lib/tls/mbedtls/ssl.c

   1 /*
   2  * libwebsockets - mbedTLS-specific lws apis
   3  *
   4  * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
   5  *
   6  *  This library is free software; you can redistribute it and/or
   7  *  modify it under the terms of the GNU Lesser General Public
   8  *  License as published by the Free Software Foundation:
   9  *  version 2.1 of the License.
  10  *
  11  *  This library is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  *  Lesser General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU Lesser General Public
  17  *  License along with this library; if not, write to the Free Software
  18  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  19  *  MA  02110-1301  USA
  20  */
  21
  22 #include "core/private.h"
  23 #include "tls/mbedtls/private.h"
  24
  25
  26 LWS_VISIBLE void
  27 lws_ssl_destroy(struct lws_vhost *vhost)
  28 {
  29         if (!lws_check_opt(vhost->context->options,
  30                            LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
  31                 return;
  32
  33         if (vhost->tls.ssl_ctx)
  34                 SSL_CTX_free(vhost->tls.ssl_ctx);
  35         if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
  36                 SSL_CTX_free(vhost->tls.ssl_client_ctx);
  37
  38         if (vhost->tls.x509_client_CA)
  39                 X509_free(vhost->tls.x509_client_CA);
  40 }
  41
  42 LWS_VISIBLE int
  43 lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
  44 {
  45         struct lws_context *context = wsi->context;
  46         struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
  47         int n = 0, m;
  48
  49         if (!wsi->tls.ssl)
  50                 return lws_ssl_capable_read_no_ssl(wsi, buf, len);
  51
  52         lws_stats_bump(pt, LWSSTATS_C_API_READ, 1);
  53
  54         errno = 0;
  55         n = SSL_read(wsi->tls.ssl, buf, len);
  56 #if defined(LWS_WITH_ESP32)
  57         if (!n && errno == LWS_ENOTCONN) {
  58                 lwsl_debug("%p: SSL_read ENOTCONN\n", wsi);
  59                 return LWS_SSL_CAPABLE_ERROR;
  60         }
  61 #endif
  62 #if defined(LWS_WITH_STATS)
  63         if (!wsi->seen_rx && wsi->accept_start_us) {
  64                 lws_stats_bump(pt, LWSSTATS_US_SSL_RX_DELAY_AVG,
  65                         lws_now_usecs() - wsi->accept_start_us);
  66                 lws_stats_bump(pt, LWSSTATS_C_SSL_CONNS_HAD_RX, 1);
  67                 wsi->seen_rx = 1;
  68         }
  69 #endif
  70
  71
  72         lwsl_debug("%p: SSL_read says %d\n", wsi, n);
  73         /* manpage: returning 0 means connection shut down */
  74         if (!n) {
  75                 wsi->socket_is_permanently_unusable = 1;
  76
  77                 return LWS_SSL_CAPABLE_ERROR;
  78         }
  79
  80         if (n < 0) {
  81                 m = SSL_get_error(wsi->tls.ssl, n);
  82                 lwsl_debug("%p: ssl err %d errno %d\n", wsi, m, errno);
  83                 if (errno == LWS_ENOTCONN) {
  84                         /* If the socket isn't connected anymore, bail out. */
  85                         wsi->socket_is_permanently_unusable = 1;
  86                         return LWS_SSL_CAPABLE_ERROR;
  87                 }
  88                 if (m == SSL_ERROR_ZERO_RETURN ||
  89                     m == SSL_ERROR_SYSCALL)
  90                         return LWS_SSL_CAPABLE_ERROR;
  91
  92                 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
  93                         lwsl_debug("%s: WANT_READ\n", __func__);
  94                         lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
  95                         return LWS_SSL_CAPABLE_MORE_SERVICE;
  96                 }
  97                 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
  98                         lwsl_debug("%s: WANT_WRITE\n", __func__);
  99                         lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
 100                         return LWS_SSL_CAPABLE_MORE_SERVICE;
 101                 }
 102                 wsi->socket_is_permanently_unusable = 1;
 103
 104                 return LWS_SSL_CAPABLE_ERROR;
 105         }
 106
 107         lws_stats_bump(pt, LWSSTATS_B_READ, n);
 108
 109         if (wsi->vhost)
 110                 wsi->vhost->conn_stats.rx += n;
 111
 112         /*
 113          * if it was our buffer that limited what we read,
 114          * check if SSL has additional data pending inside SSL buffers.
