1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "ssl_lib.h"
16 #include "ssl_pkey.h"
17 #include "ssl_x509.h"
18 #include "ssl_cert.h"
19 #include "ssl_dbg.h"
20 #include "ssl_port.h"
21
22 #include "private-lib-core.h"
23
24 char *
25 lws_strncpy(char *dest, const char *src, size_t size);
26
27 #define SSL_SEND_DATA_MAX_LENGTH 1460
28
29 /**
30 * @brief create a new SSL session object
31 */
SSL_SESSION_new(void)32 static SSL_SESSION* SSL_SESSION_new(void)
33 {
34 SSL_SESSION *session;
35
36 session = ssl_mem_zalloc(sizeof(SSL_SESSION));
37 if (!session) {
38 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
39 goto failed1;
40 }
41
42 session->peer = X509_new();
43 if (!session->peer) {
44 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
45 goto failed2;
46 }
47
48 return session;
49
50 failed2:
51 ssl_mem_free(session);
52 failed1:
53 return NULL;
54 }
55
56 /**
57 * @brief free a new SSL session object
58 */
SSL_SESSION_free(SSL_SESSION * session)59 static void SSL_SESSION_free(SSL_SESSION *session)
60 {
61 X509_free(session->peer);
62 ssl_mem_free(session);
63 }
64
65 /**
66 * @brief Discover whether the current connection is in the error state
67 */
ossl_statem_in_error(const SSL * ssl)68 int ossl_statem_in_error(const SSL *ssl)
69 {
70 SSL_ASSERT1(ssl);
71
72 if (ssl->statem.state == MSG_FLOW_ERROR)
73 return 1;
74
75 return 0;
76 }
77
78 /**
79 * @brief get the SSL specifical statement
80 */
SSL_want(const SSL * ssl)81 int SSL_want(const SSL *ssl)
82 {
83 SSL_ASSERT1(ssl);
84
85 return ssl->rwstate;
86 }
87
88 /**
89 * @brief check if SSL want nothing
90 */
SSL_want_nothing(const SSL * ssl)91 int SSL_want_nothing(const SSL *ssl)
92 {
93 SSL_ASSERT1(ssl);
94
95 if (ssl->err)
96 return 1;
97
98 return (SSL_want(ssl) == SSL_NOTHING);
99 }
100
101 /**
102 * @brief check if SSL want to read
103 */
SSL_want_read(const SSL * ssl)104 int SSL_want_read(const SSL *ssl)
105 {
106 SSL_ASSERT1(ssl);
107
108 if (ssl->err)
109 return 0;
110
111 return (SSL_want(ssl) == SSL_READING);
112 }
113
114 /**
115 * @brief check if SSL want to write
116 */
SSL_want_write(const SSL * ssl)117 int SSL_want_write(const SSL *ssl)
118 {
119 SSL_ASSERT1(ssl);
120
121 if (ssl->err)
122 return 0;
123
124 return (SSL_want(ssl) == SSL_WRITING);
125 }
126
127 /**
128 * @brief check if SSL want to lookup X509 certification
129 */
SSL_want_x509_lookup(const SSL * ssl)130 int SSL_want_x509_lookup(const SSL *ssl)
131 {
132 SSL_ASSERT1(ssl);
133
134 return (SSL_want(ssl) == SSL_WRITING);
135 }
136
137 /**
138 * @brief get SSL error code
139 */
SSL_get_error(const SSL * ssl,int ret_code)140 int SSL_get_error(const SSL *ssl, int ret_code)
141 {
142 int ret = SSL_ERROR_SYSCALL;
143
144 SSL_ASSERT1(ssl);
145
146 if (ret_code > 0)
147 ret = SSL_ERROR_NONE;
148 else if (ret_code < 0)
149 {
150 if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl))
151 ret = SSL_ERROR_WANT_READ;
152 else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl))
153 ret = SSL_ERROR_WANT_WRITE;
154 else
155 ret = SSL_ERROR_SYSCALL; //unknown
156 }
157 else // ret_code == 0
158 {
159 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
160 ret = SSL_ERROR_ZERO_RETURN;
161 else
162 ret = SSL_ERROR_SYSCALL;
163 }
164
165 return ret;
166 }
167
168 /**
169 * @brief get the SSL state
