35 #include "private-lib-tls-openssl.h"
71 xs = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(wsi->tls.ssl));
114 wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED) { in OpenSSL_client_verify_callback()
121 wsi->tls.use_ssl & LCCSCF_ALLOW_INSECURE) { in OpenSSL_client_verify_callback()
127 wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED) { in OpenSSL_client_verify_callback()
160 wsi->tls.kid_chain.count != in OpenSSL_client_verify_callback()
161 LWS_ARRAY_SIZE(wsi->tls.kid_chain.akid); n++) { in OpenSSL_client_verify_callback()
168 &wsi->tls.kid_chain.skid[ in OpenSSL_client_verify_callback()
169 wsi->tls.kid_chain.count]); in OpenSSL_client_verify_callback()
175 &wsi->tls.kid_chain.akid[ in OpenSSL_client_verify_callback()
176 wsi->tls.kid_chain.count]); in OpenSSL_client_verify_callback()
178 wsi->tls.kid_chain.count++; in OpenSSL_client_verify_callback()
184 lws_tls_jit_trust_sort_kids(wsi, &wsi->tls.kid_chain); in OpenSSL_client_verify_callback()
204 lws_strncpy(wsi->tls.err_helper, msg, in OpenSSL_client_verify_callback()
205 sizeof(wsi->tls.err_helper)); in OpenSSL_client_verify_callback()
215 "tls=\"%s\"", msg); in OpenSSL_client_verify_callback()
240 const char *alpn_comma = wsi->a.context->tls.alpn_default; in lws_ssl_client_bio_create()
275 wsi->tls.ssl = SSL_new(wsi->a.vhost->tls.ssl_client_ctx); in lws_ssl_client_bio_create()
276 if (!wsi->tls.ssl) { in lws_ssl_client_bio_create()
295 if (wsi->a.vhost->tls.ssl_info_event_mask) in lws_ssl_client_bio_create()
296 SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback); in lws_ssl_client_bio_create()
300 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) { in lws_ssl_client_bio_create()
303 X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl); in lws_ssl_client_bio_create()
316 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) { in lws_ssl_client_bio_create()
317 lwsl_err("%s: your tls lib is too old to have " in lws_ssl_client_bio_create()
318 "X509_VERIFY_PARAM_set1_host, failing all client tls\n", in lws_ssl_client_bio_create()
327 SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER, in lws_ssl_client_bio_create()
333 SSL_set_mode(wsi->tls.ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); in lws_ssl_client_bio_create()
342 CyaSSL_UseSNI(wsi->tls.ssl, CYASSL_SNI_HOST_NAME, hostname, in lws_ssl_client_bio_create()
347 wolfSSL_UseSNI(wsi->tls.ssl, WOLFSSL_SNI_HOST_NAME, hostname, in lws_ssl_client_bio_create()
353 SSL_set_tlsext_host_name(wsi->tls.ssl, hostname); in lws_ssl_client_bio_create()
366 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED) in lws_ssl_client_bio_create()
367 CyaSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL); in lws_ssl_client_bio_create()
369 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED) in lws_ssl_client_bio_create()
370 wolfSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL); in lws_ssl_client_bio_create()
374 wsi->tls.client_bio = BIO_new_socket((int)(lws_intptr_t)wsi->desc.sockfd, in lws_ssl_client_bio_create()
376 SSL_set_bio(wsi->tls.ssl, wsi->tls.client_bio, wsi->tls.client_bio); in lws_ssl_client_bio_create()
380 CyaSSL_set_using_nonblock(wsi->tls.ssl, 1); in lws_ssl_client_bio_create()
382 wolfSSL_set_using_nonblock(wsi->tls.ssl, 1); in lws_ssl_client_bio_create()
385 BIO_set_nbio(wsi->tls.client_bio, 1); /* nonblocking */ in lws_ssl_client_bio_create()
390 if (wsi->a.vhost->tls.alpn) in lws_ssl_client_bio_create()
