1// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15 16#include "private-lib-core.h" 17 18#include "ssl_lib.h" 19#include "ssl_pkey.h" 20#include "ssl_x509.h" 21#include "ssl_cert.h" 22#include "ssl_dbg.h" 23#include "ssl_port.h" 24 25char * 26lws_strncpy(char *dest, const char *src, size_t size); 27 28#define SSL_SEND_DATA_MAX_LENGTH 1460 29 30/** 31 * @brief create a new SSL session object 32 */ 33static SSL_SESSION* SSL_SESSION_new(void) 34{ 35 SSL_SESSION *session; 36 37 session = ssl_mem_zalloc(sizeof(SSL_SESSION)); 38 if (!session) { 39 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)"); 40 goto failed1; 41 } 42 43 session->peer = X509_new(); 44 if (!session->peer) { 45 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); 46 goto failed2; 47 } 48 49 return session; 50 51failed2: 52 ssl_mem_free(session); 53failed1: 54 return NULL; 55} 56 57/** 58 * @brief free a new SSL session object 59 */ 60static void SSL_SESSION_free(SSL_SESSION *session) 61{ 62 X509_free(session->peer); 63 ssl_mem_free(session); 64} 65 66/** 67 * @brief Discover whether the current connection is in the error state 68 */ 69int ossl_statem_in_error(const SSL *ssl) 70{ 71 SSL_ASSERT1(ssl); 72 73 if (ssl->statem.state == MSG_FLOW_ERROR) 74 return 1; 75 76 return 0; 77} 78 79/** 80 * @brief get the SSL specifical statement 81 */ 82int SSL_want(const SSL *ssl) 83{ 84 SSL_ASSERT1(ssl); 85 86 return ssl->rwstate; 87} 88 89/** 90 * @brief check if SSL want nothing 91 */ 92int SSL_want_nothing(const SSL *ssl) 93{ 94 SSL_ASSERT1(ssl); 95 96 if (ssl->err) 97 return 1; 98 99 return (SSL_want(ssl) == SSL_NOTHING); 100} 101 102/** 103 * @brief check if SSL want to read 104 */ 105int SSL_want_read(const SSL *ssl) 106{ 107 SSL_ASSERT1(ssl); 108 109 if (ssl->err) 110 return 0; 111 112 return (SSL_want(ssl) == SSL_READING); 113} 114 115/** 116 * @brief check if SSL want to write 117 */ 118int SSL_want_write(const SSL *ssl) 119{ 120 SSL_ASSERT1(ssl); 121 122 if (ssl->err) 123 return 0; 124 125 return (SSL_want(ssl) == SSL_WRITING); 126} 127 128/** 129 * @brief check if SSL want to lookup X509 certification 130 */ 131int SSL_want_x509_lookup(const SSL *ssl) 132{ 133 SSL_ASSERT1(ssl); 134 135 return (SSL_want(ssl) == SSL_WRITING); 136} 137 138/** 139 * @brief get SSL error code 140 */ 141int SSL_get_error(const SSL *ssl, int ret_code) 142{ 143 int ret = SSL_ERROR_SYSCALL; 144 145 SSL_ASSERT1(ssl); 146 147 if (ret_code > 0) 148 ret = SSL_ERROR_NONE; 149 else if (ret_code < 0) 150 { 151 if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl)) 152 ret = SSL_ERROR_WANT_READ; 153 else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl)) 154 ret = SSL_ERROR_WANT_WRITE; 155 else 156 ret = SSL_ERROR_SYSCALL; //unknown 157 } 158 else // ret_code == 0 159 { 160 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) 161 ret = SSL_ERROR_ZERO_RETURN; 162 else 163 ret = SSL_ERROR_SYSCALL; 164 } 165 166 return ret; 167} 168 169/** 170 * @brief get the SSL state 171 */ 172OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) 173{ 174 OSSL_HANDSHAKE_STATE state; 175 176 SSL_ASSERT1(ssl); 177 178 state = SSL_METHOD_CALL(get_state, ssl); 179 180 return state; 181} 182 183const char *mbedtls_client_preload_filepath; 184 185/** 186 * @brief create a SSL context 187 */ 188SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx) 189{ 190 SSL_CTX *ctx; 191 CERT *cert; 192 X509 *client_ca; 193#if