1 /*
2  * libwebsockets - small server side websockets and web server implementation
3  *
4  * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to
8  * deal in the Software without restriction, including without limitation the
9  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10  * sell copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22  * IN THE SOFTWARE.
23  */
24 
25 #include "private-lib-core.h"
26 
int
lws_ssl_client_connect1(struct lws *wsi)
{
	/*
	 * Start (or continue) the TLS handshake on a client wsi.
	 *
	 * Returns 1 once the handshake has completed, -1 on a hard failure,
	 * and 0 while the handshake still needs more socket service, in
	 * which case the wsi is parked in LRS_WAITING_SSL and the caller
	 * must come back later.  Completion here only means the handshake
	 * finished: the peer certificate is not confirmed in this function,
	 * that happens in lws_ssl_client_connect2().
	 */
	int rc = lws_tls_client_connect(wsi);

	if (rc == LWS_SSL_CAPABLE_ERROR)
		return -1;

	if (rc == LWS_SSL_CAPABLE_DONE)
		return 1; /* handshake complete */

	/* TLS wants to write: ask to be told when the socket is writable */
	if (rc == LWS_SSL_CAPABLE_MORE_SERVICE_WRITE)
		lws_callback_on_writable(wsi);

	/*
	 * Any of the three "more service" codes parks the wsi waiting on the
	 * handshake.  An unrecognised code changes no state and is simply
	 * reported as "retry", as before.
	 */
	if (rc == LWS_SSL_CAPABLE_MORE_SERVICE_WRITE ||
	    rc == LWS_SSL_CAPABLE_MORE_SERVICE_READ ||
	    rc == LWS_SSL_CAPABLE_MORE_SERVICE)
		lwsi_set_state(wsi, LRS_WAITING_SSL);

	return 0; /* still handshaking, call again */
}
49 
int
lws_ssl_client_connect2(struct lws *wsi, char *errbuf, int len)
{
	/*
	 * Finish bringing up a client TLS connection.
	 *
	 * If the wsi is still in LRS_WAITING_SSL the handshake is driven
	 * forward first; otherwise it is taken to be done already and we go
	 * straight to the peer certificate check.  Nothing about the
	 * connection should be trusted until this returns 1, which is the
	 * point at which lws_tls_client_confirm_peer_cert() has accepted
	 * the peer; a -1 must be treated as a failed connection.
	 *
	 * errbuf / len: buffer that receives a short failure description
	 *               when -1 is returned (filled here on handshake
	 *               failure, and passed on to the certificate check).
	 *
	 * Returns 1 when the handshake is complete and the peer certificate
	 * was accepted, 0 when the handshake still needs more service (call
	 * again later), -1 on handshake failure or certificate rejection.
	 */
	if (lwsi_state(wsi) == LRS_WAITING_SSL) {
		int rc = lws_tls_client_connect(wsi);
		int needs_more = 0;

		lwsl_debug("%s: SSL_connect says %d\n", __func__, rc);

		if (rc == LWS_SSL_CAPABLE_ERROR) {
			lws_snprintf(errbuf, len, "client connect failed");
			return -1;
		}

		if (rc == LWS_SSL_CAPABLE_MORE_SERVICE_WRITE) {
			/* wants to write: wake us when the socket allows it */
			lws_callback_on_writable(wsi);
			lwsi_set_state(wsi, LRS_WAITING_SSL);
			needs_more = 1;
		} else if (rc == LWS_SSL_CAPABLE_MORE_SERVICE_READ) {
			lwsi_set_state(wsi, LRS_WAITING_SSL);
			needs_more = 1;
		} else if (rc == LWS_SSL_CAPABLE_MORE_SERVICE)
			needs_more = 1;

		if (needs_more)
			return 0;

		/*
		 * LWS_SSL_CAPABLE_DONE (and, as in the original, any code not
		 * listed above) carries on to the certificate check below.
		 */
	}

