
Lines Matching +full:no +full:- +full:tls

2  * libwebsockets - small server side websockets and web server implementation
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
25 #include "private-lib-core.h"
26 #include "private-lib-tls-openssl.h"
39 int np = -1; in lws_openssl_describe_cipher()
40 SSL *s = wsi->tls.ssl; in lws_openssl_describe_cipher()
55 if (!wsi->tls.ssl) in lws_ssl_get_error()
58 m = SSL_get_error(wsi->tls.ssl, n); in lws_ssl_get_error()
59 lwsl_debug("%s: %p %d -> %d (errno %d)\n", __func__, wsi->tls.ssl, n, m, LWS_ERRNO); in lws_ssl_get_error()
76 strncpy(buf, info->ssl_private_key_password, (unsigned int)size); in lws_context_init_ssl_pem_passwd_cb()
77 buf[size - 1] = '\0'; in lws_context_init_ssl_pem_passwd_cb()
90 const char *p = info->ssl_private_key_password; in lws_context_init_ssl_pem_passwd_client_cb()
92 if (info->client_ssl_private_key_password) in lws_context_init_ssl_pem_passwd_client_cb()
93 p = info->client_ssl_private_key_password; in lws_context_init_ssl_pem_passwd_client_cb()
96 buf[size - 1] = '\0'; in lws_context_init_ssl_pem_passwd_client_cb()
108 !info->ssl_private_key_password in lws_ssl_bind_passphrase()
114 !info->client_ssl_private_key_password in lws_ssl_bind_passphrase()
142 if (vhost->tls.user_supplied_ssl_ctx || !vhost->tls.ssl_client_ctx) in lws_ssl_destroy_client_ctx()
145 if (vhost->tls.tcr && --vhost->tls.tcr->refcount) in lws_ssl_destroy_client_ctx()
148 SSL_CTX_free(vhost->tls.ssl_client_ctx); in lws_ssl_destroy_client_ctx()
149 vhost->tls.ssl_client_ctx = NULL; in lws_ssl_destroy_client_ctx()
151 vhost->context->tls.count_client_contexts--; in lws_ssl_destroy_client_ctx()
153 if (vhost->tls.tcr) { in lws_ssl_destroy_client_ctx()
154 lws_dll2_remove(&vhost->tls.tcr->cc_list); in lws_ssl_destroy_client_ctx()
155 lws_free(vhost->tls.tcr); in lws_ssl_destroy_client_ctx()
156 vhost->tls.tcr = NULL; in lws_ssl_destroy_client_ctx()
163 if (!lws_check_opt(vhost->context->options, in lws_ssl_destroy()
167 if (vhost->tls.ssl_ctx) in lws_ssl_destroy()
168 SSL_CTX_free(vhost->tls.ssl_ctx); in lws_ssl_destroy()
173 // after 1.1.0 no need in lws_ssl_destroy()
201 struct lws_context *context = wsi->a.context; in lws_ssl_capable_read()
202 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; in lws_ssl_capable_read()
205 if (!wsi->tls.ssl) in lws_ssl_capable_read()
214 n = SSL_read(wsi->tls.ssl, buf, (int)(ssize_t)len); in lws_ssl_capable_read()
225 * 2018-09-10: https://github.com/openssl/openssl/issues/1903 in lws_ssl_capable_read()
227 * So, in summary, if you get a 0 or -1 return from SSL_read() / in lws_ssl_capable_read()
230 * - If you get back SSL_ERROR_ZERO_RETURN then you know the connection in lws_ssl_capable_read()
235 * - If you get back SSL_ERROR_SSL then some kind of internal or in lws_ssl_capable_read()
241 * SSL_ERROR_SSL is considered fatal - you should not call in lws_ssl_capable_read()
244 * - If you get back SSL_ERROR_SYSCALL then some kind of fatal (i.e. in lws_ssl_capable_read()
245 * non-retryable) error has occurred in a system call. in lws_ssl_capable_read()
260 wsi->socket_is_permanently_unusable = 1; in lws_ssl_capable_read()
263 if (wsi->a.vhost) in lws_ssl_capable_read()
264 lws_metric_event(wsi->a.vhost->mt_traffic_rx, in lws_ssl_capable_read()
272 if (SSL_want_read(wsi->tls.ssl)) { in lws_ssl_capable_read()
277 if (SSL_want_write(wsi->tls.ssl)) { in lws_ssl_capable_read()
280 wsi->tls_read_wanted_write = 1; in lws_ssl_capable_read()
