2 * libwebsockets - small server side websockets and web server implementation
4 * Copyright (C) 2010-2016 Andy Green <andy@warmcat.com>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation:
9 * version 2.1 of the License.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
22 #include "private-libwebsockets.h"
24 #if defined(LWS_USE_POLARSSL)
25 static const int ciphers[] =
27 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
28 TLS_RSA_WITH_AES_256_CBC_SHA,
29 TLS_RSA_WITH_AES_128_CBC_SHA,
33 static int urandom_bytes(void *ctx, unsigned char *dest, size_t len)
36 int fd = open("/dev/urandom", O_RDONLY);
39 cur = read(fd, dest, len);
49 static void pssl_debug(void *ctx, int level, const char *str)
51 lwsl_err("PolarSSL [level %d]: %s", level, str);
56 int openssl_websocket_private_data_index,
57 openssl_SSL_CTX_private_data_index;
59 int lws_ssl_get_error(struct lws *wsi, int n)
61 #if defined(LWS_USE_POLARSSL)
62 #define ERR_error_string(a, b) ""
65 #if defined(LWS_USE_MBEDTLS)
68 return SSL_get_error(wsi->ssl, n);
74 lws_ssl_elaborate_error(void)
76 #if defined(LWS_USE_POLARSSL)
78 #if defined(LWS_USE_MBEDTLS)
84 while ((err = ERR_get_error()) != 0) {
85 ERR_error_string_n(err, buf, sizeof(buf));
86 lwsl_err("*** %s\n", buf);
93 #if defined(LWS_USE_POLARSSL)
95 #if defined(LWS_USE_MBEDTLS)
98 lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata)
100 struct lws_context_creation_info * info =
101 (struct lws_context_creation_info *)userdata;
103 strncpy(buf, info->ssl_private_key_password, size);
104 buf[size - 1] = '\0';
112 lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info)
114 if (!info->ssl_private_key_password)
116 #if defined(LWS_USE_POLARSSL)
118 #if defined(LWS_USE_MBEDTLS)
121 * password provided, set ssl callback and user data
122 * for checking password which will be trigered during
123 * SSL_CTX_use_PrivateKey_file function
125 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info);
126 SSL_CTX_set_default_passwd_cb(ssl_ctx, lws_context_init_ssl_pem_passwd_cb);
132 lws_context_init_ssl_library(struct lws_context_creation_info *info)
135 #ifdef USE_OLD_CYASSL
136 lwsl_notice(" Compiled with CyaSSL support\n");
138 lwsl_notice(" Compiled with wolfSSL support\n");
141 #if defined(LWS_USE_POLARSSL)
142 lwsl_notice(" Compiled with PolarSSL support\n");
144 #if defined(LWS_USE_MBEDTLS)
145 lwsl_notice(" Compiled with mbedTLS support\n");
147 lwsl_notice(" Compiled with OpenSSL support\n");
152 if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
153 lwsl_notice(" SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
157 /* basic openssl init */
159 #if defined(LWS_USE_POLARSSL)
161 #if defined(LWS_USE_MBEDTLS)
165 OpenSSL_add_all_algorithms();
166 SSL_load_error_strings();
168 openssl_websocket_private_data_index =
169 SSL_get_ex_new_index(0, "lws", NULL, NULL, NULL);
171 openssl_SSL_CTX_private_data_index = SSL_CTX_get_ex_new_index(0,
172 NULL, NULL, NULL, NULL);
181 lws_ssl_destroy(struct lws_vhost *vhost)
183 if (!lws_check_opt(vhost->context->options,
184 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
187 #if defined(LWS_USE_POLARSSL)
189 #if defined(LWS_USE_MBEDTLS)
193 SSL_CTX_free(vhost->ssl_ctx);
194 if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
195 SSL_CTX_free(vhost->ssl_client_ctx);
197 #if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL)
200 #if (OPENSSL_VERSION_NUMBER >= 0x10100005L) && \
201 !defined(LIBRESSL_VERSION_NUMBER) && \
202 !defined(OPENSSL_IS_BORINGSSL)
203 ERR_remove_thread_state();
