1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
7 // http://www.apache.org/licenses/LICENSE-2.0
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
22 #include "core/private.h"
25 lws_strncpy(char *dest, const char *src, size_t size);
27 #define SSL_SEND_DATA_MAX_LENGTH 1460
30 * @brief create a new SSL session object
32 static SSL_SESSION* SSL_SESSION_new(void)
36 session = ssl_mem_zalloc(sizeof(SSL_SESSION));
38 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
42 session->peer = X509_new();
44 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
51 ssl_mem_free(session);
57 * @brief free a new SSL session object
59 static void SSL_SESSION_free(SSL_SESSION *session)
61 X509_free(session->peer);
62 ssl_mem_free(session);
66 * @brief Discover whether the current connection is in the error state
68 int ossl_statem_in_error(const SSL *ssl)
72 if (ssl->statem.state == MSG_FLOW_ERROR)
79 * @brief get the SSL specifical statement
81 int SSL_want(const SSL *ssl)
89 * @brief check if SSL want nothing
91 int SSL_want_nothing(const SSL *ssl)
98 return (SSL_want(ssl) == SSL_NOTHING);
102 * @brief check if SSL want to read
104 int SSL_want_read(const SSL *ssl)
111 return (SSL_want(ssl) == SSL_READING);
115 * @brief check if SSL want to write
117 int SSL_want_write(const SSL *ssl)
124 return (SSL_want(ssl) == SSL_WRITING);
128 * @brief check if SSL want to lookup X509 certification
130 int SSL_want_x509_lookup(const SSL *ssl)
134 return (SSL_want(ssl) == SSL_WRITING);
138 * @brief get SSL error code
140 int SSL_get_error(const SSL *ssl, int ret_code)
142 int ret = SSL_ERROR_SYSCALL;
147 ret = SSL_ERROR_NONE;
148 else if (ret_code < 0)
150 if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl))
151 ret = SSL_ERROR_WANT_READ;
152 else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl))
153 ret = SSL_ERROR_WANT_WRITE;
155 ret = SSL_ERROR_SYSCALL; //unknown
157 else // ret_code == 0
159 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
160 ret = SSL_ERROR_ZERO_RETURN;
162 ret = SSL_ERROR_SYSCALL;
169 * @brief get the SSL state
171 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
173 OSSL_HANDSHAKE_STATE state;
177 state = SSL_METHOD_CALL(get_state, ssl);
183 * @brief create a SSL context
185 SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
192 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
196 client_ca = X509_new();
198 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
202 cert = ssl_cert_new();
204 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
208 ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
210 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
214 ctx->method = method;
215 ctx->client_CA = client_ca;
218 ctx->version = method->version;
225 X509_free(client_ca);
231 * @brief free a SSL context
233 void SSL_CTX_free(SSL_CTX* ctx)
237 ssl_cert_free(ctx->cert);
239 X509_free(ctx->client_CA);
241 if (ctx->alpn_protos)
242 ssl_mem_free(ctx->alpn_protos);
248 * @brief set the SSL context version
250 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
257 ctx->version = meth->version;
263 * @brief get the SSL context current method
265 const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
273 * @brief create a SSL
275 SSL *SSL_new(SSL_CTX *ctx)
281 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
285 ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
287 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
291 ssl->session = SSL_SESSION_new();
293 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
297 ssl->cert = __ssl_cert_new(ctx->cert);
299 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
303 ssl->client_CA = __X509_new(ctx->client_CA);
304 if (!ssl->client_CA) {
305 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
310 ssl->method = ctx->method;
312 ssl->version = ctx->version;
