1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 */
24
25 #include "private-lib-core.h"
26 #include "private-lib-tls-openssl.h"
27
28 extern int openssl_websocket_private_data_index,
29 openssl_SSL_CTX_private_data_index;
30
lws_ssl_get_error_string(int status,int ret,char * buf,size_t len)31 char* lws_ssl_get_error_string(int status, int ret, char *buf, size_t len) {
32 switch (status) {
33 case SSL_ERROR_NONE:
34 return lws_strncpy(buf, "SSL_ERROR_NONE", len);
35 case SSL_ERROR_ZERO_RETURN:
36 return lws_strncpy(buf, "SSL_ERROR_ZERO_RETURN", len);
37 case SSL_ERROR_WANT_READ:
38 return lws_strncpy(buf, "SSL_ERROR_WANT_READ", len);
39 case SSL_ERROR_WANT_WRITE:
40 return lws_strncpy(buf, "SSL_ERROR_WANT_WRITE", len);
41 case SSL_ERROR_WANT_CONNECT:
42 return lws_strncpy(buf, "SSL_ERROR_WANT_CONNECT", len);
43 case SSL_ERROR_WANT_ACCEPT:
44 return lws_strncpy(buf, "SSL_ERROR_WANT_ACCEPT", len);
45 case SSL_ERROR_WANT_X509_LOOKUP:
46 return lws_strncpy(buf, "SSL_ERROR_WANT_X509_LOOKUP", len);
47 case SSL_ERROR_SYSCALL:
48 switch (ret) {
49 case 0:
50 lws_snprintf(buf, len, "SSL_ERROR_SYSCALL: EOF");
51 return buf;
52 case -1:
53 #ifndef LWS_PLAT_OPTEE
54 lws_snprintf(buf, len, "SSL_ERROR_SYSCALL: %s",
55 strerror(errno));
56 #else
57 lws_snprintf(buf, len, "SSL_ERROR_SYSCALL: %d", errno);
58 #endif
59 return buf;
60 default:
61 return strncpy(buf, "SSL_ERROR_SYSCALL", len);
62 }
63 case SSL_ERROR_SSL:
64 return "SSL_ERROR_SSL";
65 default:
66 return "SSL_ERROR_UNKNOWN";
67 }
68 }
69
70 void
lws_tls_err_describe_clear(void)71 lws_tls_err_describe_clear(void)
72 {
73 char buf[160];
74 unsigned long l;
75
76 do {
77 l = ERR_get_error();
78 if (!l)
79 break;
80
81 ERR_error_string_n(l, buf, sizeof(buf));
82 lwsl_info(" openssl error: %s\n", buf);
83 } while (l);
84 lwsl_info("\n");
85 }
86
87 #if LWS_MAX_SMP != 1
88
89 static pthread_mutex_t *openssl_mutexes;
90
91 static void
lws_openssl_lock_callback(int mode,int type,const char * file,int line)92 lws_openssl_lock_callback(int mode, int type, const char *file, int line)
93 {
94 (void)file;
95 (void)line;
96
97 if (mode & CRYPTO_LOCK)
98 pthread_mutex_lock(&openssl_mutexes[type]);
99 else
100 pthread_mutex_unlock(&openssl_mutexes[type]);
101 }
102
103 static unsigned long
lws_openssl_thread_id(void)104 lws_openssl_thread_id(void)
105 {
106 return (unsigned long)pthread_self();
107 }
108 #endif
109
110
111 int
lws_context_init_ssl_library(const struct lws_context_creation_info * info)112 lws_context_init_ssl_library(const struct lws_context_creation_info *info)
113 {
114 #ifdef USE_WOLFSSL
115 #ifdef USE_OLD_CYASSL
116 lwsl_info(" Compiled with CyaSSL support\n");
117 #else
118 lwsl_info(" Compiled with wolfSSL support\n");
119 #endif
120 #else
121 #if defined(LWS_WITH_BORINGSSL)
122 lwsl_info(" Compiled with BoringSSL support\n");
123 #else
124 lwsl_info(" Compiled with OpenSSL support\n");
125 #endif
126 #endif
127 if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
128 lwsl_info(" SSL disabled: no "
129 "LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
130 return 0;
131 }
132
133 /* basic openssl init */
134
135 lwsl_info("Doing SSL library init\n");
136
137 #if OPENSSL_VERSION_NUMBER < 0x10100000L
138 SSL_library_init();
139 OpenSSL_add_all_algorithms();
140 SSL_load_error_strings();
141 #else
142 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
143 #endif
144 #if defined(LWS_WITH_NETWORK)
145 openssl_websocket_private_data_index =
146 SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL);
147
148 openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0,
149 NULL, NULL, NULL, NULL);
150 #endif
151
152 #if LWS_MAX_SMP != 1
153 {
154 int n;
155
156 openssl_mutexes = (pthread_mutex_t *)
157 OPENSSL_malloc(CRYPTO_num_locks() *
158 sizeof(openssl_mutexes[0]));
159
160 for (n = 0; n < CRYPTO_num_locks(); n++)
161 pthread_mutex_init(&openssl_mutexes[n], NULL);
162
163 /*
164 * These "functions" disappeared in later OpenSSL which is
165 * already threadsafe.
166 */
167
168 (void)lws_openssl_thread_id;
169 (void)lws_openssl_lock_callback;
170
171 CRYPTO_set_id_callback(lws_openssl_thread_id);
172 CRYPTO_set_locking_callback(lws_openssl_lock_callback);
173 }
174 #endif
175
176 return 0;
177 }
178
179 void
lws_context_deinit_ssl_library(struct lws_context * context)180 lws_context_deinit_ssl_library(struct lws_context *context)
181 {
182 #if LWS_MAX_SMP != 1
183 int n;
184
185 if (!lws_check_opt(context->options,
186 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
187 return;
188
189 CRYPTO_set_locking_callback(NULL);
190
191 for (n = 0; n < CRYPTO_num_locks(); n++)
192 pthread_mutex_destroy(&openssl_mutexes[n]);
193
194 OPENSSL_free(openssl_mutexes);
195 #endif
196 }
197