 115          *
 116          * Because these won't signal at the network layer with POLLIN
 117          * and if we don't realize, this data will sit there forever
 118          */
 119         if (n != len)
 120                 goto bail;
 121         if (!wsi->tls.ssl)
 122                 goto bail;
 123
 124         if (SSL_pending(wsi->tls.ssl) &&
 125             lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
 126                 lws_dll2_add_head(&wsi->tls.dll_pending_tls,
 127                                  &pt->tls.dll_pending_tls_owner);
 128
 129         return n;
 130 bail:
 131         lws_ssl_remove_wsi_from_buffered_list(wsi);
 132
 133         return n;
 134 }
 135
 136 LWS_VISIBLE int
 137 lws_ssl_pending(struct lws *wsi)
 138 {
 139         if (!wsi->tls.ssl)
 140                 return 0;
 141
 142         return SSL_pending(wsi->tls.ssl);
 143 }
 144
 145 LWS_VISIBLE int
 146 lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
 147 {
 148         int n, m;
 149
 150         if (!wsi->tls.ssl)
 151                 return lws_ssl_capable_write_no_ssl(wsi, buf, len);
 152
 153         n = SSL_write(wsi->tls.ssl, buf, len);
 154         if (n > 0)
 155                 return n;
 156
 157         m = SSL_get_error(wsi->tls.ssl, n);
 158         if (m != SSL_ERROR_SYSCALL) {
 159                 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
 160                         lwsl_notice("%s: want read\n", __func__);
 161
 162                         return LWS_SSL_CAPABLE_MORE_SERVICE;
 163                 }
 164
 165                 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
 166                         lws_set_blocking_send(wsi);
 167                         lwsl_debug("%s: want write\n", __func__);
 168
 169                         return LWS_SSL_CAPABLE_MORE_SERVICE;
 170                 }
 171         }
 172
 173         lwsl_debug("%s failed: %d\n",__func__, m);
 174         wsi->socket_is_permanently_unusable = 1;
 175
 176         return LWS_SSL_CAPABLE_ERROR;
 177 }
 178
 179 int openssl_SSL_CTX_private_data_index;
 180
 181 void
 182 lws_ssl_info_callback(const SSL *ssl, int where, int ret)
 183 {
 184         struct lws *wsi;
 185         struct lws_context *context;
 186         struct lws_ssl_info si;
 187
 188         context = (struct lws_context *)SSL_CTX_get_ex_data(
 189                                         SSL_get_SSL_CTX(ssl),
 190                                         openssl_SSL_CTX_private_data_index);
 191         if (!context)
 192                 return;
 193         wsi = wsi_from_fd(context, SSL_get_fd(ssl));
 194         if (!wsi)
 195                 return;
 196
 197         if (!(where & wsi->vhost->tls.ssl_info_event_mask))
 198                 return;
 199
 200         si.where = where;
 201         si.ret = ret;
 202
 203         if (user_callback_handle_rxflow(wsi->protocol->callback,
 204                                         wsi, LWS_CALLBACK_SSL_INFO,
 205                                         wsi->user_space, &si, 0))
 206                 lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
 207 }
 208
 209
 210 LWS_VISIBLE int
 211 lws_ssl_close(struct lws *wsi)
 212 {
 213         lws_sockfd_type n;
 214
 215         if (!wsi->tls.ssl)
 216                 return 0; /* not handled */
 217
 218 #if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
 219         /* kill ssl callbacks, becausse we will remove the fd from the
