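Lines matching defs:wsi (each entry below begins with its line number in the searched source file; the lines between entries are not shown)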
44 int lws_openssl_describe_cipher(struct lws *wsi);
64 struct lws *wsi = (struct lws *)got_opaque;
73 xs = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(wsi->tls.ssl));
96 struct lws *wsi;
105 wsi = SSL_get_ex_data(ssl,
107 if (!wsi) {
108 lwsl_err("%s: can't get wsi from ssl privdata\n",
116 wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
123 wsi->tls.use_ssl & LCCSCF_ALLOW_INSECURE) {
129 wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED) {
146 wsi = SSL_get_ex_data(ssl, openssl_websocket_private_data_index);
147 if (!wsi) {
148 lwsl_err("%s: can't get wsi from ssl privdata\n", __func__);
162 wsi->tls.kid_chain.count !=
163 LWS_ARRAY_SIZE(wsi->tls.kid_chain.akid); n++) {
170 &wsi->tls.kid_chain.skid[
171 wsi->tls.kid_chain.count]);
177 &wsi->tls.kid_chain.akid[
178 wsi->tls.kid_chain.count]);
180 wsi->tls.kid_chain.count++;
186 lws_tls_jit_trust_sort_kids(wsi, &wsi->tls.kid_chain);
190 n = lws_get_context_protocol(wsi->a.context, 0).callback(wsi,
206 lws_strncpy(wsi->tls.err_helper, msg,
207 sizeof(wsi->tls.err_helper));
218 lws_metrics_hist_bump_describe_wsi(wsi,
219 lws_metrics_priv_to_pub(wsi->a.context->mth_conn_failures),
236 lws_ssl_client_bio_create(struct lws *wsi)
242 const char *alpn_comma = wsi->a.context->tls.alpn_default;
246 if (wsi->stash) {
247 lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
250 alpn_comma = wsi->stash->cis[CIS_ALPN];
254 if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
277 wsi->tls.ssl = SSL_new(wsi->a.vhost->tls.ssl_client_ctx);
278 if (!wsi->tls.ssl) {
285 lws_ssl_get_error(wsi, 0), NULL);
292 if (!(wsi->a.vhost->options & LWS_SERVER_OPTION_DISABLE_TLS_SESSION_CACHE))
293 lws_tls_reuse_session(wsi);
297 if (wsi->a.vhost->tls.ssl_info_event_mask)
298 SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
302 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
305 X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
318 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
329 SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
335 SSL_set_mode(wsi->tls.ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
344 CyaSSL_UseSNI(wsi->tls.ssl, CYASSL_SNI_HOST_NAME, hostname,
349 wolfSSL_UseSNI(wsi->tls.ssl, WOLFSSL_SNI_HOST_NAME, hostname,
355 SSL_set_tlsext_host_name(wsi->tls.ssl, hostname);
368 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)
369 CyaSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL);
371 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)
372 wolfSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL);
376 wsi->tls.client_bio = BIO_new_socket((int)(lws_intptr_t)wsi->desc.sockfd,
378 SSL_set_bio(wsi->tls.ssl, wsi->tls.client_bio, wsi->tls.client_bio);
382 CyaSSL_set_using_nonblock(wsi->tls.ssl, 1);
384 wolfSSL_set_using_nonblock(wsi->tls.ssl, 1);
387 BIO_set_nbio(wsi->tls.client_bio, 1); /* nonblocking */
392 if (wsi->a.vhost->tls.alpn)
393 alpn_comma = wsi->a.vhost->tls.alpn;
394 if (wsi->stash)
395 alpn_comma = wsi->stash->cis[CIS_ALPN];
397 if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
402 lwsl_info("%s client conn using alpn list '%s'\n", wsi->role_ops->name, alpn_comma);
407 SSL_set_alpn_protos(wsi->tls.ssl, openssl_alpn, (unsigned int)n);
410 SSL_set_ex_data(wsi->tls.ssl, openssl_websocket_private_data_index,
411 wsi);
413 if (wsi->sys_tls_client_cert) {
414 lws_system_blob_t *b = lws_system_get_blob(wsi->a.context,
416 wsi->sys_tls_client_cert - 1);
434 if (SSL_use_certificate_ASN1(wsi->tls.ssl,
450 b = lws_system_get_blob(wsi->a.context,
452 wsi->sys_tls_client_cert - 1);
463 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, wsi->tls.ssl,
475 SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, wsi->tls.ssl,
491 if (SSL_check_private_key(wsi->tls.ssl) != 1) {
498 wsi->sys_tls_client_cert - 1);
505 wsi->sys_tls_client_cert - 1);
511 lws_tls_client_connect(struct lws *wsi, char *errbuf, size_t elen)
526 wsi->tls.err_helper[0] = '\0';
527 n = SSL_connect(wsi->tls.ssl);
530 m = lws_ssl_get_error(wsi, n);
546 n = lws_snprintf(errbuf, elen, "tls: %s", wsi->tls.err_helper);
547 if (!wsi->tls.err_helper[0])
553 if (SSL_session_reused(wsi->tls.ssl)) {
555 sess = SSL_get_session(wsi->tls.ssl);
566 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
569 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
575 SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
582 lws_role_call_alpn_negotiated(wsi, (const char *)a);
585 lws_sul_schedule(wsi->a.context, wsi->tsi,
586 &wsi->tls.sul_cb_synth,
591 lws_openssl_describe_cipher(wsi);
604 lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, size_t ebuf_len)
607 struct lws_context_per_thread *pt = &wsi->a.context->pt[(int)wsi->tsi];
616 n = SSL_get_verify_result(wsi->tls.ssl);
648 lws_metrics_hist_bump_describe_wsi(wsi,
649 lws_metrics_priv_to_pub(wsi->a.context->mth_conn_failures), type);
652 if (wsi->tls.use_ssl & avoid) {