290 * If using openssl type tls library, this is the earliest point for all in lws_ssl_capable_read()
291 * paths to dump what was received as decrypted data from the tls tunnel in lws_ssl_capable_read()
298 if (wsi->a.vhost) in lws_ssl_capable_read()
299 lws_metric_event(wsi->a.vhost->mt_traffic_rx, METRES_GO, (u_mt_t)n); in lws_ssl_capable_read()
311 if (!wsi->tls.ssl) in lws_ssl_capable_read()
314 if (SSL_pending(wsi->tls.ssl)) { in lws_ssl_capable_read()
315 if (lws_dll2_is_detached(&wsi->tls.dll_pending_tls)) in lws_ssl_capable_read()
316 lws_dll2_add_head(&wsi->tls.dll_pending_tls, in lws_ssl_capable_read()
317 &pt->tls.dll_pending_tls_owner); in lws_ssl_capable_read()
331 if (!wsi->tls.ssl) in lws_ssl_pending()
334 return SSL_pending(wsi->tls.ssl); in lws_ssl_pending()
345 * If using OpenSSL type tls library, this is the last point for all in lws_ssl_capable_write()
346 * paths before sending data into the tls tunnel, where you can dump it in lws_ssl_capable_write()
353 if (!wsi->tls.ssl) in lws_ssl_capable_write()
358 n = SSL_write(wsi->tls.ssl, buf, (int)(ssize_t)len); in lws_ssl_capable_write()
361 if (wsi->a.vhost) in lws_ssl_capable_write()
362 lws_metric_event(wsi->a.vhost->mt_traffic_tx, in lws_ssl_capable_write()
370 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) { in lws_ssl_capable_write()
376 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) { in lws_ssl_capable_write()
388 wsi->socket_is_permanently_unusable = 1; in lws_ssl_capable_write()
391 if (wsi->a.vhost) in lws_ssl_capable_write()
392 lws_metric_event(wsi->a.vhost->mt_traffic_tx, in lws_ssl_capable_write()
420 if (fd < 0 || (fd - lws_plat_socket_offset()) < 0) in lws_ssl_info_callback()
427 if (!(where & wsi->a.vhost->tls.ssl_info_event_mask)) in lws_ssl_info_callback()
433 if (user_callback_handle_rxflow(wsi->a.protocol->callback, in lws_ssl_info_callback()
435 wsi->user_space, &si, 0)) in lws_ssl_info_callback()
436 lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1); in lws_ssl_info_callback()
445 if (!wsi->tls.ssl) in lws_ssl_close()
452 if (wsi->a.vhost->tls.ssl_info_event_mask) in lws_ssl_close()
453 SSL_set_info_callback(wsi->tls.ssl, NULL); in lws_ssl_close()
457 lws_sul_cancel(&wsi->tls.sul_cb_synth); in lws_ssl_close()
462 lws_sess_cache_synth_cb(&wsi->tls.sul_cb_synth); in lws_ssl_close()
465 n = SSL_get_fd(wsi->tls.ssl); in lws_ssl_close()
466 if (!wsi->socket_is_permanently_unusable) in lws_ssl_close()
467 SSL_shutdown(wsi->tls.ssl); in lws_ssl_close()
469 SSL_free(wsi->tls.ssl); in lws_ssl_close()
470 wsi->tls.ssl = NULL; in lws_ssl_close()
475 // wsi->a.context->simultaneous_ssl_restriction, in lws_ssl_close()
476 // wsi->a.context->simultaneous_ssl); in lws_ssl_close()
484 if (vhost->tls.ssl_ctx) in lws_ssl_SSL_CTX_destroy()
485 SSL_CTX_free(vhost->tls.ssl_ctx); in lws_ssl_SSL_CTX_destroy()
499 // after 1.1.0 no need in lws_ssl_context_destroy()
513 // after 1.1.0 no need in lws_ssl_context_destroy()
526 if (!wsi->tls.ssl) in lws_tls_ctx_from_wsi()
529 return SSL_get_SSL_CTX(wsi->tls.ssl); in lws_tls_ctx_from_wsi()
543 n = SSL_shutdown(wsi->tls.ssl); in __lws_tls_shutdown()
544 lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd); in __lws_tls_shutdown()
547 n = shutdown(wsi->desc.sockfd, SHUT_WR); in __lws_tls_shutdown()
555 n = SSL_get_error(wsi->tls.ssl, n); in __lws_tls_shutdown()
557 if (SSL_want_read(wsi->tls.ssl)) { in __lws_tls_shutdown()
562 if (SSL_want_write(wsi->tls.ssl)) { in __lws_tls_shutdown()