170 */
SSL_get_state(const SSL * ssl)171 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
172 {
173 OSSL_HANDSHAKE_STATE state;
174
175 SSL_ASSERT1(ssl);
176
177 state = SSL_METHOD_CALL(get_state, ssl);
178
179 return state;
180 }
181
182 /**
183 * @brief create a SSL context
184 */
SSL_CTX_new(const SSL_METHOD * method)185 SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
186 {
187 SSL_CTX *ctx;
188 CERT *cert;
189 X509 *client_ca;
190
191 if (!method) {
192 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
193 return NULL;
194 }
195
196 client_ca = X509_new();
197 if (!client_ca) {
198 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
199 goto failed1;
200 }
201
202 cert = ssl_cert_new();
203 if (!cert) {
204 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
205 goto failed2;
206 }
207
208 ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
209 if (!ctx) {
210 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
211 goto failed3;
212 }
213
214 ctx->method = method;
215 ctx->client_CA = client_ca;
216 ctx->cert = cert;
217
218 ctx->version = method->version;
219
220 return ctx;
221
222 failed3:
223 ssl_cert_free(cert);
224 failed2:
225 X509_free(client_ca);
226 failed1:
227 return NULL;
228 }
229
230 /**
231 * @brief free a SSL context
232 */
SSL_CTX_free(SSL_CTX * ctx)233 void SSL_CTX_free(SSL_CTX* ctx)
234 {
235 SSL_ASSERT3(ctx);
236
237 ssl_cert_free(ctx->cert);
238
239 X509_free(ctx->client_CA);
240
241 if (ctx->alpn_protos)
242 ssl_mem_free(ctx->alpn_protos);
243
244 ssl_mem_free(ctx);
245 }
246
247 /**
248 * @brief set the SSL context version
249 */
SSL_CTX_set_ssl_version(SSL_CTX * ctx,const SSL_METHOD * meth)250 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
251 {
252 SSL_ASSERT1(ctx);
253 SSL_ASSERT1(meth);
254
255 ctx->method = meth;
256
257 ctx->version = meth->version;
258
259 return 1;
260 }
261
262 /**
263 * @brief get the SSL context current method
264 */
SSL_CTX_get_ssl_method(SSL_CTX * ctx)265 const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
266 {
267 SSL_ASSERT2(ctx);
268
269 return ctx->method;
270 }
271
272 /**
273 * @brief create a SSL
274 */
SSL_new(SSL_CTX * ctx)275 SSL *SSL_new(SSL_CTX *ctx)
276 {
277 int ret = 0;
278 SSL *ssl;
279
280 if (!ctx) {
281 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
282 return NULL;
283 }
284
285 ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
286 if (!ssl) {
287 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
288 goto failed1;
289 }
290
291 ssl->session = SSL_SESSION_new();
292 if (!ssl->session) {
293 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
294 goto failed2;
295 }
296
297 ssl->cert = __ssl_cert_new(ctx->cert);
298 if (!ssl->cert) {
299 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
300 goto failed3;
301 }
302
303 ssl->client_CA = __X509_new(ctx->client_CA);
304 if (!ssl->client_CA) {
305 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
306 goto failed4;
307 }
308
309 ssl->ctx = ctx;
310 ssl->method = ctx->method;
311
312 ssl->version = ctx->version;
313 ssl->options = ctx->options;
314
315 ssl->verify_mode = ctx->verify_mode;
316
317 ret = SSL_METHOD_CALL(new, ssl);
318 if (ret) {
319 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
320 goto failed5;
321 }
322
323 _ssl_set_alpn_list(ssl);
