1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 */
24
25 #include "private-lib-core.h"
26
27 static int
OpenSSL_client_verify_callback(int preverify_ok,X509_STORE_CTX * x509_ctx)28 OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
29 {
30 return 0;
31 }
32
33 int
lws_ssl_client_bio_create(struct lws * wsi)34 lws_ssl_client_bio_create(struct lws *wsi)
35 {
36 char hostname[128], *p;
37 const char *alpn_comma = wsi->context->tls.alpn_default;
38 struct alpn_ctx protos;
39
40 if (wsi->stash)
41 lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
42 else
43 if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
44 _WSI_TOKEN_CLIENT_HOST) <= 0) {
45 lwsl_err("%s: Unable to get hostname\n", __func__);
46
47 return -1;
48 }
49
50 /*
51 * remove any :port part on the hostname... necessary for network
52 * connection but typical certificates do not contain it
53 */
54 p = hostname;
55 while (*p) {
56 if (*p == ':') {
57 *p = '\0';
58 break;
59 }
60 p++;
61 }
62
63 wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
64 if (!wsi->tls.ssl) {
65 lwsl_info("%s: SSL_new() failed\n", __func__);
66 return -1;
67 }
68
69 if (wsi->vhost->tls.ssl_info_event_mask)
70 SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
71
72 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
73 X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
74 /* Enable automatic hostname checks */
75 // X509_VERIFY_PARAM_set_hostflags(param,
76 // X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
77 X509_VERIFY_PARAM_set1_host(param, hostname, 0);
78 }
79
80 if (wsi->vhost->tls.alpn)
81 alpn_comma = wsi->vhost->tls.alpn;
82
83 if (wsi->stash) {
84 lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
85 alpn_comma = wsi->stash->cis[CIS_ALPN];
86 } else {
87 if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
88 _WSI_TOKEN_CLIENT_ALPN) > 0)
89 alpn_comma = hostname;
90 }
91
92 lwsl_info("%s: %p: client conn sending ALPN list '%s'\n",
93 __func__, wsi, alpn_comma);
94
95 protos.len = lws_alpn_comma_to_openssl(alpn_comma, protos.data,
96 sizeof(protos.data) - 1);
97
98 /* with mbedtls, protos is not pointed to after exit from this call */
99 SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
100
101 /*
102 * use server name indication (SNI), if supported,
103 * when establishing connection
104 */
105 SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
106 OpenSSL_client_verify_callback);
107
108 SSL_set_fd(wsi->tls.ssl, wsi->desc.sockfd);
109
110 if (wsi->sys_tls_client_cert) {
111 lws_system_blob_t *b = lws_system_get_blob(wsi->context,
112 LWS_SYSBLOB_TYPE_CLIENT_CERT_DER,
113 wsi->sys_tls_client_cert - 1);
114 const uint8_t *data;
115 size_t size;
116
117 if (!b)
118 goto no_client_cert;
119
120 /*
121 * Set up the per-connection client cert
122 */
123
124 size = lws_system_blob_get_size(b);
125 if (!size)
126 goto no_client_cert;
127
128 if (lws_system_blob_get_single_ptr(b, &data))
129 goto no_client_cert;
130
131 if (SSL_use_certificate_ASN1(wsi->tls.ssl, data, size) != 1)
132 goto no_client_cert;
133
134 b = lws_system_get_blob(wsi->context,
135 LWS_SYSBLOB_TYPE_CLIENT_KEY_DER,
136 wsi->sys_tls_client_cert - 1);
137 if (!b)
138 goto no_client_cert;
139 size = lws_system_blob_get_size(b);
140 if (!size)
141 goto no_client_cert;
142
143 if (lws_system_blob_get_single_ptr(b, &data))
144 goto no_client_cert;
145
146 if (SSL_use_PrivateKey_ASN1(0, wsi->tls.ssl, data, size) != 1)
147 goto no_client_cert;