	/* the trust gate: reject the peer unless its certificate is accepted */
	if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len))
		return -1;

	return 1;
}
81 
82 
int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
				struct lws_vhost *vhost)
{
	/*
	 * Set up the client-side TLS context for a vhost, if it needs one.
	 *
	 * info:  creation-time settings; the client_ssl_* members take
	 *        precedence over the older shared ssl_* members
	 * vhost: the vhost that receives vhost->tls.ssl_client_ctx
	 *
	 * Returns 0 on success or when there is nothing to do (option not
	 * set, context already present, caller supplied one), 1 if creating
	 * the context failed.
	 *
	 * Trust-relevant notes:
	 *  - a caller-provided context (info->provided_client_ssl_ctx) is
	 *    adopted exactly as given: nothing here inspects or changes its
	 *    peer verification settings, and the
	 *    LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS callback is
	 *    not issued for it, so whoever built that context owns its
	 *    verification policy;
	 *  - the return value of that callback is not checked below, so a
	 *    user callback that fails to load its extra CAs cannot abort the
	 *    setup from here.  NOTE(review): this matches the pre-existing
	 *    behaviour; confirm against the callback's documented contract
	 *    before relying on it.
	 */
	/* read up front; only used on the create path at the bottom */
	struct lws *fake = vhost->context->pt[0].fake_wsi;
	const char *ciphers, *ca_path, *cert_path, *key_path;

	/*
	 * NOTE(review): why this option skips client TLS setup entirely is
	 * not visible here, presumably the adopted listen/accept config is
	 * applied elsewhere; confirm before changing.
	 */
	if (vhost->options & LWS_SERVER_OPTION_ADOPT_APPLY_LISTEN_ACCEPT_CONFIG)
		return 0;

	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
		return 0;

	/* already have a client context: nothing to do */
	if (vhost->tls.ssl_client_ctx)
		return 0;

	if (info->provided_client_ssl_ctx) {
		vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
		/* flagged so the library never frees what it did not create */
		vhost->tls.user_supplied_ssl_ctx = 1;

		return 0;
	}

	/*
	 * Work out which material to load.  The shared ssl_* paths are the
	 * backwards-compatible default, but they are not reused when the
	 * vhost already has a server context: then only explicit
	 * client_ssl_* paths are taken.  The cipher list is inherited from
	 * ssl_cipher_list either way.
	 */
	ciphers = info->ssl_cipher_list;
	if (vhost->tls.ssl_ctx) {
		ca_path = NULL;
		cert_path = NULL;
		key_path = NULL;
	} else {
		ca_path = info->ssl_ca_filepath;
		cert_path = info->ssl_cert_filepath;
		key_path = info->ssl_private_key_filepath;
	}

	/* newer client-specific settings win over the shared ones */
	if (info->client_ssl_cipher_list)
		ciphers = info->client_ssl_cipher_list;
	if (info->client_ssl_ca_filepath)
		ca_path = info->client_ssl_ca_filepath;
	if (info->client_ssl_cert_filepath)
		cert_path = info->client_ssl_cert_filepath;
	if (info->client_ssl_private_key_filepath)
		key_path = info->client_ssl_private_key_filepath;

	if (lws_tls_client_create_vhost_context(vhost, info, ciphers,
						ca_path,
						info->client_ssl_ca_mem,
						info->client_ssl_ca_mem_len,
						cert_path,
						info->client_ssl_cert_mem,
						info->client_ssl_cert_mem_len,
						key_path))
		return 1;

	lwsl_info("created client ssl context for %s\n", vhost->name);

	/*
	 * Hand the user callback a stand-in wsi that carries the context and
	 * vhost (so lws_get_context() works inside the callback) but is not
	 * bound to any connection or protocol.
	 */
	fake->vhost = vhost;
	fake->context = vhost->context;
	fake->protocol = NULL;

	vhost->protocols[0].callback(fake,
			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
				     vhost->tls.ssl_client_ctx, NULL, 0);

	return 0;
}