324
325 ssl->rwstate = SSL_NOTHING;
326
327 return ssl;
328
329 failed5:
330 X509_free(ssl->client_CA);
331 failed4:
332 ssl_cert_free(ssl->cert);
333 failed3:
334 SSL_SESSION_free(ssl->session);
335 failed2:
336 ssl_mem_free(ssl);
337 failed1:
338 return NULL;
339 }
340
341 /**
342 * @brief free the SSL
343 */
SSL_free(SSL * ssl)344 void SSL_free(SSL *ssl)
345 {
346 SSL_ASSERT3(ssl);
347
348 SSL_METHOD_CALL(free, ssl);
349
350 X509_free(ssl->client_CA);
351
352 ssl_cert_free(ssl->cert);
353
354 SSL_SESSION_free(ssl->session);
355
356 if (ssl->alpn_protos)
357 ssl_mem_free(ssl->alpn_protos);
358
359 ssl_mem_free(ssl);
360 }
361
362 /**
363 * @brief perform the SSL handshake
364 */
SSL_do_handshake(SSL * ssl)365 int SSL_do_handshake(SSL *ssl)
366 {
367 int ret;
368
369 SSL_ASSERT1(ssl);
370
371 ret = SSL_METHOD_CALL(handshake, ssl);
372
373 return ret;
374 }
375
376 /**
377 * @brief connect to the remote SSL server
378 */
SSL_connect(SSL * ssl)379 int SSL_connect(SSL *ssl)
380 {
381 SSL_ASSERT1(ssl);
382
383 return SSL_do_handshake(ssl);
384 }
385
386 /**
387 * @brief accept the remote connection
388 */
SSL_accept(SSL * ssl)389 int SSL_accept(SSL *ssl)
390 {
391 SSL_ASSERT1(ssl);
392
393 return SSL_do_handshake(ssl);
394 }
395
396 /**
397 * @brief shutdown the connection
398 */
SSL_shutdown(SSL * ssl)399 int SSL_shutdown(SSL *ssl)
400 {
401 int ret;
402
403 SSL_ASSERT1(ssl);
404
405 if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
406
407 ret = SSL_METHOD_CALL(shutdown, ssl);
408
409 return ret;
410 }
411
412 /**
413 * @brief reset the SSL
414 */
SSL_clear(SSL * ssl)415 int SSL_clear(SSL *ssl)
416 {
417 int ret;
418
419 SSL_ASSERT1(ssl);
420
421 ret = SSL_shutdown(ssl);
422 if (1 != ret) {
423 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
424 goto failed1;
425 }
426
427 SSL_METHOD_CALL(free, ssl);
428
429 ret = SSL_METHOD_CALL(new, ssl);
430 if (!ret) {
431 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
432 goto failed1;
433 }
434
435 return 1;
436
437 failed1:
438 return ret;
439 }
440
441 /**
442 * @brief read data from to remote
443 */
SSL_read(SSL * ssl,void * buffer,int len)444 int SSL_read(SSL *ssl, void *buffer, int len)
445 {
446 int ret;
447
448 SSL_ASSERT1(ssl);
449 SSL_ASSERT1(buffer);
450 SSL_ASSERT1(len);
451
452 ssl->rwstate = SSL_READING;
453
454 ret = SSL_METHOD_CALL(read, ssl, buffer, len);
455
456 if (ret == len)
457 ssl->rwstate = SSL_NOTHING;
458
459 return ret;
460 }
461
462 /**
463 * @brief send the data to remote
464 */
SSL_write(SSL * ssl,const void * buffer,int len)465 int SSL_write(SSL *ssl, const void *buffer, int len)
466 {
467 int ret;
468 int send_bytes, bytes;
469 const unsigned char *pbuf;
470
471 SSL_ASSERT1(ssl);
472 SSL_ASSERT1(buffer);
473 SSL_ASSERT1(len);
474
475 ssl->rwstate = SSL_WRITING;
476
477 send_bytes = len;
478 pbuf = (const unsigned char *)buffer;
479
480 do {
481 if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
482 bytes = SSL_SEND_DATA_MAX_LENGTH;
483 else
484 bytes = send_bytes;
485
486 if (ssl->interrupted_remaining_write) {
487 bytes = ssl->interrupted_remaining_write;
488 ssl->interrupted_remaining_write = 0;
489 }
490
491 ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
492 //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes);
