remove_wsi_from_buffered_list(wsi);
145
146 return n;
147 bail:
148 lws_ssl_remove_wsi_from_buffered_list(wsi);
149
150 return n;
151 }
152
153 int
lws_ssl_pending(struct lws * wsi)154 lws_ssl_pending(struct lws *wsi)
155 {
156 if (!wsi->tls.ssl)
157 return 0;
158
159 return SSL_pending(wsi->tls.ssl);
160 }
161
162 int
lws_ssl_capable_write(struct lws * wsi,unsigned char * buf,size_t len)163 lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, size_t len)
164 {
165 int n, m;
166
167 #if defined(LWS_TLS_LOG_PLAINTEXT_TX)
168 /*
169 * If using mbedtls type tls library, this is the last point for all
170 * paths before sending data into the tls tunnel, where you can dump it
171 * and see what is being sent.
172 */
173 lwsl_notice("%s: len %d\n", __func__, (int)len);
174 lwsl_hexdump_notice(buf, len);
175 #endif
176
177 if (!wsi->tls.ssl)
178 return lws_ssl_capable_write_no_ssl(wsi, buf, len);
179
180 n = SSL_write(wsi->tls.ssl, buf, (int)len);
181 if (n > 0) {
182 #if defined(LWS_WITH_SYS_METRICS)
183 if (wsi->a.vhost)
184 lws_metric_event(wsi->a.vhost->mt_traffic_tx,
185 METRES_GO, (u_mt_t)n);
186 #endif
187 return n;
188 }
189
190 m = SSL_get_error(wsi->tls.ssl, n);
191 if (m != SSL_ERROR_SYSCALL) {
192 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
193 lwsl_notice("%s: want read\n", __func__);
194
195 return LWS_SSL_CAPABLE_MORE_SERVICE;
196 }
197
198 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
199 lws_set_blocking_send(wsi);
200 lwsl_debug("%s: want write\n", __func__);
201
202 return LWS_SSL_CAPABLE_MORE_SERVICE;
203 }
204 }
205
206 lwsl_debug("%s failed: %d\n",__func__, m);
207 wsi->socket_is_permanently_unusable = 1;
208
209 #if defined(LWS_WITH_SYS_METRICS)
210 if (wsi->a.vhost)
211 lws_metric_event(wsi->a.vhost->mt_traffic_tx,
212 METRES_NOGO, (u_mt_t)n);
213 #endif
214
215 return LWS_SSL_CAPABLE_ERROR;
216 }
217
218 int openssl_SSL_CTX_private_data_index;
219
220 void
lws_ssl_info_callback(const SSL * ssl,int where,int ret)221 lws_ssl_info_callback(const SSL *ssl, int where, int ret)
222 {
223 struct lws *wsi;
224 struct lws_context *context;
225 struct lws_ssl_info si;
226
227 context = (struct lws_context *)SSL_CTX_get_ex_data(
228 SSL_get_SSL_CTX(ssl),
229 openssl_SSL_CTX_private_data_index);
230 if (!context)
231 return;
232 wsi = wsi_from_fd(context, SSL_get_fd(ssl));
233 if (!wsi)
234 return;
235
236 if (!(where & wsi->a.vhost->tls.ssl_info_event_mask))
237 return;
238
239 si.where = where;
240 si.ret = ret;
241
242 if (user_callback_handle_rxflow(wsi->a.protocol->callback,
243 wsi, LWS_CALLBACK_SSL_INFO,
244 wsi->user_space, &si, 0))
245 lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
246 }
247
248
249 int
lws_ssl_close(struct lws * wsi)250 lws_ssl_close(struct lws *wsi)
251 {
252 lws_sockfd_type n;
253
254 if (!wsi->tls.ssl)
255 return 0; /* not handled */
256
257 #if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
258 /* kill ssl callbacks, becausse we will remove the fd from the
259 * table linking it to the wsi
260 */
261 if (wsi->a.vhost->tls.ssl_info_event_mask)
262 SSL_set_info_callback(wsi->tls.ssl, NULL);
263 #endif
264
265 #if defined(LWS_TLS_SYNTHESIZE_CB)
266 lws_sul_cancel(&wsi->tls.sul_cb_synth);
267 /*
268 * ... check the session in case it did not live long enough to get
269 * the scheduled callback to sample it
270 */
271 lws_sess_cache_synth_cb(&wsi->tls.sul_cb_synth);
272 #endif
273
274 n = SSL_get_fd(wsi->tls.ssl);
275 if (!wsi->socket_is_permanently_unusable)
276 SSL_shutdown(wsi->tls.ssl);
277 compatible_close(n);
278 SSL_free(wsi->tls.ssl);
279 wsi->tls.ssl = NULL;
280
281 lws_tls_restrict_return(wsi);
282
283 return 1; /* handled */
284 }
285
286 void
lws_ssl_SSL_CTX_destroy(struct lws_vhost * vhost)287 lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
288 {
289 if (vhost->tls.ssl_ctx)
290 SSL_CTX_free(vhost->tls.ssl_ctx);
291
292 if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
293 SSL_CTX_free(vhost->tls.ssl_client_ctx);
294 #if defined(LWS_WITH_ACME)
295 lws_tls_acme_sni_cert_destroy(vhost);
296 #endif
297 }
298
299 void
lws_ssl_context_destroy(struct lws_context * context)300 lws_ssl_context_destroy(struct lws_context *context)
301 {
302 }
303
304 lws_tls_ctx *
lws_tls_ctx_from_wsi(struct lws * wsi)305 lws_tls_ctx_from_wsi(struct lws *wsi)
306 {
307 if (!wsi->tls.ssl)
308 return NULL;
309
310 return SSL_get_SSL_CTX(wsi->tls.ssl);
311 }
312
313 enum lws_ssl_capable_status
__lws_tls_shutdown(struct lws * wsi)314 __lws_tls_shutdown(struct lws *wsi)
315 {
316 int n = SSL_shutdown(wsi->tls.ssl);
317
318 lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
319
320 switch (n) {
321 case 1: /* successful completion */
322 (void)shutdown(wsi->desc.sockfd, SHUT_WR);
323 return LWS_SSL_CAPABLE_DONE;
324
325 case 0: /* needs a retry */
326 __lws_change_pollfd(wsi, 0, LWS_POLLIN);
327 return LWS_SSL_CAPABLE_MORE_SERVICE;
328
329 default: /* fatal error, or WANT */
330 n = SSL_get_error(wsi->tls.ssl, n);
331 if (n != SSL_ERROR_SYSCALL && n != SSL_ERROR_SSL) {
332 if (SSL_want_read(wsi->tls.ssl)) {
333 lwsl_debug("(wants read)\n");
334 __lws_change_pollfd(wsi, 0, LWS_POLLIN);
335 return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
336 }
337 if (SSL_want_write(wsi->tls.ssl)) {
338 lwsl_debug("(wants write)\n");
339 __lws_change_pollfd(wsi, 0, LWS_POLLOUT);
340 return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
341 }
342 }
343 return LWS_SSL_CAPABLE_ERROR;
344 }
345 }
346
347
348 static int
tops_fake_POLLIN_for_buffered_mbedtls(struct lws_context_per_thread * pt)349 tops_fake_POLLIN_for_buffered_mbedtls(struct lws_context_per_thread *pt)
350 {
351 return lws_tls_fake_POLLIN_for_buffered(pt);
352 }
353
354 const struct lws_tls_ops tls_ops_mbedtls = {
355 /* fake_POLLIN_for_buffered */ tops_fake_POLLIN_for_buffered_mbedtls,
356 };
357