 220          * table linking it to the wsi
 221          */
 222         if (wsi->vhost->tls.ssl_info_event_mask)
 223                 SSL_set_info_callback(wsi->tls.ssl, NULL);
 224 #endif
 225
 226         n = SSL_get_fd(wsi->tls.ssl);
 227         if (!wsi->socket_is_permanently_unusable)
 228                 SSL_shutdown(wsi->tls.ssl);
 229         compatible_close(n);
 230         SSL_free(wsi->tls.ssl);
 231         wsi->tls.ssl = NULL;
 232
 233         if (!lwsi_role_client(wsi) &&
 234             wsi->context->simultaneous_ssl_restriction &&
 235             wsi->context->simultaneous_ssl-- ==
 236                             wsi->context->simultaneous_ssl_restriction)
 237                 /* we made space and can do an accept */
 238                 lws_gate_accepts(wsi->context, 1);
 239
 240 #if defined(LWS_WITH_STATS)
 241         wsi->context->updated = 1;
 242 #endif
 243
 244         return 1; /* handled */
 245 }
 246
 247 void
 248 lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
 249 {
 250         if (vhost->tls.ssl_ctx)
 251                 SSL_CTX_free(vhost->tls.ssl_ctx);
 252
 253         if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
 254                 SSL_CTX_free(vhost->tls.ssl_client_ctx);
 255 #if defined(LWS_WITH_ACME)
 256         lws_tls_acme_sni_cert_destroy(vhost);
 257 #endif
 258 }
 259
 260 void
 261 lws_ssl_context_destroy(struct lws_context *context)
 262 {
 263 }
 264
 265 lws_tls_ctx *
 266 lws_tls_ctx_from_wsi(struct lws *wsi)
 267 {
 268         if (!wsi->tls.ssl)
 269                 return NULL;
 270
 271         return SSL_get_SSL_CTX(wsi->tls.ssl);
 272 }
 273
 274 enum lws_ssl_capable_status
 275 __lws_tls_shutdown(struct lws *wsi)
 276 {
 277         int n = SSL_shutdown(wsi->tls.ssl);
 278
 279         lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
 280
 281         switch (n) {
 282         case 1: /* successful completion */
 283                 n = shutdown(wsi->desc.sockfd, SHUT_WR);
 284                 return LWS_SSL_CAPABLE_DONE;
 285
 286         case 0: /* needs a retry */
 287                 __lws_change_pollfd(wsi, 0, LWS_POLLIN);
 288                 return LWS_SSL_CAPABLE_MORE_SERVICE;
 289
 290         default: /* fatal error, or WANT */
 291                 n = SSL_get_error(wsi->tls.ssl, n);
 292                 if (n != SSL_ERROR_SYSCALL && n != SSL_ERROR_SSL) {
 293                         if (SSL_want_read(wsi->tls.ssl)) {
 294                                 lwsl_debug("(wants read)\n");
 295                                 __lws_change_pollfd(wsi, 0, LWS_POLLIN);
 296                                 return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
 297                         }
 298                         if (SSL_want_write(wsi->tls.ssl)) {
 299                                 lwsl_debug("(wants write)\n");
 300                                 __lws_change_pollfd(wsi, 0, LWS_POLLOUT);
 301                                 return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
 302                         }
 303                 }
 304                 return LWS_SSL_CAPABLE_ERROR;
 305         }
 306 }
 307
 308
 309 static int
 310 tops_fake_POLLIN_for_buffered_mbedtls(struct lws_context_per_thread *pt)
 311 {
 312         return lws_tls_fake_POLLIN_for_buffered(pt);
 313 }
 314
 315 const struct lws_tls_ops tls_ops_mbedtls = {
 316         /* fake_POLLIN_for_buffered */  tops_fake_POLLIN_for_buffered_mbedtls,
 317 };