godotengine/godot
1
0
Fork 0
mirror of https://github.com/godotengine/godot.git synced 2025-11-23 15:16:17 +00:00
Code Releases Wiki Activity

Update libwebsockets to 3.1 (plus UWP patch)

Browse Source
This commit is contained in:
Fabio Alessandrelli
2019-03-06 01:07:13 +01:00
parent f43ee4aff8
commit 90210c4862
140 changed files with 16943 additions and 12437 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
thirdparty/libwebsockets/lib/tls/mbedtls/lws-genhash.c vendored Normal file
View File

@@ -0,0 +1,202 @@
/*
* libwebsockets - generic hash and HMAC api hiding the backend
*
* Copyright (C) 2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*
* lws_genhash provides a hash / hmac abstraction api in lws that works the
* same whether you are using openssl or mbedtls hash functions underneath.
*/
#include "libwebsockets.h"
#include <mbedtls/version.h>
#if (MBEDTLS_VERSION_NUMBER >= 0x02070000)
#define MBA(fn) fn##_ret
#else
#define MBA(fn) fn
#endif
size_t
lws_genhash_size(enum lws_genhash_types type)
{
switch(type) {
case LWS_GENHASH_TYPE_SHA1:
return 20;
case LWS_GENHASH_TYPE_SHA256:
return 32;
case LWS_GENHASH_TYPE_SHA384:
return 48;
case LWS_GENHASH_TYPE_SHA512:
return 64;
}
return 0;
}
int
lws_genhash_init(struct lws_genhash_ctx *ctx, enum lws_genhash_types type)
{
ctx->type = type;
switch (ctx->type) {
case LWS_GENHASH_TYPE_SHA1:
mbedtls_sha1_init(&ctx->u.sha1);
MBA(mbedtls_sha1_starts)(&ctx->u.sha1);
break;
case LWS_GENHASH_TYPE_SHA256:
mbedtls_sha256_init(&ctx->u.sha256);
MBA(mbedtls_sha256_starts)(&ctx->u.sha256, 0);
break;
case LWS_GENHASH_TYPE_SHA384:
mbedtls_sha512_init(&ctx->u.sha512);
MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 1 /* is384 */);
break;
case LWS_GENHASH_TYPE_SHA512:
mbedtls_sha512_init(&ctx->u.sha512);
MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 0);
break;
default:
return 1;
}
return 0;
}
int
lws_genhash_update(struct lws_genhash_ctx *ctx, const void *in, size_t len)
{
switch (ctx->type) {
case LWS_GENHASH_TYPE_SHA1:
MBA(mbedtls_sha1_update)(&ctx->u.sha1, in, len);
break;
case LWS_GENHASH_TYPE_SHA256:
MBA(mbedtls_sha256_update)(&ctx->u.sha256, in, len);
break;
case LWS_GENHASH_TYPE_SHA384:
MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len);
break;
case LWS_GENHASH_TYPE_SHA512:
MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len);
break;
}
return 0;
}
int
lws_genhash_destroy(struct lws_genhash_ctx *ctx, void *result)
{
switch (ctx->type) {
case LWS_GENHASH_TYPE_SHA1:
MBA(mbedtls_sha1_finish)(&ctx->u.sha1, result);
mbedtls_sha1_free(&ctx->u.sha1);
break;
case LWS_GENHASH_TYPE_SHA256:
MBA(mbedtls_sha256_finish)(&ctx->u.sha256, result);
mbedtls_sha256_free(&ctx->u.sha256);
break;
case LWS_GENHASH_TYPE_SHA384:
MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result);
mbedtls_sha512_free(&ctx->u.sha512);
break;
case LWS_GENHASH_TYPE_SHA512:
MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result);
mbedtls_sha512_free(&ctx->u.sha512);
break;
}
return 0;
}
size_t
lws_genhmac_size(enum lws_genhmac_types type)
{
switch(type) {
case LWS_GENHMAC_TYPE_SHA256:
return 32;
case LWS_GENHMAC_TYPE_SHA384:
return 48;
case LWS_GENHMAC_TYPE_SHA512:
return 64;
}
return 0;
}
int
lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type,
const uint8_t *key, size_t key_len)
{
int t;
ctx->type = type;
switch (type) {
case LWS_GENHMAC_TYPE_SHA256:
t = MBEDTLS_MD_SHA256;
break;
case LWS_GENHMAC_TYPE_SHA384:
t = MBEDTLS_MD_SHA384;
break;
case LWS_GENHMAC_TYPE_SHA512:
t = MBEDTLS_MD_SHA512;
break;
default:
return -1;
}
ctx->hmac = mbedtls_md_info_from_type(t);
if (!ctx->hmac)
return -1;
if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
return -1;
if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len)) {
mbedtls_md_free(&ctx->ctx);
ctx->hmac = NULL;
return -1;
}
return 0;
}
int
lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len)
{
if (mbedtls_md_hmac_update(&ctx->ctx, in, len))
return -1;
return 0;
}
int
lws_genhmac_destroy(struct lws_genhmac_ctx *ctx, void *result)
{
int n = 0;
if (result)
n = mbedtls_md_hmac_finish(&ctx->ctx, result);
mbedtls_md_free(&ctx->ctx);
ctx->hmac = NULL;
if (n)
return -1;
return 0;
}

329
thirdparty/libwebsockets/lib/tls/mbedtls/lws-genrsa.c vendored Normal file
View File

@@ -0,0 +1,329 @@
/*
* libwebsockets - generic RSA api hiding the backend
*
* Copyright (C) 2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*
* lws_genhash provides a hash / hmac abstraction api in lws that works the
* same whether you are using openssl or mbedtls hash functions underneath.
*/
#include "core/private.h"
LWS_VISIBLE void
lws_jwk_destroy_genrsa_elements(struct lws_genrsa_elements *el)
{
int n;
for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
if (el->e[n].buf)
lws_free_set_NULL(el->e[n].buf);
}
LWS_VISIBLE int
lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_genrsa_elements *el)
{
memset(ctx, 0, sizeof(*ctx));
ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
if (!ctx->ctx)
return 1;
mbedtls_rsa_init(ctx->ctx, MBEDTLS_RSA_PKCS_V15, 0);
{
int n;
mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
&ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
&ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
&ctx->ctx->QP,
};
for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
if (el->e[n].buf &&
mbedtls_mpi_read_binary(mpi[n], el->e[n].buf,
el->e[n].len)) {
lwsl_notice("mpi load failed\n");
lws_free_set_NULL(ctx->ctx);
return -1;
}
}
ctx->ctx->len = el->e[JWK_KEY_N].len;
return 0;
}
static int
_rngf(void *context, unsigned char *buf, size_t len)
{
if ((size_t)lws_get_random(context, buf, len) == len)
return 0;
return -1;
}
LWS_VISIBLE int
lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx,
struct lws_genrsa_elements *el, int bits)
{
int n;
memset(ctx, 0, sizeof(*ctx));
ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
if (!ctx->ctx)
return -1;
mbedtls_rsa_init(ctx->ctx, MBEDTLS_RSA_PKCS_V15, 0);
n = mbedtls_rsa_gen_key(ctx->ctx, _rngf, context, bits, 65537);
if (n) {
lwsl_err("mbedtls_rsa_gen_key failed 0x%x\n", -n);
goto cleanup_1;
}
{
mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
&ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
&ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
&ctx->ctx->QP,
};
for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
if (mbedtls_mpi_size(mpi[n])) {
el->e[n].buf = lws_malloc(
mbedtls_mpi_size(mpi[n]), "genrsakey");
if (!el->e[n].buf)
goto cleanup;
el->e[n].len = mbedtls_mpi_size(mpi[n]);
mbedtls_mpi_write_binary(mpi[n], el->e[n].buf,
el->e[n].len);
}
}
return 0;
cleanup:
for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
if (el->e[n].buf)
lws_free_set_NULL(el->e[n].buf);
cleanup_1:
lws_free(ctx->ctx);
return -1;
}
LWS_VISIBLE int
lws_genrsa_public_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
size_t in_len, uint8_t *out, size_t out_max)
{
size_t olen = 0;
int n;
ctx->ctx->len = in_len;
n = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx->ctx, NULL, NULL,
MBEDTLS_RSA_PUBLIC,
&olen, in, out, out_max);
if (n) {
lwsl_notice("%s: -0x%x\n", __func__, -n);
return -1;
}
return olen;
}
LWS_VISIBLE int
lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
size_t in_len, uint8_t *out)
{
int n;
ctx->ctx->len = in_len;
n = mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx->ctx, NULL, NULL,
MBEDTLS_RSA_PRIVATE,
in_len, in, out);
if (n) {
lwsl_notice("%s: -0x%x\n", __func__, -n);
return -1;
}
return 0;
}
static int
lws_genrsa_genrsa_hash_to_mbed_hash(enum lws_genhash_types hash_type)
{
int h = -1;
switch (hash_type) {
case LWS_GENHASH_TYPE_SHA1:
h = MBEDTLS_MD_SHA1;
break;
case LWS_GENHASH_TYPE_SHA256:
h = MBEDTLS_MD_SHA256;
break;
case LWS_GENHASH_TYPE_SHA384:
h = MBEDTLS_MD_SHA384;
break;
case LWS_GENHASH_TYPE_SHA512:
h = MBEDTLS_MD_SHA512;
break;
}
return h;
}
LWS_VISIBLE int
lws_genrsa_public_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
enum lws_genhash_types hash_type, const uint8_t *sig,
size_t sig_len)
{
int n, h = lws_genrsa_genrsa_hash_to_mbed_hash(hash_type);
if (h < 0)
return -1;
n = mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx->ctx, NULL, NULL,
MBEDTLS_RSA_PUBLIC,
h, 0, in, sig);
if (n < 0) {
lwsl_notice("%s: -0x%x\n", __func__, -n);
return -1;
}
return n;
}
LWS_VISIBLE int
lws_genrsa_public_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
enum lws_genhash_types hash_type, uint8_t *sig,
size_t sig_len)
{
int n, h = lws_genrsa_genrsa_hash_to_mbed_hash(hash_type);
if (h < 0)
return -1;
/*
* The "sig" buffer must be as large as the size of ctx->N
* (eg. 128 bytes if RSA-1024 is used).
*/
if (sig_len < ctx->ctx->len)
return -1;
n = mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx->ctx, NULL, NULL,
MBEDTLS_RSA_PRIVATE, h, 0, in,
sig);
if (n < 0) {
lwsl_notice("%s: -0x%x\n", __func__, -n);
return -1;
}
return ctx->ctx->len;
}
LWS_VISIBLE int
lws_genrsa_render_pkey_asn1(struct lws_genrsa_ctx *ctx, int _private,
uint8_t *pkey_asn1, size_t pkey_asn1_len)
{
uint8_t *p = pkey_asn1, *totlen, *end = pkey_asn1 + pkey_asn1_len - 1;
mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
&ctx->ctx->N, &ctx->ctx->E, &ctx->ctx->D, &ctx->ctx->P,
&ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
&ctx->ctx->QP,
};
int n;
/* 30 82 - sequence
* 09 29 <-- length(0x0929) less 4 bytes
* 02 01 <- length (1)
* 00
* 02 82
* 02 01 <- length (513) N
* ...
*
* 02 03 <- length (3) E
* 01 00 01
*
* 02 82
* 02 00 <- length (512) D P Q EXP1 EXP2 COEFF
*
* */
*p++ = 0x30;
*p++ = 0x82;
totlen = p;
p += 2;
*p++ = 0x02;
*p++ = 0x01;
*p++ = 0x00;
for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++) {
int m = mbedtls_mpi_size(mpi[n]);
uint8_t *elen;
*p++ = 0x02;
elen = p;
if (m < 0x7f)
*p++ = m;
else {
*p++ = 0x82;
*p++ = m >> 8;
*p++ = m & 0xff;
}
if (p + m > end)
return -1;
mbedtls_mpi_write_binary(mpi[n], p, m);
if (p[0] & 0x80) {
p[0] = 0x00;
mbedtls_mpi_write_binary(mpi[n], &p[1], m);
m++;
}
if (m < 0x7f)
*elen = m;
else {
*elen++ = 0x82;
*elen++ = m >> 8;
*elen = m & 0xff;
}
p += m;
}
n = lws_ptr_diff(p, pkey_asn1);
*totlen++ = (n - 4) >> 8;
*totlen = (n - 4) & 0xff;
return n;
}
LWS_VISIBLE void
lws_genrsa_destroy(struct lws_genrsa_ctx *ctx)
{
if (!ctx->ctx)
return;
mbedtls_rsa_free(ctx->ctx);
lws_free(ctx->ctx);
ctx->ctx = NULL;
}

