1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 */
24
25 #include "private-lib-core.h"
26
/*
 * First stage of the client TLS handshake, driven from
 * lws_client_create_tls().
 *
 * wsi:    the client connection
 * errbuf: buffer of len bytes that receives a failure description
 *
 * Returns 1 when the handshake completed, 0 when the caller should retry
 * after more service (the wsi is parked in LRS_WAITING_SSL), -1 on error.
 *
 * NOTE(review): returning 1 here only means the handshake finished; the
 * peer certificate is not checked in this function.  That check lives in
 * lws_ssl_client_connect2(), which callers are presumably expected to
 * reach afterwards — confirm against the callers.
 */
static int
lws_ssl_client_connect1(struct lws *wsi, char *errbuf, size_t len)
{
	int status = lws_tls_client_connect(wsi, errbuf, len);

	if (status == LWS_SSL_CAPABLE_ERROR) {
		lws_tls_restrict_return_handshake(wsi);
		return -1;
	}

	if (status == LWS_SSL_CAPABLE_DONE) {
		lws_tls_restrict_return_handshake(wsi);
		lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
#if defined(LWS_WITH_CONMON)
		/* TLS stage duration, measured from the conmon_datum stamp */
		wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
				(lws_now_usecs() - wsi->conmon_datum);
#endif
		return 1; /* connected */
	}

	/* the write case additionally asks for a writable callback */
	if (status == LWS_SSL_CAPABLE_MORE_SERVICE_WRITE)
		lws_callback_on_writable(wsi);

	/* every "more service" answer parks the wsi waiting on the handshake */
	if (status == LWS_SSL_CAPABLE_MORE_SERVICE_WRITE ||
	    status == LWS_SSL_CAPABLE_MORE_SERVICE ||
	    status == LWS_SSL_CAPABLE_MORE_SERVICE_READ)
		lwsi_set_state(wsi, LRS_WAITING_SSL);

	return 0; /* retry */
}
56
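/*
 * Second (and any later) stage of the client TLS handshake: keep driving
 * the handshake while the wsi sits in LRS_WAITING_SSL, then, once it is
 * over, confirm the peer certificate before reporting the connection
 * usable.
 *
 * wsi:    client connection whose TLS handshake is in progress
 * errbuf: buffer of len bytes that receives a failure description
 *
 * Returns 1 when the handshake completed and the peer certificate was
 * accepted, 0 when the caller should retry after more service, -1 on a
 * handshake failure or a rejected peer certificate.
 */
int
lws_ssl_client_connect2(struct lws *wsi, char *errbuf, size_t len)
{
	if (lwsi_state(wsi) == LRS_WAITING_SSL) {
		int n = lws_tls_client_connect(wsi, errbuf, len);

		lwsl_debug("%s: SSL_connect says %d\n", __func__, n);

		switch (n) {
		case LWS_SSL_CAPABLE_DONE:
			break; /* handshake finished, go on to the cert check */
		case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
			lws_callback_on_writable(wsi);
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
			lwsi_set_state(wsi, LRS_WAITING_SSL);
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE:
			return 0; /* retry */
		case LWS_SSL_CAPABLE_ERROR:
		default:
			/*
			 * Fail closed: an error, or a status code this switch
			 * does not know about, must not drop out of the switch
			 * and be treated as a completed handshake.  The failure
			 * text is expected to have been written into errbuf by
			 * lws_tls_client_connect() — TODO confirm.
			 */
			lws_tls_restrict_return_handshake(wsi);
			return -1;
		}
	}

	/* handshake is over either way; give back the restriction borrow */
	lws_tls_restrict_return_handshake(wsi);

	/*
	 * A completed handshake is not enough: the peer's certificate still
	 * has to be accepted before the connection is reported as connected.
	 */
	if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len)) {
		lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
		return -1;
	}

	lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
#if defined(LWS_WITH_CONMON)
	/* TLS stage duration, measured from the conmon_datum stamp */
	wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
			(lws_now_usecs() - wsi->conmon_datum);
#endif

	return 1; /* connected */
}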
99
100
/*
 * Prefer the client-specific creation-info member when the caller set it,
 * otherwise fall back to the legacy value.
 */
static const char *
lws_client_ssl_override(const char *client_specific, const char *legacy)
{
	return client_specific ? client_specific : legacy;
}

/*
 * Create the vhost's client-side SSL context from the creation info, unless
 * one is not wanted or already exists.
 *
 * info:  context creation info; both the legacy ssl_... members and the
 *        client_ssl_... members are consulted (the latter win)
 * vhost: vhost whose tls.ssl_client_ctx is populated
 *
 * Returns 0 when nothing needed doing or the context was created (or the
 * user-provided one was adopted), 1 when
 * lws_tls_client_create_vhost_context() failed.
 *
 * After creation the vhost's first protocol is called back with
 * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS, with the new client
 * ctx as the third argument, on a fake wsi that only carries the context
 * and vhost.
 */
int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
				struct lws_vhost *vhost)
{
	lws_fakewsi_def_plwsa(&vhost->context->pt[0]);

	lws_fakewsi_prep_plwsa_ctx(vhost->context);

	if (vhost->options & LWS_SERVER_OPTION_ADOPT_APPLY_LISTEN_ACCEPT_CONFIG)
		return 0;

	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
		return 0;

	/* already have a client ctx: nothing to do */
	if (vhost->tls.ssl_client_ctx)
		return 0;

#if !defined(LWS_WITH_MBEDTLS)
	if (info->provided_client_ssl_ctx) {
		/* adopt the caller's OpenSSL context; it is theirs to free */
		vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
		vhost->tls.user_supplied_ssl_ctx = 1;

		return 0;
	}
#endif

	{
		/*
		 * When vhost->tls.ssl_ctx is already set, the legacy ssl_...
		 * file paths are not reused for the client ctx; only the
		 * client_ssl_... members can supply them.  The cipher list
		 * is not subject to that rule.
		 */
		int legacy_paths_ok = !vhost->tls.ssl_ctx;
		const char *cipher_list = lws_client_ssl_override(
				info->client_ssl_cipher_list,
				info->ssl_cipher_list);
		const char *cert_filepath = lws_client_ssl_override(
				info->client_ssl_cert_filepath,
				legacy_paths_ok ? info->ssl_cert_filepath : NULL);
		const char *private_key_filepath = lws_client_ssl_override(
				info->client_ssl_private_key_filepath,
				legacy_paths_ok ? info->ssl_private_key_filepath : NULL);
		const char *ca_filepath = lws_client_ssl_override(
				info->client_ssl_ca_filepath,
				legacy_paths_ok ? info->ssl_ca_filepath : NULL);

		if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
							ca_filepath,
							info->client_ssl_ca_mem,
							info->client_ssl_ca_mem_len,
							cert_filepath,
							info->client_ssl_cert_mem,
							info->client_ssl_cert_mem_len,
							private_key_filepath,
							info->client_ssl_key_mem,
							info->client_ssl_key_mem_len))
			return 1;
	}

	lwsl_info("created client ssl context for %s\n", vhost->name);

	/*
	 * The fake wsi carries the context (and now the vhost) so the
	 * callback can use lws_get_context(); it is not a real bound wsi.
	 */
	plwsa->vhost = vhost;

	vhost->protocols[0].callback((struct lws *)plwsa,
			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
			vhost->tls.ssl_client_ctx, NULL, 0);

	return 0;
}
180
/*
 * Set up client TLS on wsi and, if asked, start the handshake.
 *
 * wsi:   the client connection
 * pcce:  on CCTLS_RETURN_ERROR, set to a description of the failure;
 *        this is either a string literal or a pointer into the per-thread
 *        serv_buf that lws_ssl_client_connect1() wrote into, so it should
 *        be consumed before that buffer is reused — presumably before the
 *        next service, confirm against callers
 * do_c1: non-zero to run the first handshake stage now, zero to only
 *        create the SSL BIO
 *
 * Returns CCTLS_RETURN_DONE, CCTLS_RETURN_RETRY (handshake needs more
 * service; caller should return 0) or CCTLS_RETURN_ERROR.
 *
 * The function may be called again for the same wsi; the BIO is created
 * only on the first call.
 */
int
lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
{
	char *scratch;
	int n;

	/* plain (non-TLS) connection: nothing to set up */
	if (!(wsi->tls.use_ssl & LCCSCF_USE_SSL)) {
		wsi->tls.ssl = NULL;

		return CCTLS_RETURN_DONE; /* OK */
	}

	if (!wsi->tls.ssl) {
#if defined(LWS_WITH_TLS)
		/*
		 * Take a handshake borrow unless this is a pipelined
		 * transaction; it is returned by the connect stages.
		 */
		if (!wsi->transaction_from_pipeline_queue &&
		    lws_tls_restrict_borrow(wsi)) {
			*pcce = "tls restriction limit";
			return CCTLS_RETURN_ERROR;
		}
#endif
		if (lws_ssl_client_bio_create(wsi) < 0) {
			*pcce = "bio_create failed";
			return CCTLS_RETURN_ERROR;
		}
	}

	if (!do_c1)
		return CCTLS_RETURN_DONE;

	lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
	lws_metrics_caliper_bind(wsi->cal_conn, wsi->a.context->mt_conn_tls);
#if defined(LWS_WITH_CONMON)
	/* timestamp the start of the TLS stage for the ciu_tls interval */
	wsi->conmon_datum = lws_now_usecs();
#endif

	/* the per-thread service buffer doubles as the error text buffer */
	scratch = (char *)wsi->a.context->pt[(int)wsi->tsi].serv_buf;
	n = lws_ssl_client_connect1(wsi, scratch,
				    wsi->a.context->pt_serv_buf_size);
	lwsl_debug("%s: lws_ssl_client_connect1: %d\n", __func__, n);

	if (n == 0)
		return CCTLS_RETURN_RETRY; /* caller should return 0 */

	if (n < 0) {
		*pcce = scratch;
		lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
		return CCTLS_RETURN_ERROR;
	}

	/* connect1 already reported the caliper when the handshake finished */
	lws_tls_server_conn_alpn(wsi);

	return CCTLS_RETURN_DONE; /* OK */
}
233