1 /* 2 * libwebsockets - small server side websockets and web server implementation 3 * 4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com> 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to 8 * deal in the Software without restriction, including without limitation the 9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 10 * sell copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 * 24 * This is included from private-lib-core.h if LWS_WITH_TLS 25 */ 26 27 #if !defined(__LWS_TLS_PRIVATE_H__) 28 #define __LWS_TLS_PRIVATE_H__ 29 30 31 #if defined(LWS_WITH_TLS) 32 33 #include "private-jit-trust.h" 34 35 #if defined(USE_WOLFSSL) 36 #if defined(USE_OLD_CYASSL) 37 #if defined(_WIN32) 38 #include <IDE/WIN/user_settings.h> 39 #include <cyassl/ctaocrypt/settings.h> 40 #else 41 #include <cyassl/options.h> 42 #endif 43 #include <cyassl/openssl/ssl.h> 44 #include <cyassl/error-ssl.h> 45 #else 46 #if defined(_WIN32) 47 #include <IDE/WIN/user_settings.h> 48 #include <wolfssl/wolfcrypt/settings.h> 49 #else 50 #include <wolfssl/options.h> 51 #endif 52 #include <wolfssl/openssl/ssl.h> 53 #include <wolfssl/error-ssl.h> 54 #define OPENSSL_NO_TLSEXT 55 #endif /* not USE_OLD_CYASSL */ 56 #else /* WOLFSSL */ 57 #if defined(LWS_PLAT_FREERTOS) 58 #define OPENSSL_NO_TLSEXT 59 #if !defined(LWS_AMAZON_RTOS) 60 /* AMAZON RTOS has its own setting via MTK_MBEDTLS_CONFIG_FILE */ 61 #undef MBEDTLS_CONFIG_FILE 62 #define MBEDTLS_CONFIG_FILE <mbedtls/esp_config.h> 63 #endif 64 #include <mbedtls/ssl.h> 65 #include <mbedtls/aes.h> 66 #include <mbedtls/gcm.h> 67 #include <mbedtls/x509_crt.h> 68 #include "ssl.h" /* wrapper !!!! */ 69 #else /* not esp32 */ 70 #if defined(LWS_WITH_MBEDTLS) 71 #include <mbedtls/ssl.h> 72 #include <mbedtls/aes.h> 73 #include <mbedtls/gcm.h> 74 #include <mbedtls/x509_crt.h> 75 #include <mbedtls/x509_csr.h> 76 #include <mbedtls/ecp.h> 77 #include <mbedtls/ecdsa.h> 78 #if defined(LWS_AMAZON_LINUX) 79 #include "ssl.h" /* wrapper !!!! */ 80 #else 81 #include "openssl/ssl.h" /* wrapper !!!! */ 82 #endif 83 #else 84 #include <openssl/ssl.h> 85 #include <openssl/evp.h> 86 #include <openssl/err.h> 87 #include <openssl/md5.h> 88 #include <openssl/sha.h> 89 #include <openssl/rsa.h> 90 #include <openssl/bn.h> 91 #include <openssl/aes.h> 92 #ifdef LWS_HAVE_OPENSSL_ECDH_H 93 #include <openssl/ecdh.h> 94 #endif 95 #if !defined(LWS_HAVE_EVP_MD_CTX_free) && !defined(USE_WOLFSSL) 96 #define EVP_MD_CTX_free EVP_MD_CTX_destroy 97 #endif 98 #include <openssl/x509v3.h> 99 #endif /* not mbedtls */ 100 #if defined(OPENSSL_VERSION_NUMBER) 101 #if (OPENSSL_VERSION_NUMBER < 0x0009080afL) 102 /* 103 * later openssl defines this to negate the presence of tlsext... but it was 104 * only introduced at 0.9.8j. Earlier versions don't know it exists so don't 105 * define it... making it look like the feature exists... 106 */ 107 #define OPENSSL_NO_TLSEXT 108 #endif 109 #endif 110 #endif /* not ESP32 */ 111 #endif /* not USE_WOLFSSL */ 112 113 #endif /* LWS_WITH_TLS */ 114 115 enum lws_tls_extant { 116 LWS_TLS_EXTANT_NO, 117 LWS_TLS_EXTANT_YES, 118 LWS_TLS_EXTANT_ALTERNATIVE 119 }; 120 121 #if defined(LWS_WITH_TLS) 122 123 #if defined(LWS_WITH_TLS_SESSIONS) && defined(LWS_WITH_CLIENT) && \ 124 (defined(LWS_WITH_MBEDTLS) || defined(OPENSSL_IS_BORINGSSL)) 125 #define LWS_TLS_SYNTHESIZE_CB 1 126 #endif 127 128 int 129 lws_tls_restrict_borrow(struct lws *wsi); 130 131 void 132 lws_tls_restrict_return(struct lws *wsi); 133 134 void 135 