245
thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-client.c vendored Normal file
View File

@@ -0,0 +1,245 @@
/*
* libwebsockets - mbedtls-specific client TLS code
*
* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*/
#include "core/private.h"
static int
OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
return 0;
}
int
lws_ssl_client_bio_create(struct lws *wsi)
{
char hostname[128], *p;
const char *alpn_comma = wsi->context->tls.alpn_default;
struct alpn_ctx protos;
if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
_WSI_TOKEN_CLIENT_HOST) <= 0) {
lwsl_err("%s: Unable to get hostname\n", __func__);
return -1;
}
/*
* remove any :port part on the hostname... necessary for network
* connection but typical certificates do not contain it
*/
p = hostname;
while (*p) {
if (*p == ':') {
*p = '\0';
break;
}
p++;
}
wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
if (!wsi->tls.ssl)
return -1;
if (wsi->vhost->tls.ssl_info_event_mask)
SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
/* Enable automatic hostname checks */
// X509_VERIFY_PARAM_set_hostflags(param,
// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
}
if (wsi->vhost->tls.alpn)
alpn_comma = wsi->vhost->tls.alpn;
if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
_WSI_TOKEN_CLIENT_ALPN) > 0)
alpn_comma = hostname;
lwsl_info("%s: %p: client conn sending ALPN list '%s'\n",
__func__, wsi, alpn_comma);
protos.len = lws_alpn_comma_to_openssl(alpn_comma, protos.data,
sizeof(protos.data) - 1);
/* with mbedtls, protos is not pointed to after exit from this call */
SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
/*
* use server name indication (SNI), if supported,
* when establishing connection
*/
SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
OpenSSL_client_verify_callback);
SSL_set_fd(wsi->tls.ssl, wsi->desc.sockfd);
return 0;
}
int ERR_get_error(void)
{
return 0;
}
enum lws_ssl_capable_status
lws_tls_client_connect(struct lws *wsi)
{
int m, n = SSL_connect(wsi->tls.ssl);
const unsigned char *prot;
unsigned int len;
if (n == 1) {
SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
lws_role_call_alpn_negotiated(wsi, (const char *)prot);
lwsl_info("client connect OK\n");
return LWS_SSL_CAPABLE_DONE;
}
m = SSL_get_error(wsi->tls.ssl, n);
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
if (!n) /* we don't know what he wants, but he says to retry */
return LWS_SSL_CAPABLE_MORE_SERVICE;
return LWS_SSL_CAPABLE_ERROR;
}
int
lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
{
int n;
X509 *peer = SSL_get_peer_certificate(wsi->tls.ssl);
struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
char *sb = (char *)&pt->serv_buf[0];
if (!peer) {
lwsl_info("peer did not provide cert\n");
return -1;
}
lwsl_info("peer provided cert\n");
n = SSL_get_verify_result(wsi->tls.ssl);
lws_latency(wsi->context, wsi,
"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
lwsl_debug("get_verify says %d\n", n);
if (n == X509_V_OK)
return 0;
if (n == X509_V_ERR_HOSTNAME_MISMATCH &&
(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
lwsl_info("accepting certificate for invalid hostname\n");
return 0;
}
if (n == X509_V_ERR_INVALID_CA &&
(wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)) {
lwsl_info("accepting certificate from untrusted CA\n");
return 0;
}
if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
n == X509_V_ERR_CERT_HAS_EXPIRED) &&
(wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED)) {
lwsl_info("accepting expired or not yet valid certificate\n");
return 0;
}
lws_snprintf(ebuf, ebuf_len,
"server's cert didn't look good, X509_V_ERR = %d: %s\n",
n, ERR_error_string(n, sb));
lwsl_info("%s\n", ebuf);
lws_ssl_elaborate_error();
return -1;
}
int
lws_tls_client_create_vhost_context(struct lws_vhost *vh,
const struct lws_context_creation_info *info,
const char *cipher_list,
const char *ca_filepath,
const void *ca_mem,
unsigned int ca_mem_len,
const char *cert_filepath,
const char *private_key_filepath)
{
X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
SSL_METHOD *method = (SSL_METHOD *)TLS_client_method();
unsigned long error;
lws_filepos_t len;
uint8_t *buf;
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)vh->context->pt[0].serv_buf));
return 1;
}
/* create context */
vh->tls.ssl_client_ctx = SSL_CTX_new(method);
if (!vh->tls.ssl_client_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)vh->context->pt[0].serv_buf));
return 1;
}
if (!ca_filepath && (!ca_mem || !ca_mem_len))
return 0;
if (ca_filepath) {
if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
lwsl_err("Load CA cert file %s failed\n", ca_filepath);
return 1;
}
vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
free(buf);
} else {
vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
}
if (!vh->tls.x509_client_CA) {
lwsl_err("client CA: x509 parse failed\n");
return 1;
}
if (!vh->tls.ssl_ctx)
SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
else
SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
lwsl_notice("client loaded CA for verification %s\n", ca_filepath);
return 0;
}

699
thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-server.c vendored Normal file
View File