defined(LWS_HAVE_mbedtls_x509_crt_parse_file) 194 int n; 195#endif 196 197 if (!method) { 198 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method"); 199 return NULL; 200 } 201 202 client_ca = X509_new(); 203 if (!client_ca) { 204 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); 205 goto failed1; 206 } 207 208 cert = ssl_cert_new(rngctx); 209 if (!cert) { 210 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL"); 211 goto failed2; 212 } 213 214 ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX)); 215 if (!ctx) { 216 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)"); 217 goto failed3; 218 } 219 220 ctx->method = method; 221 ctx->client_CA = client_ca; 222 ctx->cert = cert; 223 ctx->rngctx = rngctx; 224 225 ctx->version = method->version; 226 227#if defined(LWS_HAVE_mbedtls_x509_crt_parse_file) 228 if (mbedtls_client_preload_filepath) { 229 mbedtls_x509_crt **px = (mbedtls_x509_crt **)ctx->client_CA->x509_pm; 230 231 *px = malloc(sizeof(**px)); 232 mbedtls_x509_crt_init(*px); 233 n = mbedtls_x509_crt_parse_file(*px, mbedtls_client_preload_filepath); 234 if (n < 0) 235 lwsl_err("%s: unable to load cert bundle 0x%x\n", __func__, -n); 236 else 237 lwsl_info("%s: loaded cert bundle %d\n", __func__, n); 238 } 239#endif 240 241 return ctx; 242 243failed3: 244 ssl_cert_free(cert); 245failed2: 246 X509_free(client_ca); 247failed1: 248 return NULL; 249} 250 251/** 252 * @brief free a SSL context 253 */ 254void SSL_CTX_free(SSL_CTX* ctx) 255{ 256 SSL_ASSERT3(ctx); 257 258 ssl_cert_free(ctx->cert); 259 260 X509_free(ctx->client_CA); 261 262 if (ctx->alpn_protos) { 263 ssl_mem_free((void *)ctx->alpn_protos); 264 ctx->alpn_protos = NULL; 265 } 266 267 ssl_mem_free(ctx); 268} 269 270/** 271 * @brief set the SSL context version 272 */ 273int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) 274{ 275 SSL_ASSERT1(ctx); 276 SSL_ASSERT1(meth); 277 278 ctx->method = meth; 279 280 ctx->version = meth->version; 281 282 return 1; 283} 284 285/** 286 * @brief get the SSL context current method 287 */ 288const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) 289{ 290 SSL_ASSERT2(ctx); 291 292 return ctx->method; 293} 294 295/** 296 * @brief create a SSL 297 */ 298SSL *SSL_new(SSL_CTX *ctx) 299{ 300 int ret = 0; 301 SSL *ssl; 302 303 if (!ctx) { 304 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx"); 305 return NULL; 306 } 307 308 ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL)); 309 if (!ssl) { 310 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)"); 311 goto failed1; 312 } 313 314 ssl->session = SSL_SESSION_new(); 315 if (!ssl->session) { 316 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL"); 317 goto failed2; 318 } 319 320 ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx); 321 if (!ssl->cert) { 322 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL"); 323 goto failed3; 324 } 325 326 ssl->client_CA = __X509_new(ctx->client_CA); 327 if (!ssl->client_CA) { 328 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL"); 329 goto failed4; 330 } 331 332 ssl->ctx = ctx; 333 ssl->method = ctx->method; 334 335 ssl->version = ctx->version; 336 ssl->options = ctx->options; 337 338 ssl->verify_mode = ctx->verify_mode; 339 340 ret = SSL_METHOD_CALL(new, ssl); 341 if (ret) { 342 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); 343 goto failed5; 344 } 345 346 _ssl_set_alpn_list(ssl); 347 348 ssl->rwstate = SSL_NOTHING; 349 350 return ssl; 351 352failed5: 353 X509_free(ssl->client_CA); 354failed4: 355 ssl_cert_free(ssl->cert); 356failed3: 357 SSL_SESSION_free(ssl->session); 358failed2: 359 ssl_mem_free(ssl); 360failed1: 361 return NULL; 362} 363 364/** 365 * @brief free the SSL 366 */ 367void SSL_free(SSL *ssl) 368{ 369 SSL_ASSERT3(ssl); 370 371 SSL_METHOD_CALL(free, ssl); 372 373 X509_free(ssl->client_CA); 374 375 ssl_cert_free(ssl->cert); 376 377 SSL_SESSION_free(ssl->session); 378 379 if (ssl->alpn_protos) { 380 ssl_mem_free((void *)ssl->alpn_protos); 381 ssl->alpn_protos = NULL; 382 } 383 384 ssl_mem_free(ssl); 385} 386 387/** 388 * @brief perform the SSL handshake 389 */ 390int SSL_do_handshake(SSL *ssl) 391{ 392 int ret; 393 394 SSL_ASSERT1(ssl); 395 396 ret = SSL_METHOD_CALL(handshake, ssl); 397 398 return ret; 399} 400 401/** 402 * @brief connect to the remote SSL server 403 */ 404int SSL_connect(SSL *ssl) 405{ 406 SSL_ASSERT1(ssl); 407 408 return SSL_do_handshake(ssl); 409} 410 411/** 412 * @brief accept the remote connection 413 */ 414int SSL_accept(SSL *ssl) 415{ 416 SSL_ASSERT1(ssl); 417 418 return SSL_do_handshake(ssl); 419} 420 421/** 422 * @brief shutdown the connection 423 */ 424int SSL_shutdown(SSL *ssl) 425{ 426 int ret; 427 428 SSL_ASSERT1(ssl); 429 430 if (SSL_get_state(ssl) != TLS_ST_OK) return 1; 431 432 ret = SSL_METHOD_CALL(shutdown, ssl); 433 434 return ret; 435} 436 437/** 438 * @brief reset the SSL 439 */ 440int SSL_clear(SSL *ssl) 441{ 442 int ret; 443 444 SSL_ASSERT1(ssl); 445 446 ret = SSL_shutdown(ssl); 447 if (1 != ret) { 448 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); 449 goto failed1; 450 } 451 452 SSL_METHOD_CALL(free, ssl); 453 454 ret = SSL_METHOD_CALL(new, ssl); 455 if (!ret) { 456 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); 457 goto failed1; 458 } 459 460 return 1; 461 462failed1: 463 return ret; 464} 465 466/** 467 * @brief read data from to remote 468 */ 469int SSL_read(SSL *ssl, void *buffer, int len) 470{ 471 int ret; 472 473 SSL_ASSERT1(ssl); 474 SSL_ASSERT1(buffer); 475 SSL_ASSERT1(len); 476 477 ssl->rwstate = SSL_READING; 478 479 ret = SSL_METHOD_CALL(read, ssl, buffer, len); 480 481 if (ret == len) 482 ssl->rwstate = SSL_NOTHING; 483 484 return ret; 485} 486 487/** 488 * @brief send the data to remote 489 */ 490int SSL_write(SSL *ssl, const void *buffer, int len) 491{ 492 int ret; 493 int send_bytes, bytes; 494 const unsigned char *pbuf; 495 496 SSL_ASSERT1(ssl); 497 SSL_ASSERT1(buffer); 498 SSL_ASSERT1(len); 499 500 ssl->rwstate = SSL_WRITING; 501 502 send_bytes = len; 503 pbuf = (const unsigned char *)buffer; 504 505 do { 506 if (send_bytes > SSL_SEND_DATA_MAX_LENGTH) 507 bytes = SSL_SEND_DATA_MAX_LENGTH; 508 else 509 bytes = send_bytes; 510 511 if (ssl->interrupted_remaining_write) { 512 bytes = ssl->interrupted_remaining_write; 513 ssl->interrupted_remaining_write = 0; 514 } 515 516 ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes); 517 //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes); 518 /* the return is a NEGATIVE OpenSSL error code, or the length sent */ 519 if (ret > 0) { 520 pbuf += ret; 521 send_bytes -= ret; 522 } else 523 ssl->interrupted_remaining_write = bytes; 524 } while (ret > 0 && send_bytes && ret == bytes); 525 526 if (ret >= 0) { 527 ret = len - send_bytes; 528 if (!ret) 529 ssl->rwstate = SSL_NOTHING; 530 } else { 531 if (send_bytes == len) 532 ret = -1; 533 else 534 ret = len - send_bytes; 535 } 536 537 return ret; 538} 539 540/** 541 * @brief get SSL context of the SSL 542 */ 543SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) 544{ 545 SSL_ASSERT2(ssl); 546 547 return ssl->ctx; 548} 549 550/** 551 * @brief get the SSL current method 552 */ 553const SSL_METHOD *SSL_get_ssl_method(SSL *ssl) 554{ 555 SSL_ASSERT2(ssl); 556 557 return ssl->method; 558} 559 560/** 561 * @brief set the SSL method 562 */ 563int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method) 564{ 565 int ret; 566 567 SSL_ASSERT1(ssl); 568 SSL_ASSERT1(method); 569 570 if (ssl->version != method->version) { 571 572 ret = SSL_shutdown(ssl); 573 if (1 != ret) { 574 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); 575 goto failed1; 576 } 577 578 SSL_METHOD_CALL(free, ssl); 579 580 ssl->method = method; 581 582 ret = SSL_METHOD_CALL(new, ssl); 583 if (!ret) { 584 SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); 585 goto failed1; 586 } 587 } else { 588 ssl->method = method; 589 } 590 591 592 return 1; 593 594failed1: 595 return ret; 596} 597 598/** 599 * @brief get SSL shutdown mode 600 */ 601int SSL_get_shutdown(const SSL *ssl) 602{ 603 SSL_ASSERT1(ssl); 604 605 return ssl->shutdown; 606} 607 608/** 609 * @brief set SSL shutdown mode 610 */ 611void SSL_set_shutdown(SSL *ssl, int mode) 612{ 613 SSL_ASSERT3(ssl); 614 615 ssl->shutdown = mode; 616} 617 618 619/** 620 * @brief get the number of the bytes to be read 621 */ 622int SSL_pending(const SSL *ssl) 623{ 624 int ret; 625 626 SSL_ASSERT1(ssl); 627 628 ret = SSL_METHOD_CALL(pending, ssl); 629 630 return ret; 631} 632 633/** 634 * @brief check if some data can be read 635 */ 636int SSL_has_pending(const SSL *ssl) 637{ 638 int ret; 639 640 SSL_ASSERT1(ssl); 641 642 if (SSL_pending(ssl)) 643 ret = 1; 644 else 645 ret = 0; 646 647 return ret; 648} 649 650/** 651 * @brief clear the SSL context option bit of "op" 652 */ 653unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) 654{ 655 SSL_ASSERT1(ctx); 656 657 return ctx->options &= ~op; 658} 659 660/** 661 * @brief get the SSL context option 662 */ 663unsigned long SSL_CTX_get_options(SSL_CTX *ctx) 664{ 665 SSL_ASSERT1(ctx); 666 667 return ctx->options; 668} 669 670/** 671 * @brief set the option of the SSL context 672 */ 673unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt) 674{ 675 SSL_ASSERT1(ctx); 676 677 return ctx->options |= opt; 678} 679 680/** 681 * @brief clear SSL option 682 */ 683unsigned long SSL_clear_options(SSL *ssl, unsigned long op) 684{ 685 SSL_ASSERT1(ssl); 686 687 return ssl->options & ~op; 688} 689 690/** 691 * @brief get SSL option 692 */ 693unsigned long SSL_get_options(SSL *ssl) 694{ 695 SSL_ASSERT1(ssl); 696 697 return ssl->options; 698} 699 700/** 701 * @brief clear SSL option 702 */ 703unsigned long SSL_set_options(SSL *ssl, unsigned long op) 704{ 705 SSL_ASSERT1(ssl); 706 707 return ssl->options |= op; 708} 709 710/** 711 * @brief get the socket handle of the SSL 712 */ 713int SSL_get_fd(const SSL *ssl) 714{ 715 int ret; 716 717 SSL_ASSERT1(ssl); 718 719 ret = SSL_METHOD_CALL(get_fd, ssl, 0); 720 721 return ret; 722} 723 724/** 725 * @brief get the read only socket handle of the SSL 726 */ 727int SSL_get_rfd(const SSL *ssl) 728{ 729 int ret; 730 731 SSL_ASSERT1(ssl); 732 733 ret = SSL_METHOD_CALL(get_fd, ssl, 0); 734 735 return ret; 736} 737 738/** 739 * @brief get the write only socket handle of the SSL 740 */ 741int SSL_get_wfd(const SSL *ssl) 742{ 743 int ret; 744 745 SSL_ASSERT1(ssl); 746 747 ret = SSL_METHOD_CALL(get_fd, ssl, 0); 748 749 return ret; 750} 751 752/** 753 * @brief bind the socket file description into the SSL 754 */ 755int SSL_set_fd(SSL *ssl, int fd) 756{ 757 SSL_ASSERT1(ssl); 758 SSL_ASSERT1(fd >= 0); 759 760 SSL_METHOD_CALL(set_fd, ssl, fd, 0); 761 762 return 1; 763} 764 765/** 766 * @brief bind the read only socket file description into the SSL 767 */ 768int SSL_set_rfd(SSL *ssl, int fd) 769{ 770 SSL_ASSERT1(ssl); 771 SSL_ASSERT1(fd >= 0); 772 773 SSL_METHOD_CALL(set_fd, ssl, fd, 0); 774 775 return 1; 776} 777 778/** 779 * @brief bind the write only socket file description into the SSL 780 */ 781int SSL_set_wfd(SSL *ssl, int fd) 782{ 783 SSL_ASSERT1(ssl); 784 SSL_ASSERT1(fd >= 0); 785 786 SSL_METHOD_CALL(set_fd, ssl, fd, 0); 787 788 return 1; 789} 790 791/** 792 * @brief get SSL version 793 */ 794int SSL_version(const SSL *ssl) 795{ 796 SSL_ASSERT1(ssl); 797 798 return ssl->version; 799} 800 801/** 802 * @brief get the SSL version string 803 */ 804static const char* ssl_protocol_to_string(int version) 805{ 806 const char *str; 807 808 if (version == TLS1_2_VERSION) 809 str = "TLSv1.2"; 810 else if (version == TLS1_1_VERSION) 811 str = "TLSv1.1"; 812 else if (version == TLS1_VERSION) 813 str = "TLSv1"; 814 else if (version == SSL3_VERSION) 815 str = "SSLv3"; 816 else 817 str = "unknown"; 818 819 return str; 820} 821 822/** 823 * @brief get the SSL current version 824 */ 825const char *SSL_get_version(const SSL *ssl) 826{ 827 SSL_ASSERT2(ssl); 828 829 return ssl_protocol_to_string(SSL_version(ssl)); 830} 831 832/** 833 * @brief get alert type string 834 */ 835const char *SSL_alert_type_string(int value) 836{ 837 const char *str; 838 839 switch (value >> 8) 840 { 841 case SSL3_AL_WARNING: 842 str = "W"; 843 break; 844 case SSL3_AL_FATAL: 845 str = "F"; 846 break; 847 default: 848 str = "U"; 849 break; 850 } 851 852 return str; 853} 854 855/** 856 * @brief set the SSL context read buffer length 857 */ 858void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) 859{ 860 SSL_ASSERT3(ctx); 861 862 ctx->read_buffer_len = (int)len; 863} 864 865/** 866 * @brief set the SSL read buffer length 867 */ 868void SSL_set_default_read_buffer_len(SSL *ssl, size_t len) 869{ 870 SSL_ASSERT3(ssl); 871 SSL_ASSERT3(len); 872 873 SSL_METHOD_CALL(set_bufflen, ssl, (int)len); 874} 875 876/** 877 * @brief set the SSL information callback function 878 */ 879void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val)) 880{ 881 SSL_ASSERT3(ssl); 882 883 ssl->info_callback = cb; 884} 885 886/** 887 * @brief add SSL context reference count by '1' 888 */ 889int SSL_CTX_up_ref(SSL_CTX *ctx) 890{ 891 SSL_ASSERT1(ctx); 892 893 /** 894 * no support multi-thread SSL here 895 */ 896 ctx->references++; 897 898 return 1; 899} 900 901/** 902 * @brief set the SSL security level 903 */ 904void SSL_set_security_level(SSL *ssl, int level) 905{ 906 SSL_ASSERT3(ssl); 907 908 ssl->cert->sec_level = level; 909} 910 911/** 912 * @brief get the SSL security level 913 */ 914int SSL_get_security_level(const SSL *ssl) 915{ 916 SSL_ASSERT1(ssl); 917 918 return ssl->cert->sec_level; 919} 920 921/** 922 * @brief get the SSL verifying mode of the SSL context 923 */ 924int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 925{ 926 SSL_ASSERT1(ctx); 927 928 return ctx->verify_mode; 929} 930 931/** 932 * @brief set the session timeout time 933 */ 934long SSL_CTX_set_timeout(SSL_CTX *ctx, long t) 935{ 936 long l; 937 938 SSL_ASSERT1(ctx); 939 940 l = ctx->session_timeout; 941 ctx->session_timeout = t; 942 943 return l; 944} 945 946/** 947 * @brief get the session timeout time 948 */ 949long SSL_CTX_get_timeout(const SSL_CTX *ctx) 950{ 951 SSL_ASSERT1(ctx); 952 953 return ctx->session_timeout; 954} 955 956/** 957 * @brief set the SSL if we can read as many as data 958 */ 959void SSL_set_read_ahead(SSL *ssl, int yes) 960{ 961 SSL_ASSERT3(ssl); 962 963 ssl->rlayer.read_ahead = yes; 964} 965 966/** 967 * @brief set the SSL context if we can read as many as data 968 */ 969void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) 970{ 971 SSL_ASSERT3(ctx); 972 973 ctx->read_ahead = yes; 974} 975 976/** 977 * @brief get the SSL ahead signal if we can read as many as data 978 */ 979int SSL_get_read_ahead(const SSL *ssl) 980{ 981 SSL_ASSERT1(ssl); 982 983 return ssl->rlayer.read_ahead; 984} 985 986/** 987 * @brief get the SSL context ahead signal if we can read as many as data 988 */ 989long SSL_CTX_get_read_ahead(SSL_CTX *ctx) 990{ 991 SSL_ASSERT1(ctx); 992 993 return ctx->read_ahead; 994} 995 996/** 997 * @brief check if the SSL context can read as many as data 998 */ 999long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx) 1000{ 1001 SSL_ASSERT1(ctx); 1002 1003 return ctx->read_ahead; 1004} 1005 1006/** 1007 * @brief set SSL session time 1008 */ 1009long SSL_set_time(SSL *ssl, long t) 1010{ 1011 SSL_ASSERT1(ssl); 1012 1013 ssl->session->time = t; 1014 1015 return t; 1016} 1017 1018/** 1019 * @brief set SSL session timeout time 1020 */ 1021long SSL_set_timeout(SSL *ssl, long t) 1022{ 1023 SSL_ASSERT1(ssl); 1024 1025 ssl->session->timeout = t; 1026 1027 return t; 1028} 1029 1030/** 1031 * @brief get the verifying result of the SSL certification 1032 */ 1033long SSL_get_verify_result(const SSL *ssl) 1034{ 1035 SSL_ASSERT1(ssl); 1036 1037 return SSL_METHOD_CALL(get_verify_result, ssl); 1038} 1039 1040/** 1041 * @brief get the SSL verifying depth of the SSL context 1042 */ 1043int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 1044{ 1045 SSL_ASSERT1(ctx); 1046 1047 return ctx->param.depth; 1048} 1049 1050/** 1051 * @brief set the SSL verify depth of the SSL context 1052 */ 1053void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) 1054{ 1055 SSL_ASSERT3(ctx); 1056 1057 ctx->param.depth = depth; 1058} 1059 1060/** 1061 * @brief get the SSL verifying depth of the SSL 1062 */ 1063int SSL_get_verify_depth(const SSL *ssl) 1064{ 1065 SSL_ASSERT1(ssl); 1066 1067 return ssl->param.depth; 1068} 1069 1070/** 1071 * @brief set the SSL verify depth of the SSL 1072 */ 1073void SSL_set_verify_depth(SSL *ssl, int depth) 1074{ 1075 SSL_ASSERT3(ssl); 1076 1077 ssl->param.depth = depth; 1078} 1079 1080/** 1081 * @brief set the SSL context verifying of the SSL context 1082 */ 1083void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(SSL *, mbedtls_x509_crt *)) 1084{ 1085 SSL_ASSERT3(ctx); 1086 1087 ctx->verify_mode = mode; 1088 ctx->default_verify_callback = verify_callback; 1089} 1090 1091/** 1092 * @brief set the SSL verifying of the SSL context 1093 */ 1094void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(SSL *, mbedtls_x509_crt *)) 1095{ 1096 SSL_ASSERT3(ssl); 1097 1098 ssl->verify_mode = mode; 1099 ssl->verify_callback = verify_callback; 1100} 1101 1102void ERR_error_string_n(unsigned long e, char *buf, size_t len) 1103{ 1104 lws_strncpy(buf, "unknown", len); 1105} 1106 1107void ERR_free_strings(void) 1108{ 1109} 1110 1111char *ERR_error_string(unsigned long e, char *buf) 1112{ 1113 if (!buf) 1114 return "unknown"; 1115 1116 switch(e) { 1117 case X509_V_ERR_INVALID_CA: 1118 strcpy(buf, "CA is not trusted"); 1119 break; 1120 case X509_V_ERR_HOSTNAME_MISMATCH: 1121 strcpy(buf, "Hostname mismatch"); 1122 break; 1123 case X509_V_ERR_CA_KEY_TOO_SMALL: 1124 strcpy(buf, "CA key too small"); 1125 break; 1126 case X509_V_ERR_CA_MD_TOO_WEAK: 1127 strcpy(buf, "MD key too weak"); 1128 break; 1129 case X509_V_ERR_CERT_NOT_YET_VALID: 1130 strcpy(buf, "Cert from the future"); 1131 break; 1132 case X509_V_ERR_CERT_HAS_EXPIRED: 1133 strcpy(buf, "Cert expired"); 1134 break; 1135 default: 1136 strcpy(buf, "unknown"); 1137 break; 1138 } 1139 1140 return buf; 1141} 1142 1143void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) 1144{ 1145 return NULL; 1146} 1147 1148/* 1149 * Openssl wants the valid protocol names supplied like this: 1150 * 1151 * (unsigned char *)"\x02h2\x08http/1.1", 6 + 9 1152 * 1153 * Mbedtls wants this: 1154 * 1155 * Pointer to a NULL-terminated list of supported protocols, in decreasing 1156 * preference order. The pointer to the list is recorded by the library for 1157 * later reference as required, so the lifetime of the table must be at least 1158 * as long as the lifetime of the SSL configuration structure. 1159 * 1160 * So accept the OpenSSL style and convert to mbedtls style 1161 */ 1162 1163 1164static void 1165_openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos) 1166{ 1167 unsigned char *p = ac->data, *q; 1168 unsigned char len; 1169 char **alpn_protos; 1170 int count = 0; 1171 1172 /* find out how many entries he gave us */ 1173 1174 if (ac->len) { 1175 len = *p++; 1176 if (len) 1177 count++; 1178 while (p - ac->data < ac->len) { 1179 if (len--) { 1180 p++; 1181 continue; 1182 } 1183 len = *p++; 1184 if (!len) 1185 break; 1186 count++; 1187 } 1188 } 1189 1190 if (!count) 1191 return; 1192 1193 /* allocate space for count + 1 pointers and the data afterwards */ 1194 1195 alpn_protos = ssl_mem_zalloc((unsigned int)(count + 1) * sizeof(char *) + ac->len + 1); 1196 if (!alpn_protos) 1197 return; 1198 1199 *palpn_protos = alpn_protos; 1200 1201 /* convert to mbedtls format */ 1202 1203 q = (unsigned char *)alpn_protos + (unsigned int)(count + 1) * sizeof(char *); 1204 p = ac->data; 1205 count = 0; 1206 1207 len = *p++; 1208 alpn_protos[count] = (char *)q; 1209 while (p - ac->data < ac->len) { 1210 if (len--) { 1211 *q++ = *p++; 1212 continue; 1213 } 1214 *q++ = '\0'; 1215 count++; 1216 len = *p++; 1217 alpn_protos[count] = (char *)q; 1218 if (!len) 1219 break; 1220 } 1221 if (!len) { 1222 *q++ = '\0'; 1223 count++; 1224 /* len = *p++; */ 1225 alpn_protos[count] = (char *)q; 1226 } 1227 alpn_protos[count] = NULL; /* last pointer ends list with NULL */ 1228} 1229 1230void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg) 1231{ 1232 struct alpn_ctx *ac = arg; 1233 1234 ctx->alpn_cb = cb; 1235 1236 _openssl_alpn_to_mbedtls(ac, (char ***)&ctx->alpn_protos); 1237} 1238 1239void SSL_set_alpn_select_cb(SSL *ssl, void *arg) 1240{ 1241 struct alpn_ctx *ac = arg; 1242 1243 _openssl_alpn_to_mbedtls(ac, (char ***)&ssl->alpn_protos); 1244 1245 _ssl_set_alpn_list(ssl); 1246} 1247