support openssl info callback

[platform/upstream/libwebsockets.git] / lib / ssl-client.c

diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index b204495..dea9538 100644 (file)
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -29,12 +29,18 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info
 
 extern int lws_ssl_get_error(struct lws *wsi, int n);
 
-#ifdef USE_WOLFSSL
+#if defined(USE_WOLFSSL)
 #else
 
 static int
 OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
+#if defined(LWS_WITH_ESP32)
+//     long gvr = ssl_pm_get_verify_result(
+       lwsl_notice("%s\n", __func__);
+
+       return 0;
+#else
        SSL *ssl;
        int n;
        struct lws *wsi;
@@ -87,6 +93,7 @@ OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
        }
        /* convert callback return code from 0 = OK to verify callback return value 1 = OK */
        return !n;
+#endif
 }
 #endif
 
@@ -119,10 +126,15 @@ lws_ssl_client_bio_create(struct lws *wsi)
        if (!wsi->ssl) {
                lwsl_err("SSL_new failed: %s\n",
                         ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
-               lws_decode_ssl_error();
+               lws_ssl_elaborate_error();
                return -1;
        }
 
+#if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
+       if (wsi->vhost->ssl_info_event_mask)
+               SSL_set_info_callback(wsi->ssl, lws_ssl_info_callback);
+#endif
+
 #if defined LWS_HAVE_X509_VERIFY_PARAM_set1_host
        X509_VERIFY_PARAM *param;
        (void)param;
@@ -137,14 +149,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
 
 #endif
 
-#ifndef USE_WOLFSSL
+#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
 #ifndef USE_OLD_CYASSL
        /* OpenSSL_client_verify_callback will be called @ SSL_connect() */
        SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
 #endif
 #endif
 
-#ifndef USE_WOLFSSL
+#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
        SSL_set_mode(wsi->ssl,  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #endif
        /*
@@ -162,10 +174,17 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #endif
 #endif
 #else
+#if defined(LWS_WITH_ESP32)
+// esp-idf openssl shim does not seem ready for this
+//     SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
+       SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
+
+#else
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
        SSL_set_tlsext_host_name(wsi->ssl, hostname);
 #endif
 #endif
+#endif
 
 #ifdef USE_WOLFSSL
        /*
@@ -184,8 +203,12 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #endif
 #endif /* USE_WOLFSSL */
 
-       wsi->client_bio = BIO_new_socket(wsi->sock, BIO_NOCLOSE);
+#if !defined(LWS_WITH_ESP32)
+       wsi->client_bio = BIO_new_socket(wsi->desc.sockfd, BIO_NOCLOSE);
        SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
+#else
+       SSL_set_fd(wsi->ssl, wsi->desc.sockfd);
+#endif
 
 #ifdef USE_WOLFSSL
 #ifdef USE_OLD_CYASSL
@@ -194,15 +217,26 @@ lws_ssl_client_bio_create(struct lws *wsi)
        wolfSSL_set_using_nonblock(wsi->ssl, 1);
 #endif
 #else
+#if !defined(LWS_WITH_ESP32)
        BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
 #endif
+#endif
 
+#if !defined(LWS_WITH_ESP32)
        SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index,
                        wsi);
+#endif
 
        return 0;
 }
 
+#if defined(LWS_WITH_ESP32)
+int ERR_get_error(void)
+{
+       return 0;
+}
+#endif
+
 int
 lws_ssl_client_connect1(struct lws *wsi)
 {
@@ -289,7 +323,7 @@ lws_ssl_client_connect2(struct lws *wsi)
        if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {
                lws_latency_pre(context, wsi);
                n = SSL_connect(wsi->ssl);
-               lwsl_notice("%s: SSL_connect says %d\n", __func__, n);
+               lwsl_debug("%s: SSL_connect says %d\n", __func__, n);
 
                lws_latency(context, wsi,
                            "SSL_connect LWSCM_WSCL_WAITING_SSL", n, n > 0);
@@ -343,6 +377,19 @@ lws_ssl_client_connect2(struct lws *wsi)
                }
        }
 
+#if defined(LWS_WITH_ESP32)
+       {
+               X509 *peer = SSL_get_peer_certificate(wsi->ssl);
+
+               if (!peer) {
+                       lwsl_notice("peer did not provide cert\n");
+
+                       return -1;
+               }
+               lwsl_notice("peer provided cert\n");
+       }
+#endif
+
 #ifndef USE_WOLFSSL
        /*
         * See comment above about wolfSSL certificate
@@ -353,6 +400,8 @@ lws_ssl_client_connect2(struct lws *wsi)
        lws_latency(context, wsi,
                "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
 
+       lwsl_debug("get_verify says %d\n", n);
+
        if (n != X509_V_OK) {
                if ((n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
                     n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
@@ -382,13 +431,15 @@ lws_ssl_client_connect2(struct lws *wsi)
 int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                                struct lws_vhost *vhost)
 {
-       SSL_METHOD *method;
+       SSL_METHOD *method = NULL;
        struct lws wsi;
        unsigned long error;
+#if !defined(LWS_WITH_ESP32)
        const char *cipher_list = info->ssl_cipher_list;
        const char *ca_filepath = info->ssl_ca_filepath;
-       const char *cert_filepath = info->ssl_cert_filepath;
        const char *private_key_filepath = info->ssl_private_key_filepath;
+       const char *cert_filepath = info->ssl_cert_filepath;
+
        int n;
 
        /*
@@ -403,6 +454,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                cert_filepath = info->client_ssl_cert_filepath;
        if (info->client_ssl_private_key_filepath)
                private_key_filepath = info->client_ssl_private_key_filepath;
+#endif
 
        if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
                return 0;
@@ -421,7 +473,15 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 
        /* basic openssl init already happened in context init */
 
+
+       /* choose the most recent spin of the api */
+#if defined(LWS_HAVE_TLS_CLIENT_METHOD)
+       method = (SSL_METHOD *)TLS_client_method();
+#elif defined(LWS_HAVE_TLSV1_2_CLIENT_METHOD)
+       method = (SSL_METHOD *)TLSv1_2_client_method();
+#else
        method = (SSL_METHOD *)SSLv23_client_method();
+#endif
        if (!method) {
                error = ERR_get_error();
                lwsl_err("problem creating ssl method %lu: %s\n",
@@ -442,8 +502,11 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 #ifdef SSL_OP_NO_COMPRESSION
        SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
 #endif
+
+#if !defined(LWS_WITH_ESP32)
        SSL_CTX_set_options(vhost->ssl_client_ctx,
                            SSL_OP_CIPHER_SERVER_PREFERENCE);
+
        if (cipher_list)
                SSL_CTX_set_cipher_list(vhost->ssl_client_ctx, cipher_list);
 
@@ -474,11 +537,12 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                }
                else
                        lwsl_info("loaded ssl_ca_filepath\n");
-
+#endif
        /*
         * callback allowing user code to load extra verification certs
         * helping the client to verify server identity
         */
+#if !defined(LWS_WITH_ESP32)
 
        /* support for client-side certificate authentication */
        if (cert_filepath) {
@@ -493,7 +557,6 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                }
                lwsl_notice("Loaded client cert %s\n", cert_filepath);
        }
-
        if (private_key_filepath) {
                lwsl_notice("%s: doing private key filepath\n", __func__);
                lws_ssl_bind_passphrase(vhost->ssl_client_ctx, info);
@@ -514,7 +577,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                        return 1;
                }
        }
-
+#endif
        /*
         * give him a fake wsi with context set, so he can use
         * lws_get_context() in the callback