205 ERR_remove_thread_state(NULL);
210 CRYPTO_cleanup_all_ex_data();
216 lws_decode_ssl_error(void)
218 #if defined(LWS_USE_POLARSSL)
220 #if defined(LWS_USE_MBEDTLS)
224 while ((err = ERR_get_error()) != 0) {
225 ERR_error_string_n(err, buf, sizeof(buf));
226 lwsl_err("*** %lu %s\n", err, buf);
233 lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi)
235 struct lws_context *context = wsi->context;
236 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
238 if (!wsi->pending_read_list_prev &&
239 !wsi->pending_read_list_next &&
240 pt->pending_read_list != wsi)
241 /* we are not on the list */
244 /* point previous guy's next to our next */
245 if (!wsi->pending_read_list_prev)
246 pt->pending_read_list = wsi->pending_read_list_next;
248 wsi->pending_read_list_prev->pending_read_list_next =
249 wsi->pending_read_list_next;
251 /* point next guy's previous to our previous */
252 if (wsi->pending_read_list_next)
253 wsi->pending_read_list_next->pending_read_list_prev =
254 wsi->pending_read_list_prev;
256 wsi->pending_read_list_prev = NULL;
257 wsi->pending_read_list_next = NULL;
261 lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
263 struct lws_context *context = wsi->context;
264 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
268 return lws_ssl_capable_read_no_ssl(wsi, buf, len);
270 #if defined(LWS_USE_POLARSSL)
272 #if defined(LWS_USE_MBEDTLS)
274 n = SSL_read(wsi->ssl, buf, len);
278 /* manpage: returning 0 means connection shut down */
280 return LWS_SSL_CAPABLE_ERROR;
283 n = lws_ssl_get_error(wsi, n);
284 if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE)
285 return LWS_SSL_CAPABLE_MORE_SERVICE;
287 return LWS_SSL_CAPABLE_ERROR;
294 * if it was our buffer that limited what we read,
295 * check if SSL has additional data pending inside SSL buffers.
297 * Because these won't signal at the network layer with POLLIN
298 * and if we don't realize, this data will sit there forever
304 #if defined(LWS_USE_POLARSSL)
305 if (ssl_get_bytes_avail(wsi->ssl) <= 0)
308 #if defined(LWS_USE_MBEDTLS)
310 if (!SSL_pending(wsi->ssl))
314 if (wsi->pending_read_list_next)
316 if (wsi->pending_read_list_prev)
318 if (pt->pending_read_list == wsi)
321 /* add us to the linked list of guys with pending ssl */
322 if (pt->pending_read_list)
323 pt->pending_read_list->pending_read_list_prev = wsi;
325 wsi->pending_read_list_next = pt->pending_read_list;
326 wsi->pending_read_list_prev = NULL;
327 pt->pending_read_list = wsi;
331 lws_ssl_remove_wsi_from_buffered_list(wsi);
337 lws_ssl_pending(struct lws *wsi)
341 #if defined(LWS_USE_POLARSSL)
342 return ssl_get_bytes_avail(wsi->ssl) > 0;
344 #if defined(LWS_USE_MBEDTLS)
345 return ssl_get_bytes_avail(wsi->ssl) > 0;;
347 return SSL_pending(wsi->ssl);
353 lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
358 return lws_ssl_capable_write_no_ssl(wsi, buf, len);
360 #if defined(LWS_USE_POLARSSL)
361 n = ssl_write(wsi->ssl, buf, len);
363 #if defined(LWS_USE_MBEDTLS)
365 n = SSL_write(wsi->ssl, buf, len);
371 n = lws_ssl_get_error(wsi, n);
372 if (n == SSL_ERROR_WANT_READ || n == SSL_ERROR_WANT_WRITE) {
373 if (n == SSL_ERROR_WANT_WRITE)
374 lws_set_blocking_send(wsi);
375 return LWS_SSL_CAPABLE_MORE_SERVICE;
378 return LWS_SSL_CAPABLE_ERROR;
382 lws_ssl_close(struct lws *wsi)
387 return 0; /* not handled */
389 #if defined(LWS_USE_POLARSSL)
390 ssl_close_notify(wsi->ssl);
391 (void)n; /* we need to close the fd? */
394 #if defined(LWS_USE_MBEDTLS)
396 n = SSL_get_fd(wsi->ssl);
397 SSL_shutdown(wsi->ssl);
