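/*
 * libwebsockets - small server side websockets and web server implementation
 *
 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 *
 * This is included from private-lib-core.h if LWS_WITH_TLS
 *
 * Private TLS-layer header: selects and pulls in the headers of the TLS
 * backend the build was configured for (wolfSSL / old CyaSSL, mbedTLS, or
 * OpenSSL), then declares the library-internal TLS and generic-crypto helper
 * API shared by the backend-specific .c files.
 */

#if !defined(__LWS_TLS_PRIVATE_H__)
#define __LWS_TLS_PRIVATE_H__
/*
 * NOTE(review): a double-underscore identifier is reserved for the
 * implementation (C11 7.1.3).  The guard name is kept as-is because other
 * translation units may test it; renaming it is a separate, coordinated change.
 */

#if defined(LWS_WITH_TLS)

/*
 * Backend header selection.  Exactly one family is included, chosen by the
 * build-time defines in this order: USE_WOLFSSL, then LWS_PLAT_FREERTOS
 * (mbedTLS with a platform config), then LWS_WITH_MBEDTLS, else OpenSSL.
 *
 * OPENSSL_NO_TLSEXT is defined for backends / versions whose OpenSSL-style
 * api lacks the TLS extension entry points, so the rest of lws compiles out
 * the code paths that depend on them.
 */
#if defined(USE_WOLFSSL)
#if defined(USE_OLD_CYASSL)
#if defined(_WIN32)
#include <IDE/WIN/user_settings.h>
#include <cyassl/ctaocrypt/settings.h>
#else
#include <cyassl/options.h>
#endif
#include <cyassl/openssl/ssl.h>
#include <cyassl/error-ssl.h>
#else
#if defined(_WIN32)
#include <IDE/WIN/user_settings.h>
#include <wolfssl/wolfcrypt/settings.h>
#else
#include <wolfssl/options.h>
#endif
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/error-ssl.h>
#define OPENSSL_NO_TLSEXT
#endif /* not USE_OLD_CYASSL */
#else /* WOLFSSL */
#if defined(LWS_PLAT_FREERTOS)
#define OPENSSL_NO_TLSEXT
#if !defined(LWS_AMAZON_RTOS)
/* AMAZON RTOS has its own setting via MTK_MBEDTLS_CONFIG_FILE */
#undef MBEDTLS_CONFIG_FILE
#define MBEDTLS_CONFIG_FILE <mbedtls/esp_config.h>
#endif
#include <mbedtls/ssl.h>
#include <mbedtls/aes.h>
#include <mbedtls/gcm.h>
#include <mbedtls/x509_crt.h>
#include "ssl.h" /* wrapper !!!! */
#else /* not esp32 */
#if defined(LWS_WITH_MBEDTLS)
#include <mbedtls/ssl.h>
#include <mbedtls/aes.h>
#include <mbedtls/gcm.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/x509_csr.h>
#include <mbedtls/ecp.h>
#include <mbedtls/ecdsa.h>
/*
 * "ssl.h" / "openssl/ssl.h" here are lws' own OpenSSL-compat wrappers over
 * mbedTLS, so that the SSL / SSL_CTX / BIO / X509 names used below exist.
 */
#if defined(LWS_AMAZON_LINUX)
#include "ssl.h" /* wrapper !!!! */
#else
#include "openssl/ssl.h" /* wrapper !!!! */
#endif
#else
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/aes.h>
#ifdef LWS_HAVE_OPENSSL_ECDH_H
#include <openssl/ecdh.h>
#endif
#if !defined(LWS_HAVE_EVP_MD_CTX_free)
/* older OpenSSL (and some compat layers) only spell this EVP_MD_CTX_destroy */
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif
#include <openssl/x509v3.h>
#endif /* not mbedtls */
#if defined(OPENSSL_VERSION_NUMBER)
#if (OPENSSL_VERSION_NUMBER < 0x0009080afL)
/*
 * later openssl defines this to negate the presence of tlsext... but it was
 * only introduced at 0.9.8j. Earlier versions don't know it exists so don't
 * define it... making it look like the feature exists...
 */
#define OPENSSL_NO_TLSEXT
#endif
#endif
#endif /* not ESP32 */
#endif /* not USE_WOLFSSL */

#endif /* LWS_WITH_TLS */

/*
 * Result of lws_tls_use_any_upgrade_check_extant(): whether a TLS asset of
 * the given name was found (YES), not found (NO), or an alternative was
 * found instead (ALTERNATIVE).  Defined outside LWS_WITH_TLS so non-TLS
 * builds can still name the type.  The exact meaning of ALTERNATIVE is
 * fixed by the implementation in the backend .c, not here.
 */
enum lws_tls_extant {
	LWS_TLS_EXTANT_NO,
	LWS_TLS_EXTANT_YES,
	LWS_TLS_EXTANT_ALTERNATIVE
};


#if defined(LWS_WITH_TLS)

/*
 * Budgeting of simultaneous TLS connections against the context.  Every
 * successful lws_tls_restrict_borrow() is expected to be paired with a
 * lws_tls_restrict_return().  The no-TLS stubs at the bottom of this header
 * make borrow expand to 0, so 0 appears to be the "granted" return value;
 * confirm the nonzero (refused) convention against the implementation.
 */
int
lws_tls_restrict_borrow(struct lws_context *context);

void
lws_tls_restrict_return(struct lws_context *context);

/*
 * lws-generic names for the backend objects.  Every backend reached above
 * exposes these via an OpenSSL-style api (native, wolfSSL compat, or the
 * mbedTLS wrappers), which is what lets the backend-neutral code compile.
 */
typedef SSL lws_tls_conn;
typedef SSL_CTX lws_tls_ctx;
typedef BIO lws_tls_bio;
typedef X509 lws_tls_x509;

#if defined(LWS_WITH_NETWORK)
#include "private-network.h"
#endif

/* one-time init / teardown of the selected TLS library for the context */
LWS_EXTERN int
lws_context_init_ssl_library(const struct lws_context_creation_info *info);
LWS_EXTERN void
lws_context_deinit_ssl_library(struct lws_context *context);

/*
 * True when vhost vh is non-NULL and has TLS enabled.  The argument is
 * evaluated twice, so pass a plain lvalue, not an expression with side
 * effects.  Both uses are parenthesized so a compound argument such as
 * `a ? b : c` binds as intended.
 */
#define LWS_SSL_ENABLED(vh) ((vh) && (vh)->tls.use_ssl)

/* per-backend operation tables; which one is live depends on the build */
extern const struct lws_tls_ops tls_ops_openssl, tls_ops_mbedtls;

/* maps a backend curve id to its JWA name */
struct lws_ec_valid_curves {
	int id;
	const char *jwa_name; /* list terminates with NULL jwa_name */
};

/* forward declarations, placed before the first prototype that uses them so
 * the struct tags get file scope rather than prototype scope */
struct lws_gencrypto_keyelem;
struct lws_ec_curves;

LWS_EXTERN enum lws_tls_extant
lws_tls_use_any_upgrade_check_extant(const char *name);

/*
 * ex_data slot index used to attach lws-private state to the backend SSL
 * object (presumably so lws state can be recovered inside backend callbacks;
 * see the backend .c that allocates it).
 */
LWS_EXTERN int openssl_websocket_private_data_index;


/* log the backend's pending error description and clear its error state */
LWS_EXTERN void
lws_tls_err_describe_clear(void);

/*
 * Extract the information selected by `type` from x509 into buf, a union of
 * up to len bytes.  Returns nonzero on failure (convention inferred from the
 * other int-returning helpers here; confirm against the implementation).
 */
LWS_EXTERN int
lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
			  union lws_tls_cert_info_results *buf, size_t len);

/* walk the context's vhost certificates checking their validity periods */
LWS_EXTERN int
lws_tls_check_all_cert_lifetimes(struct lws_context *context);

/*
 * Convert PEM to DER: input comes either from `filename` or from the
 * in-memory inbuf / inlen pair.  The DER result is allocated into *buf with
 * its length in *amount; the "alloc" in the name indicates the caller owns
 * and must free *buf - confirm the free function against the implementation.
 */
LWS_EXTERN int
lws_tls_alloc_pem_to_der_file(struct lws_context *context, const char *filename,
			      const char *inbuf, lws_filepos_t inlen,
			      uint8_t **buf, lws_filepos_t *amount);

/* render the backend error for (status, ret) into buf of len bytes */
LWS_EXTERN char *
lws_ssl_get_error_string(int status, int ret, char *buf, size_t len);

/* bit count -> byte count for key / hash sizes (rounding policy lives in the
 * implementation) */
int
lws_gencrypto_bits_to_bytes(int bits);

/* release the storage held by m key elements starting at el */
void
lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m);

/* genec */

/* table of curves lws can use, looked up by name via lws_genec_curve() */
LWS_EXTERN const struct lws_ec_curves lws_ec_curves[4];
const struct lws_ec_curves *
lws_genec_curve(const struct lws_ec_curves *table, const char *name);
LWS_VISIBLE void
lws_genec_destroy_elements(struct lws_gencrypto_keyelem *el);

/* RNG callback with the mbedtls f_rng signature: fills buf with len bytes */
int
lws_gencrypto_mbedtls_rngf(void *context, unsigned char *buf, size_t len);

/*
 * Check that the curve identified by TLS id `id` is permitted by the
 * `allowed` list for the given jwk; rejecting curves outside the allowed set
 * is what keeps a peer-supplied key from selecting a weaker curve.
 */
int
lws_genec_confirm_curve_allowed_by_tls_id(const char *allowed, int id,
					  struct lws_jwk *jwk);


#else /* ! WITH_TLS */

/*
 * Without TLS there is no connection budget to honour: borrowing always
 * succeeds (0) and returning is a no-op that still forms a valid statement.
 */
#define lws_tls_restrict_borrow(xxx) (0)
#define lws_tls_restrict_return(xxx) ((void)0)

#endif
#endif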