148
149 /* no wrapper api for check key */
150
151 lwsl_notice("%s: set system client cert %u\n", __func__,
152 wsi->sys_tls_client_cert - 1);
153 }
154
155 return 0;
156
157 no_client_cert:
158 lwsl_err("%s: unable to set up system client cert %d\n", __func__,
159 wsi->sys_tls_client_cert - 1);
160
161 return 1;
162 }
163
ERR_get_error(void)164 int ERR_get_error(void)
165 {
166 return 0;
167 }
168
169 enum lws_ssl_capable_status
lws_tls_client_connect(struct lws * wsi)170 lws_tls_client_connect(struct lws *wsi)
171 {
172 int m, n = SSL_connect(wsi->tls.ssl);
173 const unsigned char *prot;
174 unsigned int len;
175
176 if (n == 1) {
177 SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
178 lws_role_call_alpn_negotiated(wsi, (const char *)prot);
179 lwsl_info("client connect OK\n");
180 return LWS_SSL_CAPABLE_DONE;
181 }
182
183 m = SSL_get_error(wsi->tls.ssl, n);
184
185 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
186 return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
187
188 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
189 return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
190
191 if (!n) /* we don't know what he wants, but he says to retry */
192 return LWS_SSL_CAPABLE_MORE_SERVICE;
193
194 return LWS_SSL_CAPABLE_ERROR;
195 }
196
197 int
lws_tls_client_confirm_peer_cert(struct lws * wsi,char * ebuf,int ebuf_len)198 lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
199 {
200 int n;
201 X509 *peer = SSL_get_peer_certificate(wsi->tls.ssl);
202 struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
203 char *sb = (char *)&pt->serv_buf[0];
204
205 if (!peer) {
206 lwsl_info("peer did not provide cert\n");
207 lws_snprintf(ebuf, ebuf_len, "no peer cert");
208
209 return -1;
210 }
211 lwsl_info("peer provided cert\n");
212
213 n = SSL_get_verify_result(wsi->tls.ssl);
214 lwsl_debug("get_verify says %d\n", n);
215
216 if (n == X509_V_OK)
217 return 0;
218
219 if (n == X509_V_ERR_HOSTNAME_MISMATCH &&
220 (wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
221 lwsl_info("accepting certificate for invalid hostname\n");
222 return 0;
223 }
224
225 if (n == X509_V_ERR_INVALID_CA &&
226 (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)) {
227 lwsl_info("accepting certificate from untrusted CA\n");
228 return 0;
229 }
230
231 if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
232 n == X509_V_ERR_CERT_HAS_EXPIRED) &&
233 (wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED)) {
234 lwsl_info("accepting expired or not yet valid certificate\n");
235
236 return 0;
237 }
238 lws_snprintf(ebuf, ebuf_len,
239 "server's cert didn't look good, (use_ssl 0x%x) X509_V_ERR = %d: %s\n",
240 (unsigned int)wsi->tls.use_ssl, n, ERR_error_string(n, sb));
241 lwsl_info("%s\n", ebuf);
242 lws_tls_err_describe_clear();
243
244 return -1;
245 }
246
247 int
lws_tls_client_create_vhost_context(struct lws_vhost * vh,const struct lws_context_creation_info * info,const char * cipher_list,const char * ca_filepath,const void * ca_mem,unsigned int ca_mem_len,const char * cert_filepath,const void * cert_mem,unsigned int cert_mem_len,const char * private_key_filepath)248 lws_tls_client_create_vhost_context(struct lws_vhost *vh,
249 const struct lws_context_creation_info *info,
250 const char *cipher_list,
251 const char *ca_filepath,
252 const void *ca_mem,
253 unsigned int ca_mem_len,
254 const char *cert_filepath,
255 const void *cert_mem,