404 return 1; /* handled */
407 /* leave all wsi close processing to the caller */
410 lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
412 struct lws_context *context = wsi->context;
413 struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
415 #if !defined(USE_WOLFSSL) && !defined(LWS_USE_POLARSSL) && !defined(LWS_USE_MBEDTLS)
419 if (!LWS_SSL_ENABLED(wsi->vhost))
426 lwsl_err("%s: leaking ssl\n", __func__);
427 if (accept_fd == LWS_SOCK_INVALID)
430 #if defined(LWS_USE_POLARSSL)
435 wsi->ssl = lws_zalloc(sizeof(ssl_context));
436 ssn = lws_zalloc(sizeof(ssl_session));
438 rc = ssl_init(wsi->ssl);
440 lwsl_err("ssl_init failed\n");
444 ssl_set_endpoint(wsi->ssl, SSL_IS_SERVER);
445 ssl_set_authmode(wsi->ssl, SSL_VERIFY_OPTIONAL);
446 ssl_set_rng(wsi->ssl, urandom_bytes, NULL);
447 ssl_set_dbg(wsi->ssl, pssl_debug, NULL);
448 ssl_set_bio(wsi->ssl, net_recv, &wsi->sock, net_send, &wsi->sock);
450 ssl_set_ciphersuites(wsi->ssl, ciphers);
452 ssl_set_session(wsi->ssl, ssn);
454 ssl_set_ca_chain(wsi->ssl, &wsi->vhost->ssl_ctx->ca,
457 ssl_set_own_cert_rsa(wsi->ssl,
458 &wsi->vhost->ssl_ctx->certificate,
459 &wsi->vhost->ssl_ctx->key);
461 // ssl_set_dh_param(wsi->ssl, my_dhm_P, my_dhm_G);
463 lwsl_err("%s: polarssl init done\n", __func__);
466 #if defined(LWS_USE_MBEDTLS)
468 wsi->ssl = SSL_new(wsi->vhost->ssl_ctx);
469 if (wsi->ssl == NULL) {
470 lwsl_err("SSL_new failed: %s\n",
471 ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
472 lws_decode_ssl_error();
473 if (accept_fd != LWS_SOCK_INVALID)
474 compatible_close(accept_fd);
478 SSL_set_ex_data(wsi->ssl,
479 openssl_websocket_private_data_index, wsi->vhost);
481 SSL_set_fd(wsi->ssl, accept_fd);
486 #ifdef USE_OLD_CYASSL
487 CyaSSL_set_using_nonblock(wsi->ssl, 1);
489 wolfSSL_set_using_nonblock(wsi->ssl, 1);
492 #if defined(LWS_USE_POLARSSL)
495 #if defined(LWS_USE_MBEDTLS)
497 SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
498 bio = SSL_get_rbio(wsi->ssl);
500 BIO_set_nbio(bio, 1); /* nonblocking */
502 lwsl_notice("NULL rbio\n");
503 bio = SSL_get_wbio(wsi->ssl);
505 BIO_set_nbio(bio, 1); /* nonblocking */
507 lwsl_notice("NULL rbio\n");
513 * we are not accepted yet, but we need to enter ourselves
514 * as a live connection. That way we can retry when more
515 * pieces come if we're not sorted yet
518 wsi->mode = LWSCM_SSL_ACK_PENDING;
519 if (insert_wsi_socket_into_fds(context, wsi)) {
520 lwsl_err("%s: failed to insert into fds\n", __func__);
524 lws_set_timeout(wsi, PENDING_TIMEOUT_SSL_ACCEPT,
525 context->timeout_secs);
527 lwsl_info("inserted SSL accept into fds, trying SSL_accept\n");
531 case LWSCM_SSL_ACK_PENDING:
533 if (lws_change_pollfd(wsi, LWS_POLLOUT, 0)) {
534 lwsl_err("%s: lws_change_pollfd failed\n", __func__);
538 lws_latency_pre(context, wsi);
540 n = recv(wsi->sock, (char *)pt->serv_buf, LWS_MAX_SOCKET_IO_BUF,
544 * optionally allow non-SSL connect on SSL listening socket
545 * This is disabled by default, if enabled it goes around any
546 * SSL-level access control (eg, client-side certs) so leave
547 * it disabled unless you know it's not a problem for you
550 if (wsi->vhost->allow_non_ssl_on_ssl_port) {
551 if (n >= 1 && pt->serv_buf[0] >= ' ') {
553 * TLS content-type for Handshake is 0x16, and
554 * for ChangeCipherSpec Record, it's 0x14
556 * A non-ssl session will start with the HTTP
557 * method in ASCII. If we see it's not a legit
558 * SSL handshake kill the SSL for this
559 * connection and try to handle as a HTTP
560 * connection upgrade directly.