313 ssl->options = ctx->options;
315 ssl->verify_mode = ctx->verify_mode;
317 ret = SSL_METHOD_CALL(new, ssl);
319 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
323 _ssl_set_alpn_list(ssl);
325 ssl->rwstate = SSL_NOTHING;
330 X509_free(ssl->client_CA);
332 ssl_cert_free(ssl->cert);
334 SSL_SESSION_free(ssl->session);
342 * @brief free the SSL
344 void SSL_free(SSL *ssl)
348 SSL_METHOD_CALL(free, ssl);
350 X509_free(ssl->client_CA);
352 ssl_cert_free(ssl->cert);
354 SSL_SESSION_free(ssl->session);
356 if (ssl->alpn_protos)
357 ssl_mem_free(ssl->alpn_protos);
363 * @brief perform the SSL handshake
365 int SSL_do_handshake(SSL *ssl)
371 ret = SSL_METHOD_CALL(handshake, ssl);
377 * @brief connect to the remote SSL server
379 int SSL_connect(SSL *ssl)
383 return SSL_do_handshake(ssl);
387 * @brief accept the remote connection
389 int SSL_accept(SSL *ssl)
393 return SSL_do_handshake(ssl);
397 * @brief shutdown the connection
399 int SSL_shutdown(SSL *ssl)
405 if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
407 ret = SSL_METHOD_CALL(shutdown, ssl);
413 * @brief reset the SSL
415 int SSL_clear(SSL *ssl)
421 ret = SSL_shutdown(ssl);
423 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
427 SSL_METHOD_CALL(free, ssl);
429 ret = SSL_METHOD_CALL(new, ssl);
431 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
442 * @brief read data from to remote
444 int SSL_read(SSL *ssl, void *buffer, int len)
452 ssl->rwstate = SSL_READING;
454 ret = SSL_METHOD_CALL(read, ssl, buffer, len);
457 ssl->rwstate = SSL_NOTHING;
463 * @brief send the data to remote
465 int SSL_write(SSL *ssl, const void *buffer, int len)
468 int send_bytes, bytes;
469 const unsigned char *pbuf;
475 ssl->rwstate = SSL_WRITING;
478 pbuf = (const unsigned char *)buffer;
481 if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
482 bytes = SSL_SEND_DATA_MAX_LENGTH;
486 if (ssl->interrupted_remaining_write) {
487 bytes = ssl->interrupted_remaining_write;
488 ssl->interrupted_remaining_write = 0;
491 ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
492 //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes);
493 /* the return is a NEGATIVE OpenSSL error code, or the length sent */
498 ssl->interrupted_remaining_write = bytes;
499 } while (ret > 0 && send_bytes && ret == bytes);
502 ret = len - send_bytes;
504 ssl->rwstate = SSL_NOTHING;
506 if (send_bytes == len)
509 ret = len - send_bytes;
516 * @brief get SSL context of the SSL
518 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
526 * @brief get the SSL current method
528 const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
536 * @brief set the SSL method
538 int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
545 if (ssl->version != method->version) {
547 ret = SSL_shutdown(ssl);
549 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
553 SSL_METHOD_CALL(free, ssl);
555 ssl->method = method;
557 ret = SSL_METHOD_CALL(new, ssl);
559 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
563 ssl->method = method;
574 * @brief get SSL shutdown mode
576 int SSL_get_shutdown(const SSL *ssl)
580 return ssl->shutdown;
584 * @brief set SSL shutdown mode
586 void SSL_set_shutdown(SSL *ssl, int mode)
590 ssl->shutdown = mode;
595 * @brief get the number of the bytes to be read
597 int SSL_pending(const SSL *ssl)
603 ret = SSL_METHOD_CALL(pending, ssl);
609 * @brief check if some data can be read
611 int SSL_has_pending(const SSL *ssl)
617 if (SSL_pending(ssl))
626 * @brief clear the SSL context option bit of "op"
628 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
632 return ctx->options &= ~op;
636 * @brief get the SSL context option
638 unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
646 * @brief set the option of the SSL context
648 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