@@ -0,0 +1,699 @@
/*
* libwebsockets - mbedTLS-specific server functions
*
* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*/
#include "core/private.h"
#include <mbedtls/x509_csr.h>
int
lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
{
int verify_options = SSL_VERIFY_PEER;
/* as a server, are we requiring clients to identify themselves? */
if (!lws_check_opt(vh->options,
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
lwsl_notice("no client cert required\n");
return 0;
}
/*
* The wrapper has this messed-up mapping:
*
* else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
* mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
*
* ie the meaning is inverted. So where we should test for ! we don't
*/
if (lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
verify_options);
SSL_CTX_set_verify(vh->tls.ssl_ctx, verify_options, NULL);
return 0;
}
static int
lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
const unsigned char *servername, size_t len)
{
SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx);
struct lws_context *context = (struct lws_context *)arg;
struct lws_vhost *vhost, *vh;
lwsl_notice("%s: %s\n", __func__, servername);
/*
* We can only get ssl accepted connections by using a vhost's ssl_ctx
* find out which listening one took us and only match vhosts on the
* same port.
*/
vh = context->vhost_list;
while (vh) {
if (!vh->being_destroyed &&
vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
if (!vh) {
assert(vh); /* can't match the incoming vh? */
return 0;
}
vhost = lws_select_vhost(context, vh->listen_port,
(const char *)servername);
if (!vhost) {
lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);
return 0;
}
lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername,
vh->listen_port, vhost->name);
/* select the ssl ctx from the selected vhost for this conn */
SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);
return 0;
}
int
lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
const char *cert, const char *private_key,
const char *mem_cert, size_t len_mem_cert,
const char *mem_privkey, size_t mem_privkey_len)
{
int n, f = 0;
const char *filepath = private_key;
uint8_t *mem = NULL, *p = NULL;
size_t mem_len = 0;
lws_filepos_t flen;
long err;
if ((!cert || !private_key) && (!mem_cert || !mem_privkey)) {
lwsl_notice("%s: no usable input\n", __func__);
return 0;
}
n = lws_tls_generic_cert_checks(vhost, cert, private_key);
if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey))
return 0;
/*
* we can't read the root-privs files. But if mem_cert is provided,
* we should use that.
*/
if (n == LWS_TLS_EXTANT_NO)
n = LWS_TLS_EXTANT_ALTERNATIVE;
if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey))
return 1; /* no alternative */
if (n == LWS_TLS_EXTANT_ALTERNATIVE) {
/*
* Although we have prepared update certs, we no longer have
* the rights to read our own cert + key we saved.
*
* If we were passed copies in memory buffers, use those
* instead.
*
* The passed memory-buffer cert image is in DER, and the
* memory-buffer private key image is PEM.
*/
/* mem cert is already DER */
p = (uint8_t *)mem_cert;
flen = len_mem_cert;
/* mem private key is PEM, so go through the motions */
mem = (uint8_t *)mem_privkey;
mem_len = mem_privkey_len;
filepath = NULL;
} else {
if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, NULL,
0, &p, &flen)) {
lwsl_err("couldn't find cert file %s\n", cert);
return 1;
}
f = 1;
}
err = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, flen, p);
if (!err) {
free(p);
lwsl_err("Problem loading cert\n");
return 1;
}
if (f)
free(p);
p = NULL;
if (private_key || n == LWS_TLS_EXTANT_ALTERNATIVE) {
if (lws_tls_alloc_pem_to_der_file(vhost->context, filepath,
(char *)mem, mem_len, &p,
&flen)) {
lwsl_err("couldn't find private key file %s\n",
private_key);
return 1;
}
err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, p, flen);
if (!err) {
free(p);
lwsl_err("Problem loading key\n");
return 1;
}
}
if (p && !mem_privkey) {
free(p);
p = NULL;
}
if (!private_key && !mem_privkey &&
vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->tls.ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
vhost->tls.skipped_certs = 0;
return 0;
}
int
lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
struct lws_vhost *vhost, struct lws *wsi)
{
const SSL_METHOD *method = TLS_server_method();
uint8_t *p;
lws_filepos_t flen;
int n;
vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->tls.ssl_ctx) {
lwsl_err("problem creating ssl context\n");
return 1;
}
if (!vhost->tls.use_ssl || !info->ssl_cert_filepath)
return 0;
if (info->ssl_ca_filepath) {
lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__,
vhost->name, info->ssl_ca_filepath);
if (lws_tls_alloc_pem_to_der_file(vhost->context,
info->ssl_ca_filepath, NULL, 0, &p, &flen)) {
lwsl_err("couldn't find client CA file %s\n",
info->ssl_ca_filepath);
return 1;
}
if (SSL_CTX_add_client_CA_ASN1(vhost->tls.ssl_ctx, (int)flen, p) != 1) {
lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n",
__func__);
free(p);
return 1;
}
free(p);
}
n = lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
info->ssl_private_key_filepath, NULL,
0, NULL, 0);
if (n)
return n;
return 0;
}
int
lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
{
errno = 0;
wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx);
if (wsi->tls.ssl == NULL) {
lwsl_err("SSL_new failed: errno %d\n", errno);
lws_ssl_elaborate_error();
return 1;
}
SSL_set_fd(wsi->tls.ssl, accept_fd);
if (wsi->vhost->tls.ssl_info_event_mask)
SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
SSL_set_sni_callback(wsi->tls.ssl, lws_mbedtls_sni_cb, wsi->context);
return 0;
}
int
lws_tls_server_abort_connection(struct lws *wsi)
{
__lws_tls_shutdown(wsi);
SSL_free(wsi->tls.ssl);
return 0;
}
enum lws_ssl_capable_status
lws_tls_server_accept(struct lws *wsi)
{
union lws_tls_cert_info_results ir;
int m, n;
n = SSL_accept(wsi->tls.ssl);
if (n == 1) {
if (strstr(wsi->vhost->name, ".invalid")) {
lwsl_notice("%s: vhost has .invalid, "
"rejecting accept\n", __func__);
return LWS_SSL_CAPABLE_ERROR;
}
n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME,
&ir, sizeof(ir.ns.name));
if (!n)
lwsl_notice("%s: client cert CN '%s'\n",
__func__, ir.ns.name);
else
lwsl_info("%s: couldn't get client cert CN\n",
__func__);
return LWS_SSL_CAPABLE_DONE;
}
m = SSL_get_error(wsi->tls.ssl, n);
lwsl_debug("%s: %p: accept SSL_get_error %d errno %d\n", __func__,
wsi, m, errno);
// mbedtls wrapper only
if (m == SSL_ERROR_SYSCALL && errno == 11)
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
return LWS_SSL_CAPABLE_ERROR;
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
lwsl_info("%s: WANT_READ change_pollfd failed\n",
__func__);
return LWS_SSL_CAPABLE_ERROR;
}
lwsl_info("SSL_ERROR_WANT_READ\n");
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
}
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
lwsl_debug("%s: WANT_WRITE\n", __func__);
if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) {
lwsl_info("%s: WANT_WRITE change_pollfd failed\n",
__func__);
return LWS_SSL_CAPABLE_ERROR;
}
return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
}
return LWS_SSL_CAPABLE_ERROR;
}
#if defined(LWS_WITH_ACME)
/*
* mbedtls doesn't support SAN for cert creation. So we use a known-good
* tls-sni-01 cert from OpenSSL that worked on Let's Encrypt, and just replace
* the pubkey n part and the signature part.
*
* This will need redoing for tls-sni-02...
*/
static uint8_t ss_cert_leadin[] = {
0x30, 0x82,
0x05, 0x56, /* total length: LEN1 (+2 / +3) (correct for 513 + 512)*/
0x30, 0x82, /* length: LEN2 (+6 / +7) (correct for 513) */
0x03, 0x3e,
/* addition: v3 cert (+5 bytes)*/
0xa0, 0x03,
0x02, 0x01, 0x02,
0x02, 0x01, 0x01,
0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3f,
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47,
0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b,
0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31,
0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x74, 0x65,
0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61,
0x6c, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d,
/* from 2017-10-29 ... */
0x31, 0x37, 0x31, 0x30, 0x32, 0x39, 0x31, 0x31, 0x34, 0x39, 0x34, 0x35,
0x5a, 0x17, 0x0d,
/* thru 2049-10-29 we immediately discard the private key, no worries */
0x34, 0x39, 0x31, 0x30, 0x32, 0x39, 0x31, 0x32, 0x34, 0x39, 0x34, 0x35,
0x5a,
0x30, 0x3f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x47, 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x0c, 0x0b, 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e,
0x79, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11,
0x74, 0x65, 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e,
0x76, 0x61, 0x6c, 0x69, 0x64, 0x30,
0x82,
0x02, 0x22, /* LEN3 (+C3 / C4) */
0x30, 0x0d, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
0x03,
0x82,
0x02, 0x0f, /* LEN4 (+D6 / D7) */
0x00, 0x30, 0x82,
0x02, 0x0a, /* LEN5 (+ DB / DC) */
0x02, 0x82,
//0x02, 0x01, /* length of n in bytes (including leading 00 if any) */
},
/* 1 + (keybits / 8) bytes N */
ss_cert_san_leadin[] = {
/* e - fixed */
0x02, 0x03, 0x01, 0x00, 0x01,
0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x59, 0x06, 0x03, 0x55, 0x1d,
0x11, 0x04, 0x52, 0x30, 0x50, /* <-- SAN length + 2 */
0x82, 0x4e, /* <-- SAN length */
},
/* 78 bytes of SAN (tls-sni-01)
0x61, 0x64, 0x34, 0x31, 0x61, 0x66, 0x62, 0x65, 0x30, 0x63, 0x61, 0x34,
0x36, 0x34, 0x32, 0x66, 0x30, 0x61, 0x34, 0x34, 0x39, 0x64, 0x39, 0x63,
0x61, 0x37, 0x36, 0x65, 0x62, 0x61, 0x61, 0x62, 0x2e, 0x32, 0x38, 0x39,
0x34, 0x64, 0x34, 0x31, 0x36, 0x63, 0x39, 0x38, 0x33, 0x66, 0x31, 0x32,
0x65, 0x64, 0x37, 0x33, 0x31, 0x61, 0x33, 0x30, 0x66, 0x35, 0x63, 0x34,
0x34, 0x37, 0x37, 0x66, 0x65, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69,
0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, */
/* end of LEN2 area */
ss_cert_sig_leadin[] = {
/* it's saying that the signature is SHA256 + RSA */
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
0x82,
0x02, 0x01,
0x00,
};
/* (keybits / 8) bytes signature to end of LEN1 area */
#define SAN_A_LENGTH 78
LWS_VISIBLE int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
int buflen = 0x560;
uint8_t *buf = lws_malloc(buflen, "tmp cert buf"), *p = buf, *pkey_asn1;
struct lws_genrsa_ctx ctx;
struct lws_genrsa_elements el;
uint8_t digest[32];
struct lws_genhash_ctx hash_ctx;
int pkey_asn1_len = 3 * 1024;
int n, m, keybits = lws_plat_recommended_rsa_bits(), adj;
if (!buf)
return 1;
n = lws_genrsa_new_keypair(vhost->context, &ctx, &el, keybits);
if (n < 0) {
lws_jwk_destroy_genrsa_elements(&el);
goto bail1;
}
n = sizeof(ss_cert_leadin);
memcpy(p, ss_cert_leadin, n);
p += n;
adj = (0x0556 - 0x401) + (keybits / 4) + 1;
buf[2] = adj >> 8;
buf[3] = adj & 0xff;
adj = (0x033e - 0x201) + (keybits / 8) + 1;
buf[6] = adj >> 8;
buf[7] = adj & 0xff;
adj = (0x0222 - 0x201) + (keybits / 8) + 1;
buf[0xc3] = adj >> 8;
buf[0xc4] = adj & 0xff;
adj = (0x020f - 0x201) + (keybits / 8) + 1;
buf[0xd6] = adj >> 8;
buf[0xd7] = adj & 0xff;
adj = (0x020a - 0x201) + (keybits / 8) + 1;
buf[0xdb] = adj >> 8;
buf[0xdc] = adj & 0xff;
*p++ = ((keybits / 8) + 1) >> 8;
*p++ = ((keybits / 8) + 1) & 0xff;
/* we need to drop 1 + (keybits / 8) bytes of n in here, 00 + key */
*p++ = 0x00;
memcpy(p, el.e[JWK_KEY_N].buf, el.e[JWK_KEY_N].len);
p += el.e[JWK_KEY_N].len;
memcpy(p, ss_cert_san_leadin, sizeof(ss_cert_san_leadin));
p += sizeof(ss_cert_san_leadin);
/* drop in 78 bytes of san_a */
memcpy(p, san_a, SAN_A_LENGTH);
p += SAN_A_LENGTH;
memcpy(p, ss_cert_sig_leadin, sizeof(ss_cert_sig_leadin));
p[17] = ((keybits / 8) + 1) >> 8;
p[18] = ((keybits / 8) + 1) & 0xff;
p += sizeof(ss_cert_sig_leadin);
/* hash the cert plaintext */
if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256))
goto bail2;
if (lws_genhash_update(&hash_ctx, buf, lws_ptr_diff(p, buf))) {
lws_genhash_destroy(&hash_ctx, NULL);
goto bail2;
}
if (lws_genhash_destroy(&hash_ctx, digest))
goto bail2;
/* sign the hash */
n = lws_genrsa_public_sign(&ctx, digest, LWS_GENHASH_TYPE_SHA256, p,
buflen - lws_ptr_diff(p, buf));
if (n < 0)
goto bail2;
p += n;
pkey_asn1 = lws_malloc(pkey_asn1_len, "mbed crt tmp");
if (!pkey_asn1)
goto bail2;
m = lws_genrsa_render_pkey_asn1(&ctx, 1, pkey_asn1, pkey_asn1_len);
if (m < 0) {
lws_free(pkey_asn1);
goto bail2;
}
// lwsl_hexdump_level(LLL_DEBUG, buf, lws_ptr_diff(p, buf));
n = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx,
lws_ptr_diff(p, buf), buf);
if (n != 1) {
lws_free(pkey_asn1);
lwsl_err("%s: generated cert failed to load 0x%x\n",
__func__, -n);
} else {
//lwsl_debug("private key\n");
//lwsl_hexdump_level(LLL_DEBUG, pkey_asn1, n);
/* and to use our generated private key */
n = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx,
pkey_asn1, m);
lws_free(pkey_asn1);
if (n != 1) {
lwsl_err("%s: SSL_CTX_use_PrivateKey_ASN1 failed\n",
__func__);
}
}
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
lws_free(buf);
return n != 1;
bail2:
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
bail1:
lws_free(buf);
return -1;
}
void
lws_tls_acme_sni_cert_destroy(struct lws_vhost *vhost)
{
}
#if defined(LWS_WITH_JWS)
static int
_rngf(void *context, unsigned char *buf, size_t len)
{
if ((size_t)lws_get_random(context, buf, len) == len)
return 0;
return -1;
}
static const char *x5[] = { "C", "ST", "L", "O", "CN" };
/*
* CSR is output formatted as b64url(DER)
* Private key is output as a PEM in memory
*/
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[],
uint8_t *dcsr, size_t csr_len, char **privkey_pem,
size_t *privkey_len)
{
mbedtls_x509write_csr csr;
mbedtls_pk_context mpk;
int buf_size = 4096, n;
char subject[200], *p = subject, *end = p + sizeof(subject) - 1;
uint8_t *buf = malloc(buf_size); /* malloc because given to user code */
if (!buf)
return -1;
mbedtls_x509write_csr_init(&csr);
mbedtls_pk_init(&mpk);
if (mbedtls_pk_setup(&mpk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))) {
lwsl_notice("%s: pk_setup failed\n", __func__);
goto fail;
}
n = mbedtls_rsa_gen_key(mbedtls_pk_rsa(mpk), _rngf, context,
lws_plat_recommended_rsa_bits(), 65537);
if (n) {
lwsl_notice("%s: failed to generate keys\n", __func__);
goto fail1;
}
/* subject must be formatted like "C=TW,O=warmcat,CN=myserver" */
for (n = 0; n < (int)LWS_ARRAY_SIZE(x5); n++) {
if (p != subject)
*p++ = ',';
if (elements[n])
p += lws_snprintf(p, end - p, "%s=%s", x5[n],
elements[n]);
}
if (mbedtls_x509write_csr_set_subject_name(&csr, subject))
goto fail1;
mbedtls_x509write_csr_set_key(&csr, &mpk);
mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);
/*
* data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*/
n = mbedtls_x509write_csr_der(&csr, buf, buf_size, _rngf, context);
if (n < 0) {
lwsl_notice("%s: write csr der failed\n", __func__);
goto fail1;
}
/* we have it in DER, we need it in b64URL */
n = lws_jws_base64_enc((char *)(buf + buf_size) - n, n,
(char *)dcsr, csr_len);
if (n < 0)
goto fail1;
/*
* okay, the CSR is done, last we need the private key in PEM
* re-use the DER CSR buf as the result buffer since we cn do it in
* one step
*/
if (mbedtls_pk_write_key_pem(&mpk, buf, buf_size)) {
lwsl_notice("write key pem failed\n");
goto fail1;
}
*privkey_pem = (char *)buf;
*privkey_len = strlen((const char *)buf);
mbedtls_pk_free(&mpk);
mbedtls_x509write_csr_free(&csr);
return n;
fail1:
mbedtls_pk_free(&mpk);
fail:
mbedtls_x509write_csr_free(&csr);
free(buf);
return -1;
}
#endif
#endif

509
thirdparty/libwebsockets/lib/tls/mbedtls/ssl.c vendored Normal file
View File

