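Lines Matching +full:no +full:- +full:tls
(Search-result excerpt: each line below starts with its line number in the source file and, where present, ends with "in name()" naming the enclosing function. Lines that did not match are omitted, so adjacent entries are not necessarily consecutive statements.)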
2 * libwebsockets - small server side websockets and web server implementation
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
25 #include "private-lib-core.h"
35 lws_tls_check_all_cert_lifetimes(pt->context); in lws_sul_tls_cb()
37 __lws_sul_insert_us(&pt->pt_sul_owner[LWSSULLI_MISS_IF_SUSPENDED], in lws_sul_tls_cb()
38 &pt->sul_tls, in lws_sul_tls_cb()
46 struct lws_context *context = vhost->context; in lws_context_init_server_ssl()
47 lws_fakewsi_def_plwsa(&vhost->context->pt[0]); in lws_context_init_server_ssl()
49 lws_fakewsi_prep_plwsa_ctx(vhost->context); in lws_context_init_server_ssl()
51 if (!lws_check_opt(info->options, in lws_context_init_server_ssl()
53 vhost->tls.use_ssl = 0; in lws_context_init_server_ssl()
66 if (info->ssl_cert_filepath || info->server_ssl_cert_mem) in lws_context_init_server_ssl()
67 vhost->options |= LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX; in lws_context_init_server_ssl()
69 if (info->port != CONTEXT_PORT_NO_LISTEN) { in lws_context_init_server_ssl()
71 vhost->tls.use_ssl = lws_check_opt(vhost->options, in lws_context_init_server_ssl()
74 if (vhost->tls.use_ssl && info->ssl_cipher_list) in lws_context_init_server_ssl()
76 info->ssl_cipher_list); in lws_context_init_server_ssl()
79 vhost->name, vhost->tls.use_ssl ? "" : "non-"); in lws_context_init_server_ssl()
86 plwsa->vhost = vhost; /* not a real bound wsi */ in lws_context_init_server_ssl()
92 if (lws_check_opt(info->options, in lws_context_init_server_ssl()
94 /* Normally SSL listener rejects non-ssl, optionally allow */ in lws_context_init_server_ssl()
95 vhost->tls.allow_non_ssl_on_ssl_port = 1; in lws_context_init_server_ssl()
101 if (vhost->tls.use_ssl) { in lws_context_init_server_ssl()
103 return -1; in lws_context_init_server_ssl()
107 if (vhost->protocols[0].callback((struct lws *)plwsa, in lws_context_init_server_ssl()
109 vhost->tls.ssl_ctx, vhost, 0)) in lws_context_init_server_ssl()
110 return -1; in lws_context_init_server_ssl()
113 if (vhost->tls.use_ssl) in lws_context_init_server_ssl()
118 context->pt[0].sul_tls.cb = lws_sul_tls_cb; in lws_context_init_server_ssl()
119 __lws_sul_insert_us(&context->pt[0].pt_sul_owner[LWSSULLI_MISS_IF_SUSPENDED], in lws_context_init_server_ssl()
120 &context->pt[0].sul_tls, in lws_context_init_server_ssl()
130 struct lws_context *context = wsi->a.context; in lws_server_socket_service_ssl()
131 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi]; in lws_server_socket_service_ssl()
136 if (!LWS_SSL_ENABLED(wsi->a.vhost)) in lws_server_socket_service_ssl()
142 if (wsi->tls.ssl) in lws_server_socket_service_ssl()
175 (int)context->timeout_secs); in lws_server_socket_service_ssl()
188 if (wsi->a.vhost->tls.allow_non_ssl_on_ssl_port && !wsi->skip_fallback) { in lws_server_socket_service_ssl()
194 s = recv(wsi->desc.sockfd, (char *)pt->serv_buf, in lws_server_socket_service_ssl()
195 context->pt_serv_buf_size, MSG_PEEK); in lws_server_socket_service_ssl()
198 * this just means don't hang up on him because of no in lws_server_socket_service_ssl()
199 * tls hello... what happens next is driven by in lws_server_socket_service_ssl()
205 * Destroy the TLS, issue a redirect using plaintext in lws_server_socket_service_ssl()
211 * Destroy the TLS, continue and serve normally in lws_server_socket_service_ssl()
215 * Destroy the TLS, apply whatever role and protocol in lws_server_socket_service_ssl()
221 if (s >= 1 && pt->serv_buf[0] >= ' ') { in lws_server_socket_service_ssl()
223 * TLS content-type for Handshake is 0x16, and in lws_server_socket_service_ssl()
226 * A non-ssl session will start with the HTTP in lws_server_socket_service_ssl()
232 wsi->tls.use_ssl = 0; in lws_server_socket_service_ssl()
236 * care... this creates wsi with no ssl when ssl in lws_server_socket_service_ssl()
239 wsi->tls.ssl = NULL; in lws_server_socket_service_ssl()
241 if (lws_check_opt(wsi->a.vhost->options, in lws_server_socket_service_ssl()
245 wsi->tls.redirect_to_https = 1; in lws_server_socket_service_ssl()
249 if (lws_check_opt(wsi->a.vhost->options, in lws_server_socket_service_ssl()
252 "http service on tls port\n", in lws_server_socket_service_ssl()
257 if (lws_check_opt(wsi->a.vhost->options, in lws_server_socket_service_ssl()
261 lwsl_info("%s: allowing non-tls " in lws_server_socket_service_ssl()
267 "tls hello (default vhost %s)\n", in lws_server_socket_service_ssl()
268 __func__, wsi->a.vhost->name); in lws_server_socket_service_ssl()
300 * well, we get no way to know ssl or not in lws_server_socket_service_ssl()
308 return -1; in lws_server_socket_service_ssl()
328 __func__, wsi->desc.sockfd, n); in lws_server_socket_service_ssl()
329 wsi->socket_is_permanently_unusable = 1; in lws_server_socket_service_ssl()
337 vh = context->vhost_list; in lws_server_socket_service_ssl()
339 if (!vh->being_destroyed && wsi->tls.ssl && in lws_server_socket_service_ssl()
340 vh->tls.ssl_ctx == lws_tls_ctx_from_wsi(wsi)) { in lws_server_socket_service_ssl()
341 lwsl_info("setting wsi to vh %s\n", vh->name); in lws_server_socket_service_ssl()
345 vh = vh->vhost_next; in lws_server_socket_service_ssl()
350 (int)context->timeout_secs); in lws_server_socket_service_ssl()