lws_tls_restrict_return_handshake(struct lws *wsi); 136 137 typedef SSL lws_tls_conn; 138 typedef SSL_CTX lws_tls_ctx; 139 typedef BIO lws_tls_bio; 140 typedef X509 lws_tls_x509; 141 142 #if defined(LWS_WITH_NETWORK) 143 #include "private-network.h" 144 #endif 145 146 int 147 lws_context_init_ssl_library(struct lws_context *cx, 148 const struct lws_context_creation_info *info); 149 void 150 lws_context_deinit_ssl_library(struct lws_context *context); 151 #define LWS_SSL_ENABLED(vh) (vh && vh->tls.use_ssl) 152 153 extern const struct lws_tls_ops tls_ops_openssl, tls_ops_mbedtls; 154 155 struct lws_ec_valid_curves { 156 int id; 157 const char *jwa_name; /* list terminates with NULL jwa_name */ 158 }; 159 160 enum lws_tls_extant 161 lws_tls_use_any_upgrade_check_extant(const char *name); 162 extern int openssl_websocket_private_data_index; 163 164 void 165 lws_tls_err_describe_clear(void); 166 167 int 168 lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type, 169 union lws_tls_cert_info_results *buf, size_t len); 170 int 171 lws_tls_check_all_cert_lifetimes(struct lws_context *context); 172 173 int 174 lws_tls_alloc_pem_to_der_file(struct lws_context *context, const char *filename, 175 const char *inbuf, lws_filepos_t inlen, 176 uint8_t **buf, lws_filepos_t *amount); 177 178 int 179 lws_gencrypto_bits_to_bytes(int bits); 180 181 void 182 lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m); 183 184 /* genec */ 185 186 struct lws_gencrypto_keyelem; 187 struct lws_ec_curves; 188 189 extern const struct lws_ec_curves lws_ec_curves[4]; 190 const struct lws_ec_curves * 191 lws_genec_curve(const struct lws_ec_curves *table, const char *name); 192 LWS_VISIBLE void 193 lws_genec_destroy_elements(struct lws_gencrypto_keyelem *el); 194 int 195 lws_gencrypto_mbedtls_rngf(void *context, unsigned char *buf, size_t len); 196 197 int 198 lws_genec_confirm_curve_allowed_by_tls_id(const char *allowed, int id, 199 struct lws_jwk *jwk); 200 201 void 202 lws_tls_reuse_session(struct lws *wsi); 203 204 void 205 lws_tls_session_cache(struct lws_vhost *vh, uint32_t ttl); 206 207 int 208 lws_tls_session_name_from_wsi(struct lws *wsi, char *buf, size_t len); 209 210 /** 211 * lws_tls_session_name_discrete() - form an lws session tag name from pieces 212 * 213 * \param vhname: name of the vhost 214 * \param host: name of the host we are connecting to, like warmcat.com 215 * \param port: the port we connected to 216 * \param buf: the destination buffer for the tag 217 * \param len: the max available size of the destination buffer 218 * 219 * Creates a tag string representing a specific host, for use with serializing 220 * sessions made with the host. 221 */ 222 void 223 lws_tls_session_tag_discrete(const char *vhname, const char *host, 224 uint16_t port, char *buf, size_t len); 225 226 /** 227 * lws_tls_session_name_from_wsi() - form an lws session tag name from a client wsi 228 * 229 * \param wsi: the wsi whose vhost, host and port we should use for the tag 230 * \param buf: the destination buffer for the tag 231 * \param len: the max available size of the destination buffer 232 * 233 * Creates a tag string representing a specific host, for use with serializing 234 * sessions made with the host. 235 */ 236 int 237 lws_tls_session_tag_from_wsi(struct lws *wsi, char *buf, size_t len); 238 239 #else /* ! WITH_TLS */ 240 241 #define lws_tls_restrict_borrow(xxx) (0) 242 #define lws_tls_restrict_return(xxx) 243 244 #endif 245 #endif 246