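Lines Matching refs:tls — each hit below is prefixed with its line number in the source file; lines that do not mention `tls` are omitted, so most statements appear only in part.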

/*
 * Hits from the certificate-verification and error-reporting code. Each hit
 * is a single matching line, so the conditions and calls around it are not
 * visible here.
 */
35 #include "private-lib-tls-openssl.h"
/* Looks up the X509 certificate store of the SSL_CTX that owns this connection's SSL object. */
73 xs = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(wsi->tls.ssl));
/*
 * The next three hits test per-connection LCCSCF_ALLOW_* bits in use_ssl.
 * NOTE(review): the names suggest each bit tolerates one class of
 * verification failure (self-signed, "insecure", expired); the error codes
 * they are paired with are outside this listing -- confirm in the full
 * source. A client that sets any of them is presumably opting out of part
 * of server authentication.
 */
116 wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
123 wsi->tls.use_ssl & LCCSCF_ALLOW_INSECURE) {
129 wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED) {
/*
 * Loop guard: iteration stops once kid_chain.count equals the element count
 * of akid[]. The writes below index both skid[] and akid[] with count and
 * then increment it.
 * NOTE(review): the bound is derived from akid[] only and is tested with !=,
 * so it protects skid[] only if skid[] is at least as large and count can
 * never already exceed the array size on entry -- confirm against the
 * struct definition.
 */
162 wsi->tls.kid_chain.count !=
163 LWS_ARRAY_SIZE(wsi->tls.kid_chain.akid); n++) {
170 &wsi->tls.kid_chain.skid[
171 wsi->tls.kid_chain.count]);
177 &wsi->tls.kid_chain.akid[
178 wsi->tls.kid_chain.count]);
180 wsi->tls.kid_chain.count++;
/* Passes the collected key-id chain to the JIT-trust helper. */
186 lws_tls_jit_trust_sort_kids(wsi, &wsi->tls.kid_chain);
/*
 * Copies msg into the fixed-size err_helper buffer, bounded by the
 * destination's sizeof.
 * NOTE(review): err_helper is later consumed as a C string, so this depends
 * on lws_strncpy always NUL-terminating -- presumably it does; confirm.
 */
206 lws_strncpy(wsi->tls.err_helper, msg,
207 sizeof(wsi->tls.err_helper));
/* msg is passed as a %s argument, not used as the format string itself. */
217 "tls=\"%s\"", msg);
/*
 * Hits from the per-connection client SSL setup. Fragments only: #if
 * branches and most call arguments are not visible in this listing.
 */
/* ALPN list starts from the context-wide default; a vhost-level list replaces it further down (392-393). */
242 const char *alpn_comma = wsi->a.context->tls.alpn_default;
/* Creates the per-connection SSL object from the vhost's client SSL_CTX and tests for allocation failure. */
277 wsi->tls.ssl = SSL_new(wsi->a.vhost->tls.ssl_client_ctx);
278 if (!wsi->tls.ssl) {
/* The info callback is installed only when the vhost has a non-zero event mask. */
297 if (wsi->a.vhost->tls.ssl_info_event_mask)
298 SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
/*
 * Hostname checking is configured unless the connection carries
 * LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK; the verify parameters of this SSL
 * are fetched for that purpose.
 * NOTE(review): with the flag set, a certificate that chains to a trusted CA
 * but names a different host would presumably be accepted -- confirm which
 * callers set it.
 */
302 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
305 X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
/*
 * Alternative path whose log message says the TLS library lacks
 * X509_VERIFY_PARAM_set1_host: per that message, client TLS is failed
 * rather than continuing without a hostname check (unless the skip flag
 * was requested).
 */
318 if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
319 lwsl_err("%s: your tls lib is too old to have "
320 "X509_VERIFY_PARAM_set1_host, failing all client tls\n",
/* Peer verification is requested (SSL_VERIFY_PEER); the callback argument is on a line not listed. */
329 SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
335 SSL_set_mode(wsi->tls.ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/* SNI: the hostname is set through the CyaSSL, wolfSSL or OpenSSL API; presumably one per build variant. */
344 CyaSSL_UseSNI(wsi->tls.ssl, CYASSL_SNI_HOST_NAME, hostname,
349 wolfSSL_UseSNI(wsi->tls.ssl, WOLFSSL_SNI_HOST_NAME, hostname,
355 SSL_set_tlsext_host_name(wsi->tls.ssl, hostname);
/*
 * In the CyaSSL / wolfSSL variants, LCCSCF_ALLOW_SELFSIGNED switches the
 * connection to SSL_VERIFY_NONE with no callback.
 * NOTE(review): SSL_VERIFY_NONE means the handshake is not aborted on any
 * certificate verification failure, which is broader than "accept
 * self-signed". Any remaining protection depends on the verify result being
 * inspected after the handshake -- confirm that it is in these builds.
 */
368 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)
369 CyaSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL);
371 if (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)
372 wolfSSL_set_verify(wsi->tls.ssl, SSL_VERIFY_NONE, NULL);
/* Wraps the connection's socket descriptor in a BIO used for both read and write, then marks it non-blocking. */
376 wsi->tls.client_bio = BIO_new_socket((int)(lws_intptr_t)wsi->desc.sockfd,
378 SSL_set_bio(wsi->tls.ssl, wsi->tls.client_bio, wsi->tls.client_bio);
382 CyaSSL_set_using_nonblock(wsi->tls.ssl, 1);
384 wolfSSL_set_using_nonblock(wsi->tls.ssl, 1);
387 BIO_set_nbio(wsi->tls.client_bio, 1); /* nonblocking */
/* A vhost-specific ALPN list, when present, overrides the context default. */
392 if (wsi->a.vhost->tls.alpn)
393 alpn_comma = wsi->a.vhost->tls.alpn;
/* Offers the encoded ALPN protocol list (n bytes) to the server. */
407 SSL_set_alpn_protos(wsi->tls.ssl, openssl_alpn, (unsigned int)n);
/* Stores a value on the SSL under openssl_websocket_private_data_index; the stored pointer is on a line not listed. */
410 SSL_set_ex_data(wsi->tls.ssl, openssl_websocket_private_data_index,
/*
 * Per-connection client certificate and private key supplied as in-memory
 * ASN.1: the key is offered as RSA and as EC, and SSL_check_private_key()
 * must return 1 or the failure branch is taken.
 */
434 if (SSL_use_certificate_ASN1(wsi->tls.ssl,
463 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, wsi->tls.ssl,
475 SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, wsi->tls.ssl,
491 if (SSL_check_private_key(wsi->tls.ssl) != 1) {
/*
 * Hits from the client handshake and the post-handshake verification check.
 * Fragments only; the branches between them are not visible here.
 */
/* err_helper is emptied immediately before SSL_connect() so that any text found afterwards belongs to this attempt. */
526 wsi->tls.err_helper[0] = '\0';
527 n = SSL_connect(wsi->tls.ssl);
/* Failure text is formatted into the caller's errbuf, bounded by elen; an empty err_helper is handled separately. */
546 n = lws_snprintf(errbuf, elen, "tls: %s", wsi->tls.err_helper);
547 if (!wsi->tls.err_helper[0])
/* Session-resumption case: the session object is fetched when the handshake reused one. */
553 if (SSL_session_reused(wsi->tls.ssl)) {
555 sess = SSL_get_session(wsi->tls.ssl);
/* Non-blocking handshake: distinguishes "needs more input" from "needs to write". */
566 if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
569 if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
/* Reads back the ALPN protocol the server selected. */
575 SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
586 &wsi->tls.sul_cb_synth,
/*
 * Post-handshake check: the library's verify result is read and mapped to
 * one of the "tls=..." reason strings below.
 */
616 n = SSL_get_verify_result(wsi->tls.ssl);
623 type = "tls=hostname";
630 type = "tls=invalidca";
635 type = "tls=notyetvalid";
640 type = "tls=expired";
/*
 * NOTE(review): `avoid` is tested against the connection's use_ssl flags;
 * presumably a matching bit lets the connection proceed despite the failure
 * classified above. How `avoid` is chosen per failure type is outside this
 * listing -- confirm, since this is the point where a relaxed flag turns a
 * verification failure into an accepted connection.
 */
652 if (wsi->tls.use_ssl & avoid) {
/*
 * Hits from the vhost-level client SSL_CTX code: trust store access, context
 * reuse, option hardening, CA loading and client credentials. Fragments
 * only; conditions and most arguments are not visible here.
 */
/* Fetches the certificate store of the vhost's client SSL_CTX. */
696 st = SSL_CTX_get_cert_store(vh->tls.ssl_client_ctx);
/*
 * Walks the context-wide cc_owner list and, on a match, points this vhost at
 * an existing entry's SSL_CTX instead of creating a new one.
 * NOTE(review): the matching criterion is not in this listing; vhosts that
 * share an SSL_CTX also share its trust store and options -- confirm the
 * match covers every setting that affects verification.
 */
833 lws_dll2_get_head(&vh->context->tls.cc_owner)) {
841 vh->tls.ssl_client_ctx = tcr->ssl_client_ctx;
842 vh->tls.tcr = tcr;
/* Otherwise a fresh client SSL_CTX is created and checked for allocation failure. */
856 vh->tls.ssl_client_ctx = SSL_CTX_new(method);
857 if (!vh->tls.ssl_client_ctx) {
873 SSL_CTX_set_ex_data(vh->tls.ssl_client_ctx,
/* The new SSL_CTX is freed here; presumably an error path -- the condition is not listed. */
881 SSL_CTX_free(vh->tls.ssl_client_ctx);
/* Records the new SSL_CTX in a tcr entry, gives it an index and links it into the context's list for later reuse. */
885 tcr->ssl_client_ctx = vh->tls.ssl_client_ctx;
888 tcr->index = vh->context->tls.count_client_contexts++;
889 lws_dll2_add_head(&tcr->cc_list, &vh->context->tls.cc_owner);
896 vh->tls.tcr = tcr;
/* Disables TLS-level compression on the client context (the feature abused by CRIME-style attacks). */
905 SSL_CTX_set_options(vh->tls.ssl_client_ctx, SSL_OP_NO_COMPRESSION);
908 SSL_CTX_set_options(vh->tls.ssl_client_ctx,
911 SSL_CTX_set_mode(vh->tls.ssl_client_ctx,
/*
 * Additional option bits are set and cleared from
 * ssl_client_options_set_value / ssl_client_options_clear_value.
 * NOTE(review): the clear is applied after the hardening at 905, so a clear
 * value containing SSL_OP_NO_COMPRESSION would undo it; where these values
 * come from is not shown -- confirm they are operator-controlled only.
 */
945 SSL_CTX_set_options(vh->tls.ssl_client_ctx, ssl_client_options_set_value);
975 SSL_CTX_clear_options(vh->tls.ssl_client_ctx, ssl_client_options_clear_value);
/*
 * Cipher configuration for TLS 1.2-and-below (cipher list) and TLS 1.3
 * (ciphersuites).
 * NOTE(review): as shown, the cipher-list call discards its return value;
 * SSL_CTX_set_cipher_list() returns 0 when no requested cipher could be
 * selected, so a mistyped cipher string would go unreported here.
 */
979 SSL_CTX_set_cipher_list(vh->tls.ssl_client_ctx, cipher_list);
983 SSL_CTX_set_ciphersuites(vh->tls.ssl_client_ctx,
/*
 * Trust anchors: the library's default verify paths, each configured CA
 * directory (failure is tested), then either LWS_OPENSSL_CLIENT_CERTS or an
 * explicit ca_filepath. Which branch runs depends on conditions not listed.
 */
990 SSL_CTX_set_default_verify_paths(vh->tls.ssl_client_ctx);
997 (!SSL_CTX_load_verify_locations(vh->tls.ssl_client_ctx, NULL, info->client_ssl_ca_dirs[i]))) {
1010 vh->tls.ssl_client_ctx, LWS_OPENSSL_CLIENT_CERTS))
1013 vh->tls.ssl_client_ctx, NULL, LWS_OPENSSL_CLIENT_CERTS))
1022 vh->tls.ssl_client_ctx, ca_filepath)) {
1025 vh->tls.ssl_client_ctx, ca_filepath, NULL)) {
/* Replaces the context's certificate store; the new store argument is on a line not listed. */
1068 SSL_CTX_set_cert_store(vh->tls.ssl_client_ctx,
/* Client certificate for the whole vhost: from a chain file or from in-memory ASN.1. */
1094 n = SSL_CTX_use_certificate_chain_file(vh->tls.ssl_client_ctx,
1115 n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
/*
 * Client private key: the passphrase binding is set up before the key file
 * is loaded, and the key is then checked against the certificate with
 * SSL_CTX_check_private_key(). An in-memory ASN.1 key path follows; the
 * first call names RSA, the key type of the second is not listed.
 */
1136 lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, 1, info);
1138 if (SSL_CTX_use_PrivateKey_file(vh->tls.ssl_client_ctx,
1149 if (!SSL_CTX_check_private_key(vh->tls.ssl_client_ctx)) {
1166 n = SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, vh->tls.ssl_client_ctx, p,
1175 vh->tls.ssl_client_ctx, p,