493 /* the return is a NEGATIVE OpenSSL error code, or the length sent */
494 if (ret > 0) {
495 pbuf += ret;
496 send_bytes -= ret;
497 } else
498 ssl->interrupted_remaining_write = bytes;
499 } while (ret > 0 && send_bytes && ret == bytes);
500
501 if (ret >= 0) {
502 ret = len - send_bytes;
503 if (!ret)
504 ssl->rwstate = SSL_NOTHING;
505 } else {
506 if (send_bytes == len)
507 ret = -1;
508 else
509 ret = len - send_bytes;
510 }
511
512 return ret;
513 }
514
515 /**
516 * @brief get SSL context of the SSL
517 */
SSL_get_SSL_CTX(const SSL * ssl)518 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
519 {
520 SSL_ASSERT2(ssl);
521
522 return ssl->ctx;
523 }
524
525 /**
526 * @brief get the SSL current method
527 */
SSL_get_ssl_method(SSL * ssl)528 const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
529 {
530 SSL_ASSERT2(ssl);
531
532 return ssl->method;
533 }
534
535 /**
536 * @brief set the SSL method
537 */
SSL_set_ssl_method(SSL * ssl,const SSL_METHOD * method)538 int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
539 {
540 int ret;
541
542 SSL_ASSERT1(ssl);
543 SSL_ASSERT1(method);
544
545 if (ssl->version != method->version) {
546
547 ret = SSL_shutdown(ssl);
548 if (1 != ret) {
549 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
550 goto failed1;
551 }
552
553 SSL_METHOD_CALL(free, ssl);
554
555 ssl->method = method;
556
557 ret = SSL_METHOD_CALL(new, ssl);
558 if (!ret) {
559 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
560 goto failed1;
561 }
562 } else {
563 ssl->method = method;
564 }
565
566
567 return 1;
568
569 failed1:
570 return ret;
571 }
572
573 /**
574 * @brief get SSL shutdown mode
575 */
SSL_get_shutdown(const SSL * ssl)576 int SSL_get_shutdown(const SSL *ssl)
577 {
578 SSL_ASSERT1(ssl);
579
580 return ssl->shutdown;
581 }
582
583 /**
584 * @brief set SSL shutdown mode
585 */
SSL_set_shutdown(SSL * ssl,int mode)586 void SSL_set_shutdown(SSL *ssl, int mode)
587 {
588 SSL_ASSERT3(ssl);
589
590 ssl->shutdown = mode;
591 }
592
593
594 /**
595 * @brief get the number of the bytes to be read
596 */
SSL_pending(const SSL * ssl)597 int SSL_pending(const SSL *ssl)
598 {
599 int ret;
600
601 SSL_ASSERT1(ssl);
602
603 ret = SSL_METHOD_CALL(pending, ssl);
604
605 return ret;
606 }
607
608 /**
609 * @brief check if some data can be read
610 */
SSL_has_pending(const SSL * ssl)611 int SSL_has_pending(const SSL *ssl)
612 {
613 int ret;
614
615 SSL_ASSERT1(ssl);
616
617 if (SSL_pending(ssl))
618 ret = 1;
619 else
620 ret = 0;
621
622 return ret;
623 }
624
625 /**
626 * @brief clear the SSL context option bit of "op"
627 */
SSL_CTX_clear_options(SSL_CTX * ctx,unsigned long op)628 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
629 {
630 SSL_ASSERT1(ctx);
631
632 return ctx->options &= ~op;
633 }
634
635 /**
636 * @brief get the SSL context option
637 */
SSL_CTX_get_options(SSL_CTX * ctx)638 unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
639 {
640 SSL_ASSERT1(ctx);
641
642 return ctx->options;
643 }
644
645 /**
646 * @brief set the option of the SSL context
647 */
SSL_CTX_set_options(SSL_CTX * ctx,unsigned long opt)648 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
649 {
650 SSL_ASSERT1(ctx);
651
652 return ctx->options |= opt;
653 }
654
655 /**
656 * @brief clear SSL option