256 unsigned int cert_mem_len,
257 const char *private_key_filepath)
258 {
259 X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
260 SSL_METHOD *method = (SSL_METHOD *)TLS_client_method();
261 unsigned long error;
262 int n;
263
264 if (!method) {
265 error = ERR_get_error();
266 lwsl_err("problem creating ssl method %lu: %s\n",
267 error, ERR_error_string(error,
268 (char *)vh->context->pt[0].serv_buf));
269 return 1;
270 }
271 /* create context */
272 vh->tls.ssl_client_ctx = SSL_CTX_new(method);
273 if (!vh->tls.ssl_client_ctx) {
274 error = ERR_get_error();
275 lwsl_err("problem creating ssl context %lu: %s\n",
276 error, ERR_error_string(error,
277 (char *)vh->context->pt[0].serv_buf));
278 return 1;
279 }
280
281 if (!ca_filepath && (!ca_mem || !ca_mem_len))
282 return 0;
283
284 if (ca_filepath) {
285 #if !defined(LWS_PLAT_OPTEE)
286 uint8_t *buf;
287 lws_filepos_t len;
288
289 if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
290 lwsl_err("Load CA cert file %s failed\n", ca_filepath);
291 return 1;
292 }
293 vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
294 free(buf);
295 lwsl_notice("Loading client CA for verification %s\n", ca_filepath);
296 #endif
297 } else {
298 vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
299 lwsl_notice("%s: using mem client CA cert %d\n",
300 __func__, ca_mem_len);
301 }
302
303 if (!vh->tls.x509_client_CA) {
304 lwsl_err("client CA: x509 parse failed\n");
305 return 1;
306 }
307
308 if (!vh->tls.ssl_ctx)
309 SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
310 else
311 SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
312
313 /* support for client-side certificate authentication */
314 if (cert_filepath) {
315 #if !defined(LWS_PLAT_OPTEE)
316 uint8_t *buf;
317 lws_filepos_t amount;
318
319 if (lws_tls_use_any_upgrade_check_extant(cert_filepath) !=
320 LWS_TLS_EXTANT_YES &&
321 (info->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT))
322 return 0;
323
324 lwsl_notice("%s: doing cert filepath %s\n", __func__,
325 cert_filepath);
326
327 if (alloc_file(vh->context, cert_filepath, &buf, &amount))
328 return 1;
329
330 buf[amount++] = '\0';
331
332 SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
333 buf, amount);
334
335 n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
336 amount, buf);
337 lws_free(buf);
338 if (n < 1) {
339 lwsl_err("problem %d getting cert '%s'\n", n,
340 cert_filepath);
341 lws_tls_err_describe_clear();
342 return 1;
343 }
344
345 lwsl_notice("Loaded client cert %s\n", cert_filepath);
346 #endif
347 } else if (cert_mem && cert_mem_len) {
348 // lwsl_hexdump_notice(cert_mem, cert_mem_len - 1);
349 SSL_CTX_use_PrivateKey_ASN1(0, vh->tls.ssl_client_ctx,
350 cert_mem, cert_mem_len - 1);
351 n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
352 cert_mem_len, cert_mem);
353 if (n < 1) {
354 lwsl_err("%s: problem interpreting client cert\n",
355 __func__);
356 lws_tls_err_describe_clear();
357 return 1;
358 }
359 lwsl_notice("%s: using mem client cert %d\n",
360 __func__, cert_mem_len);
361 }
362
363 return 0;
364 }
365
366 int
lws_tls_client_vhost_extra_cert_mem(struct lws_vhost * vh,const uint8_t * der,size_t der_len)367 lws_tls_client_vhost_extra_cert_mem(struct lws_vhost *vh,
368 const uint8_t *der, size_t der_len)
369 {
370 if (SSL_CTX_add_client_CA_ASN1(vh->tls.ssl_client_ctx, der_len, der) != 1) {
371 lwsl_err("%s: failed\n", __func__);
372 return 1;
373 }
374
375 return 0;
376 }
377
378