652 return ctx->options |= opt;
656 * @brief clear SSL option
658 unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
662 return ssl->options & ~op;
666 * @brief get SSL option
668 unsigned long SSL_get_options(SSL *ssl)
676 * @brief clear SSL option
678 unsigned long SSL_set_options(SSL *ssl, unsigned long op)
682 return ssl->options |= op;
686 * @brief get the socket handle of the SSL
688 int SSL_get_fd(const SSL *ssl)
694 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
700 * @brief get the read only socket handle of the SSL
702 int SSL_get_rfd(const SSL *ssl)
708 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
714 * @brief get the write only socket handle of the SSL
716 int SSL_get_wfd(const SSL *ssl)
722 ret = SSL_METHOD_CALL(get_fd, ssl, 0);
728 * @brief bind the socket file description into the SSL
730 int SSL_set_fd(SSL *ssl, int fd)
733 SSL_ASSERT1(fd >= 0);
735 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
741 * @brief bind the read only socket file description into the SSL
743 int SSL_set_rfd(SSL *ssl, int fd)
746 SSL_ASSERT1(fd >= 0);
748 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
754 * @brief bind the write only socket file description into the SSL
756 int SSL_set_wfd(SSL *ssl, int fd)
759 SSL_ASSERT1(fd >= 0);
761 SSL_METHOD_CALL(set_fd, ssl, fd, 0);
767 * @brief get SSL version
769 int SSL_version(const SSL *ssl)
777 * @brief get the SSL version string
779 static const char* ssl_protocol_to_string(int version)
783 if (version == TLS1_2_VERSION)
785 else if (version == TLS1_1_VERSION)
787 else if (version == TLS1_VERSION)
789 else if (version == SSL3_VERSION)
798 * @brief get the SSL current version
800 const char *SSL_get_version(const SSL *ssl)
804 return ssl_protocol_to_string(SSL_version(ssl));
808 * @brief get alert description string
810 const char* SSL_alert_desc_string(int value)
814 switch (value & 0xff)
816 case SSL3_AD_CLOSE_NOTIFY:
819 case SSL3_AD_UNEXPECTED_MESSAGE:
822 case SSL3_AD_BAD_RECORD_MAC:
825 case SSL3_AD_DECOMPRESSION_FAILURE:
828 case SSL3_AD_HANDSHAKE_FAILURE:
831 case SSL3_AD_NO_CERTIFICATE:
834 case SSL3_AD_BAD_CERTIFICATE:
837 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
840 case SSL3_AD_CERTIFICATE_REVOKED:
843 case SSL3_AD_CERTIFICATE_EXPIRED:
846 case SSL3_AD_CERTIFICATE_UNKNOWN:
849 case SSL3_AD_ILLEGAL_PARAMETER:
852 case TLS1_AD_DECRYPTION_FAILED:
855 case TLS1_AD_RECORD_OVERFLOW:
858 case TLS1_AD_UNKNOWN_CA:
861 case TLS1_AD_ACCESS_DENIED:
864 case TLS1_AD_DECODE_ERROR:
867 case TLS1_AD_DECRYPT_ERROR:
870 case TLS1_AD_EXPORT_RESTRICTION:
873 case TLS1_AD_PROTOCOL_VERSION:
876 case TLS1_AD_INSUFFICIENT_SECURITY:
879 case TLS1_AD_INTERNAL_ERROR:
882 case TLS1_AD_USER_CANCELLED:
885 case TLS1_AD_NO_RENEGOTIATION:
888 case TLS1_AD_UNSUPPORTED_EXTENSION:
891 case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
894 case TLS1_AD_UNRECOGNIZED_NAME:
897 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
900 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
903 case TLS1_AD_UNKNOWN_PSK_IDENTITY:
915 * @brief get alert description long string
917 const char* SSL_alert_desc_string_long(int value)
921 switch (value & 0xff)
923 case SSL3_AD_CLOSE_NOTIFY:
924 str = "close notify";
926 case SSL3_AD_UNEXPECTED_MESSAGE:
927 str = "unexpected_message";
929 case SSL3_AD_BAD_RECORD_MAC:
930 str = "bad record mac";
932 case SSL3_AD_DECOMPRESSION_FAILURE:
933 str = "decompression failure";
935 case SSL3_AD_HANDSHAKE_FAILURE:
936 str = "handshake failure";
938 case SSL3_AD_NO_CERTIFICATE:
939 str = "no certificate";
941 case SSL3_AD_BAD_CERTIFICATE:
942 str = "bad certificate";
944 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
945 str = "unsupported certificate";
947 case SSL3_AD_CERTIFICATE_REVOKED:
948 str = "certificate revoked";
950 case SSL3_AD_CERTIFICATE_EXPIRED:
951 str = "certificate expired";
953 case SSL3_AD_CERTIFICATE_UNKNOWN:
954 str = "certificate unknown";
956 case SSL3_AD_ILLEGAL_PARAMETER:
957 str = "illegal parameter";
959 case TLS1_AD_DECRYPTION_FAILED:
960 str = "decryption failed";
962 case TLS1_AD_RECORD_OVERFLOW:
963 str = "record overflow";
965 case TLS1_AD_UNKNOWN_CA:
968 case TLS1_AD_ACCESS_DENIED:
969 str = "access denied";
971 case TLS1_AD_DECODE_ERROR:
972 str = "decode error";
974 case TLS1_AD_DECRYPT_ERROR:
975 str = "decrypt error";
977 case TLS1_AD_EXPORT_RESTRICTION:
978 str = "export restriction";
980 case TLS1_AD_PROTOCOL_VERSION:
981 str = "protocol version";
983 case TLS1_AD_INSUFFICIENT_SECURITY:
984 str = "insufficient security";
986 case TLS1_AD_INTERNAL_ERROR:
987 str = "internal error";
989 case TLS1_AD_USER_CANCELLED:
990 str = "user canceled";
992 case TLS1_AD_NO_RENEGOTIATION:
993 str = "no renegotiation";
995 case TLS1_AD_UNSUPPORTED_EXTENSION:
996 str = "unsupported extension";
998 case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
999 str = "certificate unobtainable";
1001 case TLS1_AD_UNRECOGNIZED_NAME:
1002 str = "unrecognized name";
1004 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
1005 str = "bad certificate status response";
1007 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
1008 str = "bad certificate hash value";
1010 case TLS1_AD_UNKNOWN_PSK_IDENTITY:
1011 str = "unknown PSK identity";
1022 * @brief get alert type string
1024 const char *SSL_alert_type_string(int value)
1030 case SSL3_AL_WARNING:
1045 * @brief get alert type long string
1047 const char *SSL_alert_type_string_long(int value)
1053 case SSL3_AL_WARNING:
1068 * @brief get the state string where SSL is reading
1070 const char *SSL_rstate_string(SSL *ssl)
1076 switch (ssl->rlayer.rstate)
1078 case SSL_ST_READ_HEADER:
1081 case SSL_ST_READ_BODY:
1084 case SSL_ST_READ_DONE:
1096 * @brief get the statement long string where SSL is reading
1098 const char *SSL_rstate_string_long(SSL *ssl)
1100 const char *str = "unknown";
1104 switch (ssl->rlayer.rstate)
1106 case SSL_ST_READ_HEADER:
1107 str = "read header";
1109 case SSL_ST_READ_BODY:
1112 case SSL_ST_READ_DONE:
1123 * @brief get SSL statement string
1125 char *SSL_state_string(const SSL *ssl)
1127 char *str = "UNKWN ";
1131 if (ossl_statem_in_error(ssl))
1135 switch (SSL_get_state(ssl))
1143 case TLS_ST_CW_CLNT_HELLO:
1146 case TLS_ST_CR_SRVR_HELLO:
1149 case TLS_ST_CR_CERT:
1152 case TLS_ST_CR_KEY_EXCH:
1155 case TLS_ST_CR_CERT_REQ:
1158 case TLS_ST_CR_SRVR_DONE:
1161 case TLS_ST_CW_CERT:
1164 case TLS_ST_CW_KEY_EXCH:
1167 case TLS_ST_CW_CERT_VRFY:
1170 case TLS_ST_SW_CHANGE:
1171 case TLS_ST_CW_CHANGE:
1174 case TLS_ST_SW_FINISHED:
1175 case TLS_ST_CW_FINISHED:
1178 case TLS_ST_SR_CHANGE:
1179 case TLS_ST_CR_CHANGE:
1182 case TLS_ST_SR_FINISHED:
1183 case TLS_ST_CR_FINISHED:
1186 case TLS_ST_SW_HELLO_REQ:
1189 case TLS_ST_SR_CLNT_HELLO:
1192 case TLS_ST_SW_SRVR_HELLO:
1195 case TLS_ST_SW_CERT:
1198 case TLS_ST_SW_KEY_EXCH:
1201 case TLS_ST_SW_CERT_REQ:
1204 case TLS_ST_SW_SRVR_DONE:
1207 case TLS_ST_SR_CERT:
1210 case TLS_ST_SR_KEY_EXCH:
1213 case TLS_ST_SR_CERT_VRFY:
1216 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1219 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
1231 * @brief get SSL statement long string
1233 char *SSL_state_string_long(const SSL *ssl)
1235 char *str = "UNKWN ";
1239 if (ossl_statem_in_error(ssl))
1243 switch (SSL_get_state(ssl))
1246 str = "before SSL initialization";
1249 str = "SSL negotiation finished successfully";
1251 case TLS_ST_CW_CLNT_HELLO:
1252 str = "SSLv3/TLS write client hello";
1254 case TLS_ST_CR_SRVR_HELLO:
1255 str = "SSLv3/TLS read server hello";
1257 case TLS_ST_CR_CERT:
1258 str = "SSLv3/TLS read server certificate";
1260 case TLS_ST_CR_KEY_EXCH:
1261 str = "SSLv3/TLS read server key exchange";
1263 case TLS_ST_CR_CERT_REQ:
1264 str = "SSLv3/TLS read server certificate request";
1266 case TLS_ST_CR_SESSION_TICKET:
1267 str = "SSLv3/TLS read server session ticket";
1269 case TLS_ST_CR_SRVR_DONE:
1270 str = "SSLv3/TLS read server done";
1272 case TLS_ST_CW_CERT:
1273 str = "SSLv3/TLS write client certificate";
1275 case TLS_ST_CW_KEY_EXCH:
1276 str = "SSLv3/TLS write client key exchange";
1278 case TLS_ST_CW_CERT_VRFY:
1279 str = "SSLv3/TLS write certificate verify";
1281 case TLS_ST_CW_CHANGE:
1282 case TLS_ST_SW_CHANGE:
1283 str = "SSLv3/TLS write change cipher spec";
1285 case TLS_ST_CW_FINISHED:
1286 case TLS_ST_SW_FINISHED:
1287 str = "SSLv3/TLS write finished";
1289 case TLS_ST_CR_CHANGE:
1290 case TLS_ST_SR_CHANGE:
1291 str = "SSLv3/TLS read change cipher spec";
1293 case TLS_ST_CR_FINISHED:
1294 case TLS_ST_SR_FINISHED:
1295 str = "SSLv3/TLS read finished";
1297 case TLS_ST_SR_CLNT_HELLO:
1298 str = "SSLv3/TLS read client hello";
1300 case TLS_ST_SW_HELLO_REQ:
1301 str = "SSLv3/TLS write hello request";
1303 case TLS_ST_SW_SRVR_HELLO:
1304 str = "SSLv3/TLS write server hello";
1306 case TLS_ST_SW_CERT:
1307 str = "SSLv3/TLS write certificate";
1309 case TLS_ST_SW_KEY_EXCH:
1310 str = "SSLv3/TLS write key exchange";
1312 case TLS_ST_SW_CERT_REQ:
1313 str = "SSLv3/TLS write certificate request";
1315 case TLS_ST_SW_SESSION_TICKET:
1316 str = "SSLv3/TLS write session ticket";
1318 case TLS_ST_SW_SRVR_DONE:
1319 str = "SSLv3/TLS write server done";
1321 case TLS_ST_SR_CERT:
1322 str = "SSLv3/TLS read client certificate";
1324 case TLS_ST_SR_KEY_EXCH:
1325 str = "SSLv3/TLS read client key exchange";
1327 case TLS_ST_SR_CERT_VRFY:
1328 str = "SSLv3/TLS read certificate verify";
1330 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1331 str = "DTLS1 read hello verify request";
1333 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
1334 str = "DTLS1 write hello verify request";
1345 * @brief set the SSL context read buffer length
1347 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
1351 ctx->read_buffer_len = len;
1355 * @brief set the SSL read buffer length
1357 void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
1362 SSL_METHOD_CALL(set_bufflen, ssl, len);
1366 * @brief set the SSL information callback function
1368 void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
1372 ssl->info_callback = cb;
1376 * @brief add SSL context reference count by '1'
1378 int SSL_CTX_up_ref(SSL_CTX *ctx)
1383 * no support multi-thread SSL here
1391 * @brief set the SSL security level
1393 void SSL_set_security_level(SSL *ssl, int level)
1397 ssl->cert->sec_level = level;
1401 * @brief get the SSL security level
1403 int SSL_get_security_level(const SSL *ssl)
1407 return ssl->cert->sec_level;
1411 * @brief get the SSL verifying mode of the SSL context
1413 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1417 return ctx->verify_mode;
1421 * @brief set the session timeout time
1423 long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
1429 l = ctx->session_timeout;
1430 ctx->session_timeout = t;
1436 * @brief get the session timeout time
1438 long SSL_CTX_get_timeout(const SSL_CTX *ctx)
1442 return ctx->session_timeout;
1446 * @brief set the SSL if we can read as many as data
1448 void SSL_set_read_ahead(SSL *ssl, int yes)
1452 ssl->rlayer.read_ahead = yes;
1456 * @brief set the SSL context if we can read as many as data
1458 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
1462 ctx->read_ahead = yes;
1466 * @brief get the SSL ahead signal if we can read as many as data
1468 int SSL_get_read_ahead(const SSL *ssl)
1472 return ssl->rlayer.read_ahead;
1476 * @brief get the SSL context ahead signal if we can read as many as data
1478 long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