391 alpn_comma = wsi->a.vhost->tls.alpn; in lws_ssl_client_bio_create()
405 SSL_set_alpn_protos(wsi->tls.ssl, openssl_alpn, (unsigned int)n); in lws_ssl_client_bio_create()
408 SSL_set_ex_data(wsi->tls.ssl, openssl_websocket_private_data_index, in lws_ssl_client_bio_create()
432 if (SSL_use_certificate_ASN1(wsi->tls.ssl, in lws_ssl_client_bio_create()
461 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, wsi->tls.ssl, in lws_ssl_client_bio_create()
473 SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, wsi->tls.ssl, in lws_ssl_client_bio_create()
489 if (SSL_check_private_key(wsi->tls.ssl) != 1) { in lws_ssl_client_bio_create()
523 wsi->tls.err_helper[0] = '\0'; in lws_tls_client_connect()
524 n = SSL_connect(wsi->tls.ssl); in lws_tls_client_connect()
542 n = lws_snprintf(errbuf, elen, "tls: %s", wsi->tls.err_helper); in lws_tls_client_connect()
543 if (!wsi->tls.err_helper[0]) in lws_tls_client_connect()
549 if (SSL_session_reused(wsi->tls.ssl)) { in lws_tls_client_connect()
551 sess = SSL_get_session(wsi->tls.ssl); in lws_tls_client_connect()
562 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) in lws_tls_client_connect()
565 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) in lws_tls_client_connect()
571 SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len); in lws_tls_client_connect()
582 &wsi->tls.sul_cb_synth, in lws_tls_client_connect()
612 n = SSL_get_verify_result(wsi->tls.ssl); in lws_tls_client_confirm_peer_cert()
619 type = "tls=hostname"; in lws_tls_client_confirm_peer_cert()
626 type = "tls=invalidca"; in lws_tls_client_confirm_peer_cert()
631 type = "tls=notyetvalid"; in lws_tls_client_confirm_peer_cert()
636 type = "tls=expired"; in lws_tls_client_confirm_peer_cert()
648 if (wsi->tls.use_ssl & avoid) { in lws_tls_client_confirm_peer_cert()
692 st = SSL_CTX_get_cert_store(vh->tls.ssl_client_ctx); in lws_tls_client_vhost_extra_cert_mem()
829 lws_dll2_get_head(&vh->context->tls.cc_owner)) {
837 vh->tls.ssl_client_ctx = tcr->ssl_client_ctx;
838 vh->tls.tcr = tcr;
852 vh->tls.ssl_client_ctx = SSL_CTX_new(method);
853 if (!vh->tls.ssl_client_ctx) {
873 SSL_CTX_free(vh->tls.ssl_client_ctx);
877 tcr->ssl_client_ctx = vh->tls.ssl_client_ctx;
880 tcr->index = vh->context->tls.count_client_contexts++;
881 lws_dll2_add_head(&tcr->cc_list, &vh->context->tls.cc_owner);
888 vh->tls.tcr = tcr;
897 SSL_CTX_set_options(vh->tls.ssl_client_ctx, SSL_OP_NO_COMPRESSION);
900 SSL_CTX_set_options(vh->tls.ssl_client_ctx,
903 SSL_CTX_set_mode(vh->tls.ssl_client_ctx,
908 SSL_CTX_set_options(vh->tls.ssl_client_ctx,
926 SSL_CTX_clear_options(vh->tls.ssl_client_ctx,
941 SSL_CTX_set_cipher_list(vh->tls.ssl_client_ctx, cipher_list);
945 SSL_CTX_set_ciphersuites(vh->tls.ssl_client_ctx,
952 SSL_CTX_set_default_verify_paths(vh->tls.ssl_client_ctx);
959 vh->tls.ssl_client_ctx, LWS_OPENSSL_CLIENT_CERTS))
962 vh->tls.ssl_client_ctx, NULL, LWS_OPENSSL_CLIENT_CERTS))
971 vh->tls.ssl_client_ctx, ca_filepath)) {
974 vh->tls.ssl_client_ctx, ca_filepath, NULL)) {
1017 SSL_CTX_set_cert_store(vh->tls.ssl_client_ctx,
1043 n = SSL_CTX_use_certificate_chain_file(vh->tls.ssl_client_ctx,
1064 n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
1085 lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, 1, info);
1087 if (SSL_CTX_use_PrivateKey_file(vh->tls.ssl_client_ctx,
1098 if (!SSL_CTX_check_private_key(vh->tls.ssl_client_ctx)) {
1115 n = SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, vh->tls.ssl_client_ctx, p,
1124 vh->tls.ssl_client_ctx, p,