657 */
SSL_clear_options(SSL * ssl,unsigned long op)658 unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
659 {
660 SSL_ASSERT1(ssl);
661
662 return ssl->options & ~op;
663 }
664
665 /**
666 * @brief get SSL option
667 */
SSL_get_options(SSL * ssl)668 unsigned long SSL_get_options(SSL *ssl)
669 {
670 SSL_ASSERT1(ssl);
671
672 return ssl->options;
673 }
674
675 /**
676 * @brief clear SSL option
677 */
SSL_set_options(SSL * ssl,unsigned long op)678 unsigned long SSL_set_options(SSL *ssl, unsigned long op)
679 {
680 SSL_ASSERT1(ssl);
681
682 return ssl->options |= op;
683 }
684
685 /**
686 * @brief get the socket handle of the SSL
687 */
SSL_get_fd(const SSL * ssl)688 int SSL_get_fd(const SSL *ssl)
689 {
690 int ret;
691
692 SSL_ASSERT1(ssl);
693
694 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
695
696 return ret;
697 }
698
699 /**
700 * @brief get the read only socket handle of the SSL
701 */
SSL_get_rfd(const SSL * ssl)702 int SSL_get_rfd(const SSL *ssl)
703 {
704 int ret;
705
706 SSL_ASSERT1(ssl);
707
708 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
709
710 return ret;
711 }
712
713 /**
714 * @brief get the write only socket handle of the SSL
715 */
SSL_get_wfd(const SSL * ssl)716 int SSL_get_wfd(const SSL *ssl)
717 {
718 int ret;
719
720 SSL_ASSERT1(ssl);
721
722 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
723
724 return ret;
725 }
726
727 /**
728 * @brief bind the socket file description into the SSL
729 */
SSL_set_fd(SSL * ssl,int fd)730 int SSL_set_fd(SSL *ssl, int fd)
731 {
732 SSL_ASSERT1(ssl);
733 SSL_ASSERT1(fd >= 0);
734
735 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
736
737 return 1;
738 }
739
740 /**
741 * @brief bind the read only socket file description into the SSL
742 */
SSL_set_rfd(SSL * ssl,int fd)743 int SSL_set_rfd(SSL *ssl, int fd)
744 {
745 SSL_ASSERT1(ssl);
746 SSL_ASSERT1(fd >= 0);
747
748 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
749
750 return 1;
751 }
752
753 /**
754 * @brief bind the write only socket file description into the SSL
755 */
SSL_set_wfd(SSL * ssl,int fd)756 int SSL_set_wfd(SSL *ssl, int fd)
757 {
758 SSL_ASSERT1(ssl);
759 SSL_ASSERT1(fd >= 0);
760
761 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
762
763 return 1;
764 }
765
766 /**
767 * @brief get SSL version
768 */
SSL_version(const SSL * ssl)769 int SSL_version(const SSL *ssl)
770 {
771 SSL_ASSERT1(ssl);
772
773 return ssl->version;
774 }
775
776 /**
777 * @brief get the SSL version string
778 */
ssl_protocol_to_string(int version)779 static const char* ssl_protocol_to_string(int version)
780 {
781 const char *str;
782
783 if (version == TLS1_2_VERSION)
784 str = "TLSv1.2";
785 else if (version == TLS1_1_VERSION)
786 str = "TLSv1.1";
787 else if (version == TLS1_VERSION)
788 str = "TLSv1";
789 else if (version == SSL3_VERSION)
790 str = "SSLv3";
791 else
792 str = "unknown";
793
794 return str;
795 }
796
797 /**
798 * @brief get the SSL current version
799 */
SSL_get_version(const SSL * ssl)800 const char *SSL_get_version(const SSL *ssl)
801 {
802 SSL_ASSERT2(ssl);
803
804 return ssl_protocol_to_string(SSL_version(ssl));
805 }
806
807 /**
808 * @brief get alert type string
809 */
SSL_alert_type_string(int value)810 const char *SSL_alert_type_string(int value)
811 {
812 const char *str;
813
814 switch (value >> 8)
815 {
816 case SSL3_AL_WARNING:
817 str = "W";
818 break;
819 case SSL3_AL_FATAL:
820 str = "F";
821 break;
822 default:
823 str = "U";
824 break;
825 }
826
827 return str;
828 }
829
830 /**
831 * @brief set the SSL context read buffer length
832 */
SSL_CTX_set_default_read_buffer_len(SSL_CTX * ctx,size_t len)833 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
834 {
835 SSL_ASSERT3(ctx);
836
837 ctx->read_buffer_len = len;
838 }
839
840 /**
841 * @brief set the SSL read buffer length
842 */
SSL_set_default_read_buffer_len(SSL * ssl,size_t len)843 void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
844 {
845 SSL_ASSERT3(ssl);
846 SSL_ASSERT3(len);
847
848 SSL_METHOD_CALL(set_bufflen, ssl, len);
849 }
850
851 /**
852 * @brief set the SSL information callback function
853 */
SSL_set_info_callback(SSL * ssl,void (* cb)(const SSL * ssl,int type,int val))854 void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
855 {
856 SSL_ASSERT3(ssl);
857
858 ssl->info_callback = cb;
859 }
860
861 /**
862 * @brief add SSL context reference count by '1'
863 */
SSL_CTX_up_ref(SSL_CTX * ctx)864 int SSL_CTX_up_ref(SSL_CTX *ctx)
865 {
866 SSL_ASSERT1(ctx);
867
868 /**
869 * no support multi-thread SSL here
870 */
871 ctx->references++;
872
873 return 1;
874 }
875
876 /**
877 * @brief set the SSL security level
878 */
SSL_set_security_level(SSL * ssl,int level)879 void SSL_set_security_level(SSL *ssl, int level)
880 {
881 SSL_ASSERT3(ssl);
882
883 ssl->cert->sec_level = level;
884 }
885
886 /**
887 * @brief get the SSL security level
888 */
SSL_get_security_level(const SSL * ssl)889 int SSL_get_security_level(const SSL *ssl)
890 {
891 SSL_ASSERT1(ssl);
892
893 return ssl->cert->sec_level;
894 }
895
896 /**
897 * @brief get the SSL verifying mode of the SSL context
898 */
SSL_CTX_get_verify_mode(const SSL_CTX * ctx)899 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
900 {
901 SSL_ASSERT1(ctx);
902
903 return ctx->verify_mode;
904 }
905
906 /**
907 * @brief set the session timeout time
908 */
SSL_CTX_set_timeout(SSL_CTX * ctx,long t)909 long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
910 {
911 long l;
912
913 SSL_ASSERT1(ctx);
914
915 l = ctx->session_timeout;
916 ctx->session_timeout = t;
917
918 return l;
919 }
920
921 /**
922 * @brief get the session timeout time
923 */
SSL_CTX_get_timeout(const SSL_CTX * ctx)924 long SSL_CTX_get_timeout(const SSL_CTX *ctx)
925 {
926 SSL_ASSERT1(ctx);
927
928 return ctx->session_timeout;
929 }
930
931 /**
932 * @brief set the SSL if we can read as many as data
933 */
SSL_set_read_ahead(SSL * ssl,int yes)934 void SSL_set_read_ahead(SSL *ssl, int yes)
935 {
936 SSL_ASSERT3(ssl);
937
938 ssl->rlayer.read_ahead = yes;
939 }
940
941 /**
942 * @brief set the SSL context if we can read as many as data
943 */
SSL_CTX_set_read_ahead(SSL_CTX * ctx,int yes)944 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
945 {
946 SSL_ASSERT3(ctx);
947
948 ctx->read_ahead = yes;
949 }
950
951 /**
952 * @brief get the SSL ahead signal if we can read as many as data
953 */
SSL_get_read_ahead(const SSL * ssl)954 int SSL_get_read_ahead(const SSL *ssl)
955 {
956 SSL_ASSERT1(ssl);
957
958 return ssl->rlayer.read_ahead;
959 }
960
961 /**
962 * @brief get the SSL context ahead signal if we can read as many as data
963 */
SSL_CTX_get_read_ahead(SSL_CTX * ctx)964 long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
965 {
966 SSL_ASSERT1(ctx);
967
968 return ctx->read_ahead;
969 }
970
971 /**
972 * @brief check if the SSL context can read as many as data
973 */
SSL_CTX_get_default_read_ahead(SSL_CTX * ctx)974 long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
975 {
976 SSL_ASSERT1(ctx);
977
978 return ctx->read_ahead;
979 }
980
981 /**
982 * @brief set SSL session time
983 */
SSL_set_time(SSL * ssl,long t)984 long SSL_set_time(SSL *ssl, long t)
985 {
986 SSL_ASSERT1(ssl);
987
988 ssl->session->time = t;
989
990 return t;
991 }
992
993 /**
994 * @brief set SSL session timeout time
995 */
SSL_set_timeout(SSL * ssl,long t)996 long SSL_set_timeout(SSL *ssl, long t)
997 {
998 SSL_ASSERT1(ssl);
999
1000 ssl->session->timeout = t;
1001
1002 return t;
1003 }
1004
1005 /**
1006 * @brief get the verifying result of the SSL certification
1007 */
SSL_get_verify_result(const SSL * ssl)1008 long SSL_get_verify_result(const SSL *ssl)
1009 {
1010 SSL_ASSERT1(ssl);
1011
1012 return SSL_METHOD_CALL(get_verify_result, ssl);
1013 }
1014
1015 /**
1016 * @brief get the SSL verifying depth of the SSL context
1017 */
SSL_CTX_get_verify_depth(const SSL_CTX * ctx)1018 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1019 {
1020 SSL_ASSERT1(ctx);
1021
1022 return ctx->param.depth;
1023 }
1024
1025 /**
1026 * @brief set the SSL verify depth of the SSL context
1027 */
SSL_CTX_set_verify_depth(SSL_CTX * ctx,int depth)1028 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
1029 {
1030 SSL_ASSERT3(ctx);
1031
1032 ctx->param.depth = depth;
1033 }
1034
1035 /**
1036 * @brief get the SSL verifying depth of the SSL
1037 */
SSL_get_verify_depth(const SSL * ssl)1038 int SSL_get_verify_depth(const SSL *ssl)
1039 {
1040 SSL_ASSERT1(ssl);
1041
1042 return ssl->param.depth;
1043 }
1044
1045 /**
1046 * @brief set the SSL verify depth of the SSL
1047 */
SSL_set_verify_depth(SSL * ssl,int depth)1048 void SSL_set_verify_depth(SSL *ssl, int depth)
1049 {
1050 SSL_ASSERT3(ssl);
1051
1052 ssl->param.depth = depth;
1053 }
1054
1055 /**
1056 * @brief set the SSL context verifying of the SSL context
1057 */
SSL_CTX_set_verify(SSL_CTX * ctx,int mode,int (* verify_callback)(int,X509_STORE_CTX *))1058 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
1059 {
1060 SSL_ASSERT3(ctx);
1061
1062 ctx->verify_mode = mode;
1063 ctx->default_verify_callback = verify_callback;
1064 }
1065
1066 /**
1067 * @brief set the SSL verifying of the SSL context
1068 */
SSL_set_verify(SSL * ssl,int mode,int (* verify_callback)(int,X509_STORE_CTX *))1069 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
1070 {
1071 SSL_ASSERT3(ssl);
1072
1073 ssl->verify_mode = mode;
1074 ssl->verify_callback = verify_callback;
1075 }
1076
ERR_error_string_n(unsigned long e,char * buf,size_t len)1077 void ERR_error_string_n(unsigned long e, char *buf, size_t len)
1078 {
1079 lws_strncpy(buf, "unknown", len);
1080 }
1081
ERR_free_strings(void)1082 void ERR_free_strings(void)
1083 {
1084 }
1085
ERR_error_string(unsigned long e,char * buf)1086 char *ERR_error_string(unsigned long e, char *buf)
1087 {
1088 if (!buf)
1089 return "unknown";
1090
1091 switch(e) {
1092 case X509_V_ERR_INVALID_CA:
1093 strcpy(buf, "CA is not trusted");
1094 break;
1095 case X509_V_ERR_HOSTNAME_MISMATCH:
1096 strcpy(buf, "Hostname mismatch");
1097 break;
1098 case X509_V_ERR_CA_KEY_TOO_SMALL:
1099 strcpy(buf, "CA key too small");
1100 break;
1101 case X509_V_ERR_CA_MD_TOO_WEAK:
1102 strcpy(buf, "MD key too weak");
1103 break;
1104 case X509_V_ERR_CERT_NOT_YET_VALID:
1105 strcpy(buf, "Cert from the future");
1106 break;
1107 case X509_V_ERR_CERT_HAS_EXPIRED:
1108 strcpy(buf, "Cert expired");
1109 break;
1110 default:
1111 strcpy(buf, "unknown");
1112 break;
1113 }
1114
1115 return buf;
1116 }
1117
SSL_CTX_get_ex_data(const SSL_CTX * ctx,int idx)1118 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
1119 {
1120 return NULL;
1121 }
1122
1123 /*
1124 * Openssl wants the valid protocol names supplied like this:
1125 *
1126 * (unsigned char *)"\x02h2\x08http/1.1", 6 + 9
1127 *
1128 * Mbedtls wants this:
1129 *
1130 * Pointer to a NULL-terminated list of supported protocols, in decreasing
1131 * preference order. The pointer to the list is recorded by the library for
1132 * later reference as required, so the lifetime of the table must be at least
1133 * as long as the lifetime of the SSL configuration structure.
1134 *
1135 * So accept the OpenSSL style and convert to mbedtls style
1136 */
1137
1138
1139 static void
_openssl_alpn_to_mbedtls(struct alpn_ctx * ac,char *** palpn_protos)1140 _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)
1141 {
1142 unsigned char *p = ac->data, *q;
1143 unsigned char len;
1144 char **alpn_protos;
1145 int count = 0;
1146
1147 /* find out how many entries he gave us */
1148
1149 if (ac->len) {
1150 len = *p++;
1151 if (len)
1152 count++;
1153 while (p - ac->data < ac->len) {
1154 if (len--) {
1155 p++;
1156 continue;
1157 }
1158 len = *p++;
1159 if (!len)
1160 break;
1161 count++;
1162 }
1163 }
1164
1165 if (!count)
1166 return;
1167
1168 /* allocate space for count + 1 pointers and the data afterwards */
1169
1170 alpn_protos = ssl_mem_zalloc((count + 1) * sizeof(char *) + ac->len + 1);
1171 if (!alpn_protos)
1172 return;
1173
1174 *palpn_protos = alpn_protos;
1175
1176 /* convert to mbedtls format */
1177
1178 q = (unsigned char *)alpn_protos + (count + 1) * sizeof(char *);
1179 p = ac->data;
1180 count = 0;
1181
1182 len = *p++;
1183 alpn_protos[count] = (char *)q;
1184 while (p - ac->data < ac->len) {
1185 if (len--) {
1186 *q++ = *p++;
1187 continue;
1188 }
1189 *q++ = '\0';
1190 count++;
1191 len = *p++;
1192 alpn_protos[count] = (char *)q;
1193 if (!len)
1194 break;
1195 }
1196 if (!len) {
1197 *q++ = '\0';
1198 count++;
1199 /* len = *p++; */
1200 alpn_protos[count] = (char *)q;
1201 }
1202 alpn_protos[count] = NULL; /* last pointer ends list with NULL */
1203 }
1204
SSL_CTX_set_alpn_select_cb(SSL_CTX * ctx,next_proto_cb cb,void * arg)1205 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg)
1206 {
1207 struct alpn_ctx *ac = arg;
1208
1209 ctx->alpn_cb = cb;
1210
1211 _openssl_alpn_to_mbedtls(ac, (char ***)&ctx->alpn_protos);
1212 }
1213
SSL_set_alpn_select_cb(SSL * ssl,void * arg)1214 void SSL_set_alpn_select_cb(SSL *ssl, void *arg)
1215 {
1216 struct alpn_ctx *ac = arg;
1217
1218 _openssl_alpn_to_mbedtls(ac, (char ***)&ssl->alpn_protos);
1219
1220 _ssl_set_alpn_list(ssl);
1221 }
1222