1482 return ctx->read_ahead;
1486 * @brief check if the SSL context can read as many as data
1488 long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
1492 return ctx->read_ahead;
1496 * @brief set SSL session time
1498 long SSL_set_time(SSL *ssl, long t)
1502 ssl->session->time = t;
1508 * @brief set SSL session timeout time
1510 long SSL_set_timeout(SSL *ssl, long t)
1514 ssl->session->timeout = t;
1520 * @brief get the verifying result of the SSL certification
1522 long SSL_get_verify_result(const SSL *ssl)
1526 return SSL_METHOD_CALL(get_verify_result, ssl);
1530 * @brief get the SSL verifying depth of the SSL context
1532 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1536 return ctx->param.depth;
1540 * @brief set the SSL verify depth of the SSL context
1542 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
1546 ctx->param.depth = depth;
1550 * @brief get the SSL verifying depth of the SSL
1552 int SSL_get_verify_depth(const SSL *ssl)
1556 return ssl->param.depth;
1560 * @brief set the SSL verify depth of the SSL
1562 void SSL_set_verify_depth(SSL *ssl, int depth)
1566 ssl->param.depth = depth;
1570 * @brief set the SSL context verifying of the SSL context
1572 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
1576 ctx->verify_mode = mode;
1577 ctx->default_verify_callback = verify_callback;
1581 * @brief set the SSL verifying of the SSL context
1583 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
1587 ssl->verify_mode = mode;
1588 ssl->verify_callback = verify_callback;
1591 void ERR_error_string_n(unsigned long e, char *buf, size_t len)
1593 lws_strncpy(buf, "unknown", len);
1596 void ERR_free_strings(void)
1600 char *ERR_error_string(unsigned long e, char *buf)
1606 case X509_V_ERR_INVALID_CA:
1607 strcpy(buf, "CA is not trusted");
1609 case X509_V_ERR_HOSTNAME_MISMATCH:
1610 strcpy(buf, "Hostname mismatch");
1612 case X509_V_ERR_CA_KEY_TOO_SMALL:
1613 strcpy(buf, "CA key too small");
1615 case X509_V_ERR_CA_MD_TOO_WEAK:
1616 strcpy(buf, "MD key too weak");
1618 case X509_V_ERR_CERT_NOT_YET_VALID:
1619 strcpy(buf, "Cert from the future");
1621 case X509_V_ERR_CERT_HAS_EXPIRED:
1622 strcpy(buf, "Cert expired");
1625 strcpy(buf, "unknown");
1632 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
1638 * Openssl wants the valid protocol names supplied like this:
1640 * (unsigned char *)"\x02h2\x08http/1.1", 6 + 9
1642 * Mbedtls wants this:
1644 * Pointer to a NULL-terminated list of supported protocols, in decreasing
1645 * preference order. The pointer to the list is recorded by the library for
1646 * later reference as required, so the lifetime of the table must be at least
1647 * as long as the lifetime of the SSL configuration structure.
1649 * So accept the OpenSSL style and convert to mbedtls style
1654 _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)
1656 unsigned char *p = ac->data, *q;
1661 /* find out how many entries he gave us */
1664 while (p - ac->data < ac->len) {
1681 /* allocate space for count + 1 pointers and the data afterwards */
1683 alpn_protos = ssl_mem_zalloc((count + 1) * sizeof(char *) + ac->len + 1);
1687 *palpn_protos = alpn_protos;
1689 /* convert to mbedtls format */
1691 q = (unsigned char *)alpn_protos + (count + 1) * sizeof(char *);
1696 alpn_protos[count] = (char *)q;
1697 while (p - ac->data < ac->len) {
1705 alpn_protos[count] = (char *)q;
1713 alpn_protos[count] = (char *)q;
1715 alpn_protos[count] = NULL; /* last pointer ends list with NULL */
1718 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg)
1720 struct alpn_ctx *ac = arg;
1724 _openssl_alpn_to_mbedtls(ac, (char ***)&ctx->alpn_protos);
1727 void SSL_set_alpn_select_cb(SSL *ssl, void *arg)
1729 struct alpn_ctx *ac = arg;
1731 _openssl_alpn_to_mbedtls(ac, (char ***)&ssl->alpn_protos);
1733 _ssl_set_alpn_list(ssl);