563 #if defined(LWS_USE_POLARSSL)
564 ssl_close_notify(wsi->ssl);
567 #if defined(LWS_USE_MBEDTLS)
569 SSL_shutdown(wsi->ssl);
574 if (lws_check_opt(context->options,
575 LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS))
576 wsi->redirect_to_https = 1;
580 * connection is gone, or nothing to read
581 * if it's gone, we will timeout on
582 * PENDING_TIMEOUT_SSL_ACCEPT
585 if (n < 0 && (LWS_ERRNO == LWS_EAGAIN ||
586 LWS_ERRNO == LWS_EWOULDBLOCK)) {
588 * well, we get no way to know ssl or not
589 * so go around again waiting for something
590 * to come and give us a hint, or timeout the
593 m = SSL_ERROR_WANT_READ;
598 /* normal SSL connection processing path */
599 #if defined(LWS_USE_POLARSSL)
600 n = ssl_handshake(wsi->ssl);
602 #if defined(LWS_USE_MBEDTLS)
604 n = SSL_accept(wsi->ssl);
607 lws_latency(context, wsi,
608 "SSL_accept LWSCM_SSL_ACK_PENDING\n", n, n == 1);
613 m = lws_ssl_get_error(wsi, n);
614 lwsl_debug("SSL_accept failed %d / %s\n",
615 m, ERR_error_string(m, NULL));
617 if (m == SSL_ERROR_WANT_READ) {
618 if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
619 lwsl_err("%s: WANT_READ change_pollfd failed\n", __func__);
623 lwsl_info("SSL_ERROR_WANT_READ\n");
626 if (m == SSL_ERROR_WANT_WRITE) {
627 if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) {
628 lwsl_err("%s: WANT_WRITE change_pollfd failed\n", __func__);
634 lwsl_err("SSL_accept failed skt %u: %s\n",
635 wsi->sock, ERR_error_string(m, NULL));
637 lws_ssl_elaborate_error();
641 /* OK, we are accepted... give him some time to negotiate */
642 lws_set_timeout(wsi, PENDING_TIMEOUT_ESTABLISH_WITH_SERVER,
643 context->timeout_secs);
645 wsi->mode = LWSCM_HTTP_SERVING;
647 lws_http2_configure_if_upgraded(wsi);
649 lwsl_debug("accepted new SSL conn\n");
660 lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
662 if (vhost->ssl_ctx) {
663 #if defined(LWS_USE_POLARSSL)
664 lws_free(vhost->ssl_ctx);
666 #if defined(LWS_USE_MBEDTLS)
668 SSL_CTX_free(vhost->ssl_ctx);
672 if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx) {
673 #if defined(LWS_USE_POLARSSL)
674 lws_free(vhost->ssl_client_ctx);
676 #if defined(LWS_USE_MBEDTLS)
678 SSL_CTX_free(vhost->ssl_client_ctx);
685 lws_ssl_context_destroy(struct lws_context *context)
687 #if defined(LWS_USE_POLARSSL)
689 #if defined(LWS_USE_MBEDTLS)
691 #if (OPENSSL_VERSION_NUMBER < 0x01000000) || defined(USE_WOLFSSL)
694 #if (OPENSSL_VERSION_NUMBER >= 0x10100005L) && \
695 !defined(LIBRESSL_VERSION_NUMBER) && \
696 !defined(OPENSSL_IS_BORINGSSL)
697 ERR_remove_thread_state();
699 ERR_remove_thread_state(NULL);
704 CRYPTO_cleanup_all_ex_data();
projects / platform / upstream / libwebsockets.git / blob