@@ -0,0 +1,509 @@
/*
* libwebsockets - mbedTLS-specific lws apis
*
* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*/
#include "core/private.h"
#include <mbedtls/oid.h>
void
lws_ssl_elaborate_error(void)
{
}
int
lws_context_init_ssl_library(const struct lws_context_creation_info *info)
{
lwsl_info(" Compiled with MbedTLS support\n");
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
lwsl_info(" SSL disabled: no "
"LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
return 0;
}
LWS_VISIBLE void
lws_ssl_destroy(struct lws_vhost *vhost)
{
if (!lws_check_opt(vhost->context->options,
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
return;
if (vhost->tls.ssl_ctx)
SSL_CTX_free(vhost->tls.ssl_ctx);
if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
SSL_CTX_free(vhost->tls.ssl_client_ctx);
if (vhost->tls.x509_client_CA)
X509_free(vhost->tls.x509_client_CA);
}
LWS_VISIBLE int
lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
{
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n = 0, m;
if (!wsi->tls.ssl)
return lws_ssl_capable_read_no_ssl(wsi, buf, len);
lws_stats_atomic_bump(context, pt, LWSSTATS_C_API_READ, 1);
errno = 0;
n = SSL_read(wsi->tls.ssl, buf, len);
#if defined(LWS_WITH_ESP32)
if (!n && errno == LWS_ENOTCONN) {
lwsl_debug("%p: SSL_read ENOTCONN\n", wsi);
return LWS_SSL_CAPABLE_ERROR;
}
#endif
#if defined(LWS_WITH_STATS)
if (!wsi->seen_rx && wsi->accept_start_us) {
lws_stats_atomic_bump(wsi->context, pt,
LWSSTATS_MS_SSL_RX_DELAY,
lws_time_in_microseconds() -
wsi->accept_start_us);
lws_stats_atomic_bump(wsi->context, pt,
LWSSTATS_C_SSL_CONNS_HAD_RX, 1);
wsi->seen_rx = 1;
}
#endif
lwsl_debug("%p: SSL_read says %d\n", wsi, n);
/* manpage: returning 0 means connection shut down */
if (!n) {
wsi->socket_is_permanently_unusable = 1;
return LWS_SSL_CAPABLE_ERROR;
}
if (n < 0) {
m = SSL_get_error(wsi->tls.ssl, n);
lwsl_debug("%p: ssl err %d errno %d\n", wsi, m, errno);
if (m == SSL_ERROR_ZERO_RETURN ||
m == SSL_ERROR_SYSCALL)
return LWS_SSL_CAPABLE_ERROR;
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
lwsl_debug("%s: WANT_READ\n", __func__);
lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
return LWS_SSL_CAPABLE_MORE_SERVICE;
}
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
lwsl_debug("%s: WANT_WRITE\n", __func__);
lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
return LWS_SSL_CAPABLE_MORE_SERVICE;
}
wsi->socket_is_permanently_unusable = 1;
return LWS_SSL_CAPABLE_ERROR;
}
lws_stats_atomic_bump(context, pt, LWSSTATS_B_READ, n);
if (wsi->vhost)
wsi->vhost->conn_stats.rx += n;
/*
* if it was our buffer that limited what we read,
* check if SSL has additional data pending inside SSL buffers.
*
* Because these won't signal at the network layer with POLLIN
* and if we don't realize, this data will sit there forever
*/
if (n != len)
goto bail;
if (!wsi->tls.ssl)
goto bail;
if (SSL_pending(wsi->tls.ssl) &&
lws_dll_is_null(&wsi->tls.pending_tls_list)) {
lws_dll_lws_add_front(&wsi->tls.pending_tls_list,
&pt->tls.pending_tls_head);
}
return n;
bail:
lws_ssl_remove_wsi_from_buffered_list(wsi);
return n;
}
LWS_VISIBLE int
lws_ssl_pending(struct lws *wsi)
{
if (!wsi->tls.ssl)
return 0;
return SSL_pending(wsi->tls.ssl);
}
LWS_VISIBLE int
lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
{
int n, m;
if (!wsi->tls.ssl)
return lws_ssl_capable_write_no_ssl(wsi, buf, len);
n = SSL_write(wsi->tls.ssl, buf, len);
if (n > 0)
return n;
m = SSL_get_error(wsi->tls.ssl, n);
if (m != SSL_ERROR_SYSCALL) {
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
lwsl_notice("%s: want read\n", __func__);
return LWS_SSL_CAPABLE_MORE_SERVICE;
}
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
lws_set_blocking_send(wsi);
lwsl_debug("%s: want write\n", __func__);
return LWS_SSL_CAPABLE_MORE_SERVICE;
}
}
lwsl_debug("%s failed: %d\n",__func__, m);
wsi->socket_is_permanently_unusable = 1;
return LWS_SSL_CAPABLE_ERROR;
}
int openssl_SSL_CTX_private_data_index;
void
lws_ssl_info_callback(const SSL *ssl, int where, int ret)
{
struct lws *wsi;
struct lws_context *context;
struct lws_ssl_info si;
context = (struct lws_context *)SSL_CTX_get_ex_data(
SSL_get_SSL_CTX(ssl),
openssl_SSL_CTX_private_data_index);
if (!context)
return;
wsi = wsi_from_fd(context, SSL_get_fd(ssl));
if (!wsi)
return;
if (!(where & wsi->vhost->tls.ssl_info_event_mask))
return;
si.where = where;
si.ret = ret;
if (user_callback_handle_rxflow(wsi->protocol->callback,
wsi, LWS_CALLBACK_SSL_INFO,
wsi->user_space, &si, 0))
lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
}
LWS_VISIBLE int
lws_ssl_close(struct lws *wsi)
{
lws_sockfd_type n;
if (!wsi->tls.ssl)
return 0; /* not handled */
#if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
/* kill ssl callbacks, becausse we will remove the fd from the
* table linking it to the wsi
*/
if (wsi->vhost->tls.ssl_info_event_mask)
SSL_set_info_callback(wsi->tls.ssl, NULL);
#endif
n = SSL_get_fd(wsi->tls.ssl);
if (!wsi->socket_is_permanently_unusable)
SSL_shutdown(wsi->tls.ssl);
compatible_close(n);
SSL_free(wsi->tls.ssl);
wsi->tls.ssl = NULL;
if (!lwsi_role_client(wsi) &&
wsi->context->simultaneous_ssl_restriction &&
wsi->context->simultaneous_ssl-- ==
wsi->context->simultaneous_ssl_restriction)
/* we made space and can do an accept */
lws_gate_accepts(wsi->context, 1);
#if defined(LWS_WITH_STATS)
wsi->context->updated = 1;
#endif
return 1; /* handled */
}
void
lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
{
if (vhost->tls.ssl_ctx)
SSL_CTX_free(vhost->tls.ssl_ctx);
if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
SSL_CTX_free(vhost->tls.ssl_client_ctx);
#if defined(LWS_WITH_ACME)
lws_tls_acme_sni_cert_destroy(vhost);
#endif
}
void
lws_ssl_context_destroy(struct lws_context *context)
{
}
lws_tls_ctx *
lws_tls_ctx_from_wsi(struct lws *wsi)
{
if (!wsi->tls.ssl)
return NULL;
return SSL_get_SSL_CTX(wsi->tls.ssl);
}
enum lws_ssl_capable_status
__lws_tls_shutdown(struct lws *wsi)
{
int n = SSL_shutdown(wsi->tls.ssl);
lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
switch (n) {
case 1: /* successful completion */
n = shutdown(wsi->desc.sockfd, SHUT_WR);
return LWS_SSL_CAPABLE_DONE;
case 0: /* needs a retry */
__lws_change_pollfd(wsi, 0, LWS_POLLIN);
return LWS_SSL_CAPABLE_MORE_SERVICE;
default: /* fatal error, or WANT */
n = SSL_get_error(wsi->tls.ssl, n);
if (n != SSL_ERROR_SYSCALL && n != SSL_ERROR_SSL) {
if (SSL_want_read(wsi->tls.ssl)) {
lwsl_debug("(wants read)\n");
__lws_change_pollfd(wsi, 0, LWS_POLLIN);
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
}
if (SSL_want_write(wsi->tls.ssl)) {
lwsl_debug("(wants write)\n");
__lws_change_pollfd(wsi, 0, LWS_POLLOUT);
return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
}
}
return LWS_SSL_CAPABLE_ERROR;
}
}
static time_t
lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime)
{
struct tm t;
if (!xtime || !xtime->year || xtime->year < 0)
return (time_t)(long long)-1;
memset(&t, 0, sizeof(t));
t.tm_year = xtime->year - 1900;
t.tm_mon = xtime->mon - 1; /* mbedtls months are 1+, tm are 0+ */
t.tm_mday = xtime->day - 1; /* mbedtls days are 1+, tm are 0+ */
t.tm_hour = xtime->hour;
t.tm_min = xtime->min;
t.tm_sec = xtime->sec;
t.tm_isdst = -1;
return mktime(&t);
}
static int
lws_tls_mbedtls_get_x509_name(mbedtls_x509_name *name,
union lws_tls_cert_info_results *buf, size_t len)
{
while (name) {
if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid)) {
name = name->next;
continue;
}
if (len - 1 < name->val.len)
return -1;
memcpy(&buf->ns.name[0], name->val.p, name->val.len);
buf->ns.name[name->val.len] = '\0';
buf->ns.len = name->val.len;
return 0;
}
return -1;
}
static int
lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type,
union lws_tls_cert_info_results *buf, size_t len)
{
if (!x509)
return -1;
switch (type) {
case LWS_TLS_CERT_INFO_VALIDITY_FROM:
buf->time = lws_tls_mbedtls_time_to_unix(&x509->valid_from);
if (buf->time == (time_t)(long long)-1)
return -1;
break;
case LWS_TLS_CERT_INFO_VALIDITY_TO:
buf->time = lws_tls_mbedtls_time_to_unix(&x509->valid_to);
if (buf->time == (time_t)(long long)-1)
return -1;
break;
case LWS_TLS_CERT_INFO_COMMON_NAME:
return lws_tls_mbedtls_get_x509_name(&x509->subject, buf, len);
case LWS_TLS_CERT_INFO_ISSUER_NAME:
return lws_tls_mbedtls_get_x509_name(&x509->issuer, buf, len);
case LWS_TLS_CERT_INFO_USAGE:
buf->usage = x509->key_usage;
break;
case LWS_TLS_CERT_INFO_OPAQUE_PUBLIC_KEY:
{
char *p = buf->ns.name;
size_t r = len, u;
switch (mbedtls_pk_get_type(&x509->pk)) {
case MBEDTLS_PK_RSA:
{
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(x509->pk);
if (mbedtls_mpi_write_string(&rsa->N, 16, p, r, &u))
return -1;
r -= u;
p += u;
if (mbedtls_mpi_write_string(&rsa->E, 16, p, r, &u))
return -1;
p += u;
buf->ns.len = lws_ptr_diff(p, buf->ns.name);
break;
}
case MBEDTLS_PK_ECKEY:
{
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(x509->pk);
if (mbedtls_mpi_write_string(&ecp->Q.X, 16, p, r, &u))
return -1;
r -= u;
p += u;
if (mbedtls_mpi_write_string(&ecp->Q.Y, 16, p, r, &u))
return -1;
r -= u;
p += u;
if (mbedtls_mpi_write_string(&ecp->Q.Z, 16, p, r, &u))
return -1;
p += u;
buf->ns.len = lws_ptr_diff(p, buf->ns.name);
break;
}
default:
lwsl_notice("%s: x509 has unsupported pubkey type %d\n",
__func__,
mbedtls_pk_get_type(&x509->pk));
return -1;
}
break;
}
default:
return -1;
}
return 0;
}
LWS_VISIBLE LWS_EXTERN int
lws_tls_vhost_cert_info(struct lws_vhost *vhost, enum lws_tls_cert_info type,
union lws_tls_cert_info_results *buf, size_t len)
{
mbedtls_x509_crt *x509 = ssl_ctx_get_mbedtls_x509_crt(vhost->tls.ssl_ctx);
return lws_tls_mbedtls_cert_info(x509, type, buf, len);
}
LWS_VISIBLE int
lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
union lws_tls_cert_info_results *buf, size_t len)
{
mbedtls_x509_crt *x509;
wsi = lws_get_network_wsi(wsi);
x509 = ssl_get_peer_mbedtls_x509_crt(wsi->tls.ssl);
if (!x509)
return -1;
switch (type) {
case LWS_TLS_CERT_INFO_VERIFIED:
buf->verified = SSL_get_verify_result(wsi->tls.ssl) == X509_V_OK;
return 0;
default:
return lws_tls_mbedtls_cert_info(x509, type, buf, len);
}
return -1;
}
static int
tops_fake_POLLIN_for_buffered_mbedtls(struct lws_context_per_thread *pt)
{
return lws_tls_fake_POLLIN_for_buffered(pt);
}
static int
tops_periodic_housekeeping_mbedtls(struct lws_context *context, time_t now)
{
int n;
n = lws_compare_time_t(context, now, context->tls.last_cert_check_s);
if ((!context->tls.last_cert_check_s || n > (24 * 60 * 60)) &&
!lws_tls_check_all_cert_lifetimes(context))
context->tls.last_cert_check_s = now;
return 0;
}
const struct lws_tls_ops tls_ops_mbedtls = {
/* fake_POLLIN_for_buffered */ tops_fake_POLLIN_for_buffered_mbedtls,
/* periodic_housekeeping */ tops_periodic_housekeeping_mbedtls,
};

44
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl3.h vendored Normal file
View File

@@ -0,0 +1,44 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL3_H_
#define _SSL3_H_
#ifdef __cplusplus
extern "C" {
#endif
# define SSL3_AD_CLOSE_NOTIFY 0
# define SSL3_AD_UNEXPECTED_MESSAGE 10/* fatal */
# define SSL3_AD_BAD_RECORD_MAC 20/* fatal */
# define SSL3_AD_DECOMPRESSION_FAILURE 30/* fatal */
# define SSL3_AD_HANDSHAKE_FAILURE 40/* fatal */
# define SSL3_AD_NO_CERTIFICATE 41
# define SSL3_AD_BAD_CERTIFICATE 42
# define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
# define SSL3_AD_CERTIFICATE_REVOKED 44
# define SSL3_AD_CERTIFICATE_EXPIRED 45
# define SSL3_AD_CERTIFICATE_UNKNOWN 46
# define SSL3_AD_ILLEGAL_PARAMETER 47/* fatal */
# define SSL3_AL_WARNING 1
# define SSL3_AL_FATAL 2
#define SSL3_VERSION 0x0300
#ifdef __cplusplus
}
#endif
#endif

55
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h vendored Normal file
View File

@@ -0,0 +1,55 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_CERT_H_
#define _SSL_CERT_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl_types.h"
/**
* @brief create a certification object include private key object according to input certification
*
* @param ic - input certification point
*
* @return certification object point
*/
CERT *__ssl_cert_new(CERT *ic);
/**
* @brief create a certification object include private key object
*
* @param none
*
* @return certification object point
*/
CERT* ssl_cert_new(void);
/**
* @brief free a certification object
*
* @param cert - certification object point
*
* @return none
*/
void ssl_cert_free(CERT *cert);
#ifdef __cplusplus
}
#endif
#endif

124
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_code.h vendored Normal file
View File

@@ -0,0 +1,124 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_CODE_H_
#define _SSL_CODE_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl3.h"
#include "tls1.h"
#include "x509_vfy.h"
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
# define SSL_RECEIVED_SHUTDOWN 2
# define SSL_VERIFY_NONE 0x00
# define SSL_VERIFY_PEER 0x01
# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
# define SSL_VERIFY_CLIENT_ONCE 0x04
/*
* The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
* should not need these
*/
# define SSL_ST_READ_HEADER 0xF0
# define SSL_ST_READ_BODY 0xF1
# define SSL_ST_READ_DONE 0xF2
# define SSL_NOTHING 1
# define SSL_WRITING 2
# define SSL_READING 3
# define SSL_X509_LOOKUP 4
# define SSL_ASYNC_PAUSED 5
# define SSL_ASYNC_NO_JOBS 6
# define SSL_ERROR_NONE 0
# define SSL_ERROR_SSL 1
# define SSL_ERROR_WANT_READ 2
# define SSL_ERROR_WANT_WRITE 3
# define SSL_ERROR_WANT_X509_LOOKUP 4
# define SSL_ERROR_SYSCALL 5/* look at error stack/return value/errno */
# define SSL_ERROR_ZERO_RETURN 6
# define SSL_ERROR_WANT_CONNECT 7
# define SSL_ERROR_WANT_ACCEPT 8
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
/* Message flow states */
typedef enum {
/* No handshake in progress */
MSG_FLOW_UNINITED,
/* A permanent error with this connection */
MSG_FLOW_ERROR,
/* We are about to renegotiate */
MSG_FLOW_RENEGOTIATE,
/* We are reading messages */
MSG_FLOW_READING,
/* We are writing messages */
MSG_FLOW_WRITING,
/* Handshake has finished */
MSG_FLOW_FINISHED
} MSG_FLOW_STATE;
/* SSL subsystem states */
typedef enum {
TLS_ST_BEFORE,
TLS_ST_OK,
DTLS_ST_CR_HELLO_VERIFY_REQUEST,
TLS_ST_CR_SRVR_HELLO,
TLS_ST_CR_CERT,
TLS_ST_CR_CERT_STATUS,
TLS_ST_CR_KEY_EXCH,
TLS_ST_CR_CERT_REQ,
TLS_ST_CR_SRVR_DONE,
TLS_ST_CR_SESSION_TICKET,
TLS_ST_CR_CHANGE,
TLS_ST_CR_FINISHED,
TLS_ST_CW_CLNT_HELLO,
TLS_ST_CW_CERT,
TLS_ST_CW_KEY_EXCH,
TLS_ST_CW_CERT_VRFY,
TLS_ST_CW_CHANGE,
TLS_ST_CW_NEXT_PROTO,
TLS_ST_CW_FINISHED,
TLS_ST_SW_HELLO_REQ,
TLS_ST_SR_CLNT_HELLO,
DTLS_ST_SW_HELLO_VERIFY_REQUEST,
TLS_ST_SW_SRVR_HELLO,
TLS_ST_SW_CERT,
TLS_ST_SW_KEY_EXCH,
TLS_ST_SW_CERT_REQ,
TLS_ST_SW_SRVR_DONE,
TLS_ST_SR_CERT,
TLS_ST_SR_KEY_EXCH,
TLS_ST_SR_CERT_VRFY,
TLS_ST_SR_NEXT_PROTO,
TLS_ST_SR_CHANGE,
TLS_ST_SR_FINISHED,
TLS_ST_SW_SESSION_TICKET,
TLS_ST_SW_CERT_STATUS,
TLS_ST_SW_CHANGE,
TLS_ST_SW_FINISHED
} OSSL_HANDSHAKE_STATE;
#ifdef __cplusplus
}
#endif
#endif

190
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_dbg.h vendored Normal file
View File

@@ -0,0 +1,190 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_DEBUG_H_
#define _SSL_DEBUG_H_
#include "platform/ssl_port.h"
#ifdef __cplusplus
extern "C" {
#endif
#ifdef CONFIG_OPENSSL_DEBUG_LEVEL
#define SSL_DEBUG_LEVEL CONFIG_OPENSSL_DEBUG_LEVEL
#else
#define SSL_DEBUG_LEVEL 0
#endif
#define SSL_DEBUG_ON (SSL_DEBUG_LEVEL + 1)
#define SSL_DEBUG_OFF (SSL_DEBUG_LEVEL - 1)
#ifdef CONFIG_OPENSSL_DEBUG
#ifndef SSL_DEBUG_LOG
#error "SSL_DEBUG_LOG is not defined"
#endif
#ifndef SSL_DEBUG_FL
#define SSL_DEBUG_FL "\n"
#endif
#define SSL_SHOW_LOCATION() \
SSL_DEBUG_LOG("SSL assert : %s %d\n", \
__FILE__, __LINE__)
#define SSL_DEBUG(level, fmt, ...) \
{ \
if (level > SSL_DEBUG_LEVEL) { \
SSL_DEBUG_LOG(fmt SSL_DEBUG_FL, ##__VA_ARGS__); \
} \
}
#else /* CONFIG_OPENSSL_DEBUG */
#define SSL_SHOW_LOCATION()
#define SSL_DEBUG(level, fmt, ...)
#endif /* CONFIG_OPENSSL_DEBUG */
/**
* OpenSSL assert function
*
* if select "CONFIG_OPENSSL_ASSERT_DEBUG", SSL_ASSERT* will show error file name and line
* if select "CONFIG_OPENSSL_ASSERT_EXIT", SSL_ASSERT* will just return error code.
* if select "CONFIG_OPENSSL_ASSERT_DEBUG_EXIT" SSL_ASSERT* will show error file name and line,
* then return error code.
* if select "CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK", SSL_ASSERT* will show error file name and line,
* then block here with "while (1)"
*
* SSL_ASSERT1 may will return "-1", so function's return argument is integer.
* SSL_ASSERT2 may will return "NULL", so function's return argument is a point.
* SSL_ASSERT2 may will return nothing, so function's return argument is "void".
*/
#if defined(CONFIG_OPENSSL_ASSERT_DEBUG)
#define SSL_ASSERT1(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
} \
}
#define SSL_ASSERT2(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
} \
}
#define SSL_ASSERT3(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
} \
}
#elif defined(CONFIG_OPENSSL_ASSERT_EXIT)
#define SSL_ASSERT1(s) \
{ \
if (!(s)) { \
return -1; \
} \
}
#define SSL_ASSERT2(s) \
{ \
if (!(s)) { \
return NULL; \
} \
}
#define SSL_ASSERT3(s) \
{ \
if (!(s)) { \
return ; \
} \
}
#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_EXIT)
#define SSL_ASSERT1(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
return -1; \
} \
}
#define SSL_ASSERT2(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
return NULL; \
} \
}
#define SSL_ASSERT3(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
return ; \
} \
}
#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK)
#define SSL_ASSERT1(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
while (1); \
} \
}
#define SSL_ASSERT2(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
while (1); \
} \
}
#define SSL_ASSERT3(s) \
{ \
if (!(s)) { \
SSL_SHOW_LOCATION(); \
while (1); \
} \
}
#else
#define SSL_ASSERT1(s)
#define SSL_ASSERT2(s)
#define SSL_ASSERT3(s)
#endif
#define SSL_PLATFORM_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_PLATFORM_ERROR_LEVEL SSL_DEBUG_ON
#define SSL_CERT_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_CERT_ERROR_LEVEL SSL_DEBUG_ON
#define SSL_PKEY_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_PKEY_ERROR_LEVEL SSL_DEBUG_ON
#define SSL_X509_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_X509_ERROR_LEVEL SSL_DEBUG_ON
#define SSL_LIB_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_LIB_ERROR_LEVEL SSL_DEBUG_ON
#define SSL_STACK_DEBUG_LEVEL SSL_DEBUG_OFF
#define SSL_STACK_ERROR_LEVEL SSL_DEBUG_ON
#ifdef __cplusplus
}
#endif
#endif

30
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_lib.h vendored Normal file
View File

@@ -0,0 +1,30 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_LIB_H_
#define _SSL_LIB_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl_types.h"
void _ssl_set_alpn_list(const SSL *ssl);
#ifdef __cplusplus
}
#endif
#endif

121
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h vendored Normal file
View File

@@ -0,0 +1,121 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_METHODS_H_
#define _SSL_METHODS_H_
#include "ssl_types.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* TLS method function implement
*/
#define IMPLEMENT_TLS_METHOD_FUNC(func_name, \
new, free, \
handshake, shutdown, clear, \
read, send, pending, \
set_fd, get_fd, \
set_bufflen, \
get_verify_result, \
get_state) \
static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
new, \
free, \
handshake, \
shutdown, \
clear, \
read, \
send, \
pending, \
set_fd, \
get_fd, \
set_bufflen, \
get_verify_result, \
get_state \
};
#define IMPLEMENT_TLS_METHOD(ver, mode, fun, func_name) \
const SSL_METHOD* func_name(void) { \
static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
ver, \
mode, \
&(fun), \
}; \
return &func_name##_data; \
}
#define IMPLEMENT_SSL_METHOD(ver, mode, fun, func_name) \
const SSL_METHOD* func_name(void) { \
static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
ver, \
mode, \
&(fun), \
}; \
return &func_name##_data; \
}
#define IMPLEMENT_X509_METHOD(func_name, \
new, \
free, \
load, \
show_info) \
const X509_METHOD* func_name(void) { \
static const X509_METHOD func_name##_data LOCAL_ATRR = { \
new, \
free, \
load, \
show_info \
}; \
return &func_name##_data; \
}
#define IMPLEMENT_PKEY_METHOD(func_name, \
new, \
free, \
load) \
const PKEY_METHOD* func_name(void) { \
static const PKEY_METHOD func_name##_data LOCAL_ATRR = { \
new, \
free, \
load \
}; \
return &func_name##_data; \
}
/**
* @brief get X509 object method
*
* @param none
*
* @return X509 object method point
*/
const X509_METHOD* X509_method(void);
/**
* @brief get private key object method
*
* @param none
*
* @return private key object method point
*/
const PKEY_METHOD* EVP_PKEY_method(void);
#ifdef __cplusplus
}
#endif
#endif

86
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h vendored Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_PKEY_H_
#define _SSL_PKEY_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl_types.h"
/**
* @brief create a private key object according to input private key
*
* @param ipk - input private key point
*
* @return new private key object point
*/
EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk);
/**
* @brief create a private key object
*
* @param none
*
* @return private key object point
*/
EVP_PKEY* EVP_PKEY_new(void);
/**
* @brief load a character key context into system context. If '*a' is pointed to the
* private key, then load key into it. Or create a new private key object
*
* @param type - private key type
* @param a - a point pointed to a private key point
* @param pp - a point pointed to the key context memory point
* @param length - key bytes
*
* @return private key object point
*/
EVP_PKEY* d2i_PrivateKey(int type,
EVP_PKEY **a,
const unsigned char **pp,
long length);
/**
* @brief free a private key object
*
* @param pkey - private key object point
*
* @return none
*/
void EVP_PKEY_free(EVP_PKEY *x);
/**
* @brief load private key into the SSL
*
* @param type - private key type
* @param ssl - SSL point
* @param len - data bytes
* @param d - data point
*
* @return result
* 0 : failed
* 1 : OK
*/
int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len);
#ifdef __cplusplus
}
#endif
#endif

52
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_stack.h vendored Normal file
View File

@@ -0,0 +1,52 @@
#ifndef _SSL_STACK_H_
#define _SSL_STACK_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl_types.h"
#define STACK_OF(type) struct stack_st_##type
#define SKM_DEFINE_STACK_OF(t1, t2, t3) \
STACK_OF(t1); \
static ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
{ \
return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \
} \
#define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
/**
* @brief create a openssl stack object
*
* @param c - stack function
*
* @return openssl stack object point
*/
OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c);
/**
* @brief create a NULL function openssl stack object
*
* @param none
*
* @return openssl stack object point
*/
OPENSSL_STACK *OPENSSL_sk_new_null(void);
/**
* @brief free openssl stack object
*
* @param openssl stack object point
*
* @return none
*/
void OPENSSL_sk_free(OPENSSL_STACK *stack);
#ifdef __cplusplus
}
#endif
#endif

303
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h vendored Normal file
View File

@@ -0,0 +1,303 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_TYPES_H_
#define _SSL_TYPES_H_
#ifdef __cplusplus
extern "C" {
#endif
#include <lws_config.h>
#if defined(LWS_WITH_ESP32)
#undef MBEDTLS_CONFIG_FILE
#define MBEDTLS_CONFIG_FILE <mbedtls/esp_config.h>
#endif
#include "ssl_code.h"
typedef void SSL_CIPHER;
typedef void X509_STORE_CTX;
typedef void X509_STORE;
typedef void RSA;
typedef void STACK;
typedef void BIO;
#if defined(WIN32) || defined(_WIN32)
#define ossl_inline __inline
#else
#define ossl_inline inline
#endif
#define SSL_METHOD_CALL(f, s, ...) s->method->func->ssl_##f(s, ##__VA_ARGS__)
#define X509_METHOD_CALL(f, x, ...) x->method->x509_##f(x, ##__VA_ARGS__)
#define EVP_PKEY_METHOD_CALL(f, k, ...) k->method->pkey_##f(k, ##__VA_ARGS__)
typedef int (*OPENSSL_sk_compfunc)(const void *, const void *);
struct stack_st;
typedef struct stack_st OPENSSL_STACK;
struct ssl_method_st;
typedef struct ssl_method_st SSL_METHOD;
struct ssl_method_func_st;
typedef struct ssl_method_func_st SSL_METHOD_FUNC;
struct record_layer_st;
typedef struct record_layer_st RECORD_LAYER;
struct ossl_statem_st;
typedef struct ossl_statem_st OSSL_STATEM;
struct ssl_session_st;
typedef struct ssl_session_st SSL_SESSION;
struct ssl_ctx_st;
typedef struct ssl_ctx_st SSL_CTX;
struct ssl_st;
typedef struct ssl_st SSL;
struct cert_st;
typedef struct cert_st CERT;
struct x509_st;
typedef struct x509_st X509;
struct X509_VERIFY_PARAM_st;
typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
struct evp_pkey_st;
typedef struct evp_pkey_st EVP_PKEY;
struct x509_method_st;
typedef struct x509_method_st X509_METHOD;
struct pkey_method_st;
typedef struct pkey_method_st PKEY_METHOD;
struct stack_st {
char **data;
int num_alloc;
OPENSSL_sk_compfunc c;
};
struct evp_pkey_st {
void *pkey_pm;
const PKEY_METHOD *method;
};
struct x509_st {
/* X509 certification platform private point */
void *x509_pm;
const X509_METHOD *method;
};
struct cert_st {
int sec_level;
X509 *x509;
EVP_PKEY *pkey;
};
struct ossl_statem_st {
MSG_FLOW_STATE state;
int hand_state;
};
struct record_layer_st {
int rstate;
int read_ahead;
};
struct ssl_session_st {
long timeout;
long time;
X509 *peer;
};
struct X509_VERIFY_PARAM_st {
int depth;
};
typedef int (*next_proto_cb)(SSL *ssl, unsigned char **out,
unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg);
struct ssl_ctx_st
{
int version;
int references;
unsigned long options;
const SSL_METHOD *method;
CERT *cert;
X509 *client_CA;
const char **alpn_protos;
next_proto_cb alpn_cb;
int verify_mode;
int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
long session_timeout;
int read_ahead;
int read_buffer_len;
X509_VERIFY_PARAM param;
};
struct ssl_st
{
/* protocol version(one of SSL3.0, TLS1.0, etc.) */
int version;
unsigned long options;
/* shut things down(0x01 : sent, 0x02 : received) */
int shutdown;
CERT *cert;
X509 *client_CA;
SSL_CTX *ctx;
const SSL_METHOD *method;
const char **alpn_protos;
RECORD_LAYER rlayer;
/* where we are */
OSSL_STATEM statem;
SSL_SESSION *session;
int verify_mode;
int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
int rwstate;
int interrupted_remaining_write;
long verify_result;
X509_VERIFY_PARAM param;
int err;
void (*info_callback) (const SSL *ssl, int type, int val);
/* SSL low-level system arch point */
void *ssl_pm;
};
struct ssl_method_st {
/* protocol version(one of SSL3.0, TLS1.0, etc.) */
int version;
/* SSL mode(client(0) , server(1), not known(-1)) */
int endpoint;
const SSL_METHOD_FUNC *func;
};
struct ssl_method_func_st {
int (*ssl_new)(SSL *ssl);
void (*ssl_free)(SSL *ssl);
int (*ssl_handshake)(SSL *ssl);
int (*ssl_shutdown)(SSL *ssl);
int (*ssl_clear)(SSL *ssl);
int (*ssl_read)(SSL *ssl, void *buffer, int len);
int (*ssl_send)(SSL *ssl, const void *buffer, int len);
int (*ssl_pending)(const SSL *ssl);
void (*ssl_set_fd)(SSL *ssl, int fd, int mode);
int (*ssl_get_fd)(const SSL *ssl, int mode);
void (*ssl_set_bufflen)(SSL *ssl, int len);
long (*ssl_get_verify_result)(const SSL *ssl);
OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
};
struct x509_method_st {
int (*x509_new)(X509 *x, X509 *m_x);
void (*x509_free)(X509 *x);
int (*x509_load)(X509 *x, const unsigned char *buf, int len);
int (*x509_show_info)(X509 *x);
};
struct pkey_method_st {
int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey);
void (*pkey_free)(EVP_PKEY *pkey);
int (*pkey_load)(EVP_PKEY *pkey, const unsigned char *buf, int len);
};
#define OPENSSL_NPN_NEGOTIATED 1
#ifdef __cplusplus
}
#endif
#endif

110
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_x509.h vendored Normal file
View File

@@ -0,0 +1,110 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_X509_H_
#define _SSL_X509_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "ssl_types.h"
#include "ssl_stack.h"
DEFINE_STACK_OF(X509_NAME)
/**
* @brief create a X509 certification object according to input X509 certification
*
* @param ix - input X509 certification point
*
* @return new X509 certification object point
*/
X509* __X509_new(X509 *ix);
/**
* @brief create a X509 certification object
*
* @param none
*
* @return X509 certification object point
*/
X509* X509_new(void);
/**
* @brief load a character certification context into system context. If '*cert' is pointed to the
* certification, then load certification into it. Or create a new X509 certification object
*
* @param cert - a point pointed to X509 certification
* @param buffer - a point pointed to the certification context memory point
* @param length - certification bytes
*
* @return X509 certification object point
*/
X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
/**
* @brief free a X509 certification object
*
* @param x - X509 certification object point
*
* @return none
*/
void X509_free(X509 *x);
/**
* @brief set SSL context client CA certification
*
* @param ctx - SSL context point
* @param x - X509 certification point
*
* @return result
* 0 : failed
* 1 : OK
*/
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
/**
* @brief add CA client certification into the SSL
*
* @param ssl - SSL point
* @param x - X509 certification point
*
* @return result
* 0 : failed
* 1 : OK
*/
int SSL_add_client_CA(SSL *ssl, X509 *x);
/**
* @brief load certification into the SSL
*
* @param ssl - SSL point
* @param len - data bytes
* @param d - data point
*
* @return result
* 0 : failed
* 1 : OK
*
*/
int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
const char *X509_verify_cert_error_string(long n);
#ifdef __cplusplus
}
#endif
#endif

58
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/tls1.h vendored Normal file
View File

@@ -0,0 +1,58 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _TLS1_H_
#define _TLS1_H_
#ifdef __cplusplus
extern "C" {
#endif
# define TLS1_AD_DECRYPTION_FAILED 21
# define TLS1_AD_RECORD_OVERFLOW 22
# define TLS1_AD_UNKNOWN_CA 48/* fatal */
# define TLS1_AD_ACCESS_DENIED 49/* fatal */
# define TLS1_AD_DECODE_ERROR 50/* fatal */
# define TLS1_AD_DECRYPT_ERROR 51
# define TLS1_AD_EXPORT_RESTRICTION 60/* fatal */
# define TLS1_AD_PROTOCOL_VERSION 70/* fatal */
# define TLS1_AD_INSUFFICIENT_SECURITY 71/* fatal */
# define TLS1_AD_INTERNAL_ERROR 80/* fatal */
# define TLS1_AD_INAPPROPRIATE_FALLBACK 86/* fatal */
# define TLS1_AD_USER_CANCELLED 90
# define TLS1_AD_NO_RENEGOTIATION 100
/* codes 110-114 are from RFC3546 */
# define TLS1_AD_UNSUPPORTED_EXTENSION 110
# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
# define TLS1_AD_UNRECOGNIZED_NAME 112
# define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
# define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
# define TLS1_AD_UNKNOWN_PSK_IDENTITY 115/* fatal */
# define TLS1_AD_NO_APPLICATION_PROTOCOL 120 /* fatal */
/* Special value for method supporting multiple versions */
#define TLS_ANY_VERSION 0x10000
#define TLS1_VERSION 0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_NOACK 3
#ifdef __cplusplus
}
#endif
#endif

116
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/x509_vfy.h vendored Normal file
View File

@@ -0,0 +1,116 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _X509_VFY_H_
#define _X509_VFY_H_
#ifdef __cplusplus
extern "C" {
#endif
#define X509_V_OK 0
#define X509_V_ERR_UNSPECIFIED 1
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
#define X509_V_ERR_UNABLE_TO_GET_CRL 3
#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#define X509_V_ERR_CRL_NOT_YET_VALID 11
#define X509_V_ERR_CRL_HAS_EXPIRED 12
#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
#define X509_V_ERR_OUT_OF_MEM 17
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
#define X509_V_ERR_CERT_REVOKED 23
#define X509_V_ERR_INVALID_CA 24
#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
#define X509_V_ERR_INVALID_PURPOSE 26
#define X509_V_ERR_CERT_UNTRUSTED 27
#define X509_V_ERR_CERT_REJECTED 28
/* These are 'informational' when looking for issuer cert */
#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
#define X509_V_ERR_AKID_SKID_MISMATCH 30
#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
#define X509_V_ERR_INVALID_NON_CA 37
#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
#define X509_V_ERR_INVALID_EXTENSION 41
#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
#define X509_V_ERR_NO_EXPLICIT_POLICY 43
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
#define X509_V_ERR_UNNESTED_RESOURCE 46
#define X509_V_ERR_PERMITTED_VIOLATION 47
#define X509_V_ERR_EXCLUDED_VIOLATION 48
#define X509_V_ERR_SUBTREE_MINMAX 49
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
/* Another issuer check debug option */
#define X509_V_ERR_PATH_LOOP 55
/* Suite B mode algorithm violation */
#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
/* Host, email and IP check errors */
#define X509_V_ERR_HOSTNAME_MISMATCH 62
#define X509_V_ERR_EMAIL_MISMATCH 63
#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
/* DANE TLSA errors */
#define X509_V_ERR_DANE_NO_MATCH 65
/* security level errors */
#define X509_V_ERR_EE_KEY_TOO_SMALL 66
#define X509_V_ERR_CA_KEY_TOO_SMALL 67
#define X509_V_ERR_CA_MD_TOO_WEAK 68
/* Caller error */
#define X509_V_ERR_INVALID_CALL 69
/* Issuer lookup error */
#define X509_V_ERR_STORE_LOOKUP 70
/* Certificate transparency */
#define X509_V_ERR_NO_VALID_SCTS 71
#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72
typedef void X509_STORE_CTX;
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
#ifdef __cplusplus
}
#endif
#endif

1833
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/openssl/ssl.h vendored Executable file
View File

File diff suppressed because it is too large Load Diff

61
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h vendored Normal file
View File

@@ -0,0 +1,61 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_PM_H_
#define _SSL_PM_H_
#ifdef __cplusplus
extern "C" {
#endif
#include <string.h>
#include "ssl_types.h"
#include "ssl_port.h"
#define LOCAL_ATRR
int ssl_pm_new(SSL *ssl);
void ssl_pm_free(SSL *ssl);
int ssl_pm_handshake(SSL *ssl);
int ssl_pm_shutdown(SSL *ssl);
int ssl_pm_clear(SSL *ssl);
int ssl_pm_read(SSL *ssl, void *buffer, int len);
int ssl_pm_send(SSL *ssl, const void *buffer, int len);
int ssl_pm_pending(const SSL *ssl);
void ssl_pm_set_fd(SSL *ssl, int fd, int mode);
int ssl_pm_get_fd(const SSL *ssl, int mode);
OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
void ssl_pm_set_bufflen(SSL *ssl, int len);
int x509_pm_show_info(X509 *x);
int x509_pm_new(X509 *x, X509 *m_x);
void x509_pm_free(X509 *x);
int x509_pm_load(X509 *x, const unsigned char *buffer, int len);
int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk);
void pkey_pm_free(EVP_PKEY *pk);
int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len);
long ssl_pm_get_verify_result(const SSL *ssl);
#ifdef __cplusplus
}
#endif
#endif

46
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_port.h vendored Normal file
View File

@@ -0,0 +1,46 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_PORT_H_
#define _SSL_PORT_H_
#ifdef __cplusplus
extern "C" {
#endif
#include "string.h"
#include "stdlib.h"
#if defined(LWS_HAVE_MALLOC_H)
#include "malloc.h"
#endif
void *ssl_mem_zalloc(size_t size);
#define ssl_mem_malloc malloc
#define ssl_mem_free free
#define ssl_memcpy memcpy
#define ssl_strlen strlen
#define ssl_speed_up_enter()
#define ssl_speed_up_exit()
#define SSL_DEBUG_FL
#define SSL_DEBUG_LOG(fmt, ...) ESP_LOGI("openssl", fmt, ##__VA_ARGS__)
#ifdef __cplusplus
}
#endif
#endif

87
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_cert.c vendored Normal file
View File

@@ -0,0 +1,87 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_cert.h"
#include "ssl_pkey.h"
#include "ssl_x509.h"
#include "ssl_dbg.h"
#include "ssl_port.h"
/**
* @brief create a certification object according to input certification
*/
CERT *__ssl_cert_new(CERT *ic)
{
CERT *cert;
X509 *ix;
EVP_PKEY *ipk;
cert = ssl_mem_zalloc(sizeof(CERT));
if (!cert) {
SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "no enough memory > (cert)");
goto no_mem;
}
if (ic) {
ipk = ic->pkey;
ix = ic->x509;
} else {
ipk = NULL;
ix = NULL;
}
cert->pkey = __EVP_PKEY_new(ipk);
if (!cert->pkey) {
SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL");
goto pkey_err;
}
cert->x509 = __X509_new(ix);
if (!cert->x509) {
SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__X509_new() return NULL");
goto x509_err;
}
return cert;
x509_err:
EVP_PKEY_free(cert->pkey);
pkey_err:
ssl_mem_free(cert);
no_mem:
return NULL;
}
/**
* @brief create a certification object include private key object
*/
CERT *ssl_cert_new(void)
{
return __ssl_cert_new(NULL);
}
/**
* @brief free a certification object
*/
void ssl_cert_free(CERT *cert)
{
SSL_ASSERT3(cert);
X509_free(cert->x509);
EVP_PKEY_free(cert->pkey);
ssl_mem_free(cert);
}

1736
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_lib.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

81
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c vendored Normal file
View File

@@ -0,0 +1,81 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_methods.h"
#include "ssl_pm.h"
/**
* TLS method function collection
*/
IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
ssl_pm_new, ssl_pm_free,
ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear,
ssl_pm_read, ssl_pm_send, ssl_pm_pending,
ssl_pm_set_fd, ssl_pm_get_fd,
ssl_pm_set_bufflen,
ssl_pm_get_verify_result,
ssl_pm_get_state);
/**
* TLS or SSL client method collection
*/
IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 0, TLS_method_func, TLS_client_method);
IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 0, TLS_method_func, TLSv1_2_client_method);
IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 0, TLS_method_func, TLSv1_1_client_method);
IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_client_method);
IMPLEMENT_SSL_METHOD(SSL3_VERSION, 0, TLS_method_func, SSLv3_client_method);
/**
* TLS or SSL server method collection
*/
IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 1, TLS_method_func, TLS_server_method);
IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 1, TLS_method_func, TLSv1_1_server_method);
IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 1, TLS_method_func, TLSv1_2_server_method);
IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_server_method);
IMPLEMENT_SSL_METHOD(SSL3_VERSION, 1, TLS_method_func, SSLv3_server_method);
/**
* TLS or SSL method collection
*/
IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, -1, TLS_method_func, TLS_method);
IMPLEMENT_SSL_METHOD(TLS1_2_VERSION, -1, TLS_method_func, TLSv1_2_method);
IMPLEMENT_SSL_METHOD(TLS1_1_VERSION, -1, TLS_method_func, TLSv1_1_method);
IMPLEMENT_SSL_METHOD(TLS1_VERSION, -1, TLS_method_func, TLSv1_method);
IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method);
/**
* @brief get X509 object method
*/
IMPLEMENT_X509_METHOD(X509_method,
x509_pm_new, x509_pm_free,
x509_pm_load, x509_pm_show_info);
/**
* @brief get private key object method
*/
IMPLEMENT_PKEY_METHOD(EVP_PKEY_method,
pkey_pm_new, pkey_pm_free,
pkey_pm_load);

239
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_pkey.c vendored Normal file
View File

@@ -0,0 +1,239 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_pkey.h"
#include "ssl_methods.h"
#include "ssl_dbg.h"
#include "ssl_port.h"
/**
* @brief create a private key object according to input private key
*/
EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk)
{
int ret;
EVP_PKEY *pkey;
pkey = ssl_mem_zalloc(sizeof(EVP_PKEY));
if (!pkey) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "no enough memory > (pkey)");
goto no_mem;
}
if (ipk) {
pkey->method = ipk->method;
} else {
pkey->method = EVP_PKEY_method();
}
ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk);
if (ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret);
goto failed;
}
return pkey;
failed:
ssl_mem_free(pkey);
no_mem:
return NULL;
}
/**
* @brief create a private key object
*/
EVP_PKEY* EVP_PKEY_new(void)
{
return __EVP_PKEY_new(NULL);
}
/**
* @brief free a private key object
*/
void EVP_PKEY_free(EVP_PKEY *pkey)
{
SSL_ASSERT3(pkey);
EVP_PKEY_METHOD_CALL(free, pkey);
ssl_mem_free(pkey);
}
/**
* @brief load a character key context into system context. If '*a' is pointed to the
* private key, then load key into it. Or create a new private key object
*/
EVP_PKEY *d2i_PrivateKey(int type,
EVP_PKEY **a,
const unsigned char **pp,
long length)
{
int m = 0;
int ret;
EVP_PKEY *pkey;
SSL_ASSERT2(pp);
SSL_ASSERT2(*pp);
SSL_ASSERT2(length);
if (a && *a) {
pkey = *a;
} else {
pkey = EVP_PKEY_new();;
if (!pkey) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL");
goto failed1;
}
m = 1;
}
ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length);
if (ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(load) return %d", ret);
goto failed2;
}
if (a)
*a = pkey;
return pkey;
failed2:
if (m)
EVP_PKEY_free(pkey);
failed1:
return NULL;
}
/**
* @brief set the SSL context private key
*/
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
{
SSL_ASSERT1(ctx);
SSL_ASSERT1(pkey);
if (ctx->cert->pkey == pkey)
return 1;
if (ctx->cert->pkey)
EVP_PKEY_free(ctx->cert->pkey);
ctx->cert->pkey = pkey;
return 1;
}
/**
* @brief set the SSL private key
*/
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(pkey);
if (ssl->cert->pkey == pkey)
return 1;
if (ssl->cert->pkey)
EVP_PKEY_free(ssl->cert->pkey);
ssl->cert->pkey = pkey;
return 1;
}
/**
* @brief load private key into the SSL context
*/
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
const unsigned char *d, long len)
{
int ret;
EVP_PKEY *pk;
pk = d2i_PrivateKey(0, NULL, &d, len);
if (!pk) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
goto failed1;
}
ret = SSL_CTX_use_PrivateKey(ctx, pk);
if (!ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_PrivateKey() return %d", ret);
goto failed2;
}
return 1;
failed2:
EVP_PKEY_free(pk);
failed1:
return 0;
}
/**
* @brief load private key into the SSL
*/
int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
const unsigned char *d, long len)
{
int ret;
EVP_PKEY *pk;
pk = d2i_PrivateKey(0, NULL, &d, len);
if (!pk) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
goto failed1;
}
ret = SSL_use_PrivateKey(ssl, pk);
if (!ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_PrivateKey() return %d", ret);
goto failed2;
}
return 1;
failed2:
EVP_PKEY_free(pk);
failed1:
return 0;
}
/**
* @brief load the private key file into SSL context
*/
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
return 0;
}
/**
* @brief load the private key file into SSL
*/
int SSL_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
return 0;
}
/**
* @brief load the RSA ASN1 private key into SSL context
*/
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
{
return SSL_CTX_use_PrivateKey_ASN1(0, ctx, d, len);
}

74
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_stack.c vendored Normal file
View File

@@ -0,0 +1,74 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_stack.h"
#include "ssl_dbg.h"
#include "ssl_port.h"
#ifndef CONFIG_MIN_NODES
#define MIN_NODES 4
#else
#define MIN_NODES CONFIG_MIN_NODES
#endif
/**
* @brief create a openssl stack object
*/
OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
{
OPENSSL_STACK *stack;
char **data;
stack = ssl_mem_zalloc(sizeof(OPENSSL_STACK));
if (!stack) {
SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (stack)");
goto no_mem1;
}
data = ssl_mem_zalloc(sizeof(*data) * MIN_NODES);
if (!data) {
SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (data)");
goto no_mem2;
}
stack->data = data;
stack->num_alloc = MIN_NODES;
stack->c = c;
return stack;
no_mem2:
ssl_mem_free(stack);
no_mem1:
return NULL;
}
/**
* @brief create a NULL function openssl stack object
*/
OPENSSL_STACK *OPENSSL_sk_new_null(void)
{
return OPENSSL_sk_new((OPENSSL_sk_compfunc)NULL);
}
/**
* @brief free openssl stack object
*/
void OPENSSL_sk_free(OPENSSL_STACK *stack)
{
SSL_ASSERT3(stack);
ssl_mem_free(stack->data);
ssl_mem_free(stack);
}

354
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_x509.c vendored Normal file
View File

@@ -0,0 +1,354 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_x509.h"
#include "ssl_methods.h"
#include "ssl_dbg.h"
#include "ssl_port.h"
#include <assert.h>
/**
* @brief show X509 certification information
*/
int __X509_show_info(X509 *x)
{
return X509_METHOD_CALL(show_info, x);
}
/**
* @brief create a X509 certification object according to input X509 certification
*/
X509* __X509_new(X509 *ix)
{
int ret;
X509 *x;
x = ssl_mem_zalloc(sizeof(X509));
if (!x) {
SSL_DEBUG(SSL_X509_ERROR_LEVEL, "no enough memory > (x)");
goto no_mem;
}
if (ix)
x->method = ix->method;
else
x->method = X509_method();
ret = X509_METHOD_CALL(new, x, ix);
if (ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(new) return %d", ret);
goto failed;
}
return x;
failed:
ssl_mem_free(x);
no_mem:
return NULL;
}
/**
* @brief create a X509 certification object
*/
X509* X509_new(void)
{
return __X509_new(NULL);
}
/**
* @brief free a X509 certification object
*/
void X509_free(X509 *x)
{
SSL_ASSERT3(x);
X509_METHOD_CALL(free, x);
ssl_mem_free(x);
};
/**
* @brief load a character certification context into system context. If '*cert' is pointed to the
* certification, then load certification into it. Or create a new X509 certification object
*/
X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
{
int m = 0;
int ret;
X509 *x;
SSL_ASSERT2(buffer);
SSL_ASSERT2(len);
if (cert && *cert) {
x = *cert;
} else {
x = X509_new();
if (!x) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL");
goto failed1;
}
m = 1;
}
ret = X509_METHOD_CALL(load, x, buffer, len);
if (ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret);
goto failed2;
}
return x;
failed2:
if (m)
X509_free(x);
failed1:
return NULL;
}
/**
* @brief return SSL X509 verify parameters
*/
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
{
return &ssl->param;
}
/**
* @brief set X509 host verification flags
*/
int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
unsigned long flags)
{
/* flags not supported yet */
return 0;
}
/**
* @brief clear X509 host verification flags
*/
int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
unsigned long flags)
{
/* flags not supported yet */
return 0;
}
/**
* @brief set SSL context client CA certification
*/
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
{
SSL_ASSERT1(ctx);
SSL_ASSERT1(x);
assert(ctx);
if (ctx->client_CA == x)
return 1;
X509_free(ctx->client_CA);
ctx->client_CA = x;
return 1;
}
/**
* @brief add CA client certification into the SSL
*/
int SSL_CTX_add_client_CA_ASN1(SSL_CTX *ctx, int len,
const unsigned char *d)
{
X509 *x;
x = d2i_X509(NULL, d, len);
if (!x) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
return 0;
}
SSL_ASSERT1(ctx);
X509_free(ctx->client_CA);
ctx->client_CA = x;
return 1;
}
/**
* @brief add CA client certification into the SSL
*/
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(x);
if (ssl->client_CA == x)
return 1;
X509_free(ssl->client_CA);
ssl->client_CA = x;
return 1;
}
/**
* @brief set the SSL context certification
*/
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
{
SSL_ASSERT1(ctx);
SSL_ASSERT1(x);
if (ctx->cert->x509 == x)
return 1;
X509_free(ctx->cert->x509);
ctx->cert->x509 = x;
return 1;
}
/**
* @brief set the SSL certification
*/
int SSL_use_certificate(SSL *ssl, X509 *x)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(x);
if (ssl->cert->x509 == x)
return 1;
X509_free(ssl->cert->x509);
ssl->cert->x509 = x;
return 1;
}
/**
* @brief get the SSL certification point
*/
X509 *SSL_get_certificate(const SSL *ssl)
{
SSL_ASSERT2(ssl);
return ssl->cert->x509;
}
/**
* @brief load certification into the SSL context
*/
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
const unsigned char *d)
{
int ret;
X509 *x;
x = d2i_X509(NULL, d, len);
if (!x) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
goto failed1;
}
ret = SSL_CTX_use_certificate(ctx, x);
if (!ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret);
goto failed2;
}
return 1;
failed2:
X509_free(x);
failed1:
return 0;
}
/**
* @brief load certification into the SSL
*/
int SSL_use_certificate_ASN1(SSL *ssl, int len,
const unsigned char *d)
{
int ret;
X509 *x;
x = d2i_X509(NULL, d, len);
if (!x) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
goto failed1;
}
ret = SSL_use_certificate(ssl, x);
if (!ret) {
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_certificate() return %d", ret);
goto failed2;
}
return 1;
failed2:
X509_free(x);
failed1:
return 0;
}
/**
* @brief load the certification file into SSL context
*/
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
return 0;
}
/**
* @brief load the certification file into SSL
*/
int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
{
return 0;
}
/**
* @brief get peer certification
*/
X509 *SSL_get_peer_certificate(const SSL *ssl)
{
SSL_ASSERT2(ssl);
return ssl->session->peer;
}
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
{
return X509_V_ERR_UNSPECIFIED;
}
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
{
return 0;
}
const char *X509_verify_cert_error_string(long n)
{
return "unknown";
}

907
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c vendored Executable file
View File

@@ -0,0 +1,907 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_pm.h"
#include "ssl_port.h"
#include "ssl_dbg.h"
/* mbedtls include */
#include "mbedtls/platform.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"
#include <libwebsockets.h>
#define X509_INFO_STRING_LENGTH 8192
struct ssl_pm
{
/* local socket file description */
mbedtls_net_context fd;
/* remote client socket file description */
mbedtls_net_context cl_fd;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_entropy_context entropy;
SSL *owner;
};
struct x509_pm
{
mbedtls_x509_crt *x509_crt;
mbedtls_x509_crt *ex_crt;
};
struct pkey_pm
{
mbedtls_pk_context *pkey;
mbedtls_pk_context *ex_pkey;
};
unsigned int max_content_len;
/*********************************************************************************************/
/************************************ SSL arch interface *************************************/
//#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
/* mbedtls debug level */
#define MBEDTLS_DEBUG_LEVEL 4
/**
* @brief mbedtls debug function
*/
static void ssl_platform_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
/* Shorten 'file' from the whole file path to just the filename
This is a bit wasteful because the macros are compiled in with
the full _FILE_ path in each case.
*/
// char *file_sep = rindex(file, '/');
// if(file_sep)
// file = file_sep + 1;
printf("%s:%d %s", file, line, str);
}
//#endif
/**
* @brief create SSL low-level object
*/
int ssl_pm_new(SSL *ssl)
{
struct ssl_pm *ssl_pm;
int ret;
const unsigned char pers[] = "OpenSSL PM";
size_t pers_len = sizeof(pers);
int endpoint;
int version;
const SSL_METHOD *method = ssl->method;
ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
if (!ssl_pm) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
goto no_mem;
}
ssl_pm->owner = ssl;
if (!ssl->ctx->read_buffer_len)
ssl->ctx->read_buffer_len = 2048;
max_content_len = ssl->ctx->read_buffer_len;
// printf("ssl->ctx->read_buffer_len = %d ++++++++++++++++++++\n", ssl->ctx->read_buffer_len);
mbedtls_net_init(&ssl_pm->fd);
mbedtls_net_init(&ssl_pm->cl_fd);
mbedtls_ssl_config_init(&ssl_pm->conf);
mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg);
mbedtls_entropy_init(&ssl_pm->entropy);
mbedtls_ssl_init(&ssl_pm->ssl);
ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
goto mbedtls_err1;
}
if (method->endpoint) {
endpoint = MBEDTLS_SSL_IS_SERVER;
} else {
endpoint = MBEDTLS_SSL_IS_CLIENT;
}
ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
goto mbedtls_err2;
}
if (TLS_ANY_VERSION != ssl->version) {
if (TLS1_2_VERSION == ssl->version)
version = MBEDTLS_SSL_MINOR_VERSION_3;
else if (TLS1_1_VERSION == ssl->version)
version = MBEDTLS_SSL_MINOR_VERSION_2;
else if (TLS1_VERSION == ssl->version)
version = MBEDTLS_SSL_MINOR_VERSION_1;
else
version = MBEDTLS_SSL_MINOR_VERSION_0;
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
} else {
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
}
mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
//#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
// mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
// mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
//#else
mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
//#endif
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
goto mbedtls_err2;
}
mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
ssl->ssl_pm = ssl_pm;
return 0;
mbedtls_err2:
mbedtls_ssl_config_free(&ssl_pm->conf);
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
mbedtls_err1:
mbedtls_entropy_free(&ssl_pm->entropy);
ssl_mem_free(ssl_pm);
no_mem:
return -1;
}
/**
* @brief free SSL low-level object
*/
void ssl_pm_free(SSL *ssl)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
mbedtls_entropy_free(&ssl_pm->entropy);
mbedtls_ssl_config_free(&ssl_pm->conf);
mbedtls_ssl_free(&ssl_pm->ssl);
ssl_mem_free(ssl_pm);
ssl->ssl_pm = NULL;
}
/**
* @brief reload SSL low-level certification object
*/
static int ssl_pm_reload_crt(SSL *ssl)
{
int ret;
int mode;
struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
mode = MBEDTLS_SSL_VERIFY_UNSET;
else
mode = MBEDTLS_SSL_VERIFY_NONE;
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
if (ca_pm->x509_crt) {
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
} else if (ca_pm->ex_crt) {
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
}
if (crt_pm->x509_crt && pkey_pm->pkey) {
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
} else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
} else {
ret = 0;
}
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
ret = -1;
}
return ret;
}
/*
* Perform the mbedtls SSL handshake instead of mbedtls_ssl_handshake.
* We can add debug here.
*/
static int mbedtls_handshake( mbedtls_ssl_context *ssl )
{
int ret = 0;
while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
ret = mbedtls_ssl_handshake_step(ssl);
lwsl_info("%s: ssl ret -%x state %d\n", __func__, -ret, ssl->state);
if (ret != 0)
break;
}
return ret;
}
#include <errno.h>
int ssl_pm_handshake(SSL *ssl)
{
int ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ssl->err = 0;
errno = 0;
ret = ssl_pm_reload_crt(ssl);
if (ret) {
printf("%s: cert reload failed\n", __func__);
return 0;
}
if (ssl_pm->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
ssl_speed_up_enter();
/* mbedtls return codes
* 0 = successful, or MBEDTLS_ERR_SSL_WANT_READ/WRITE
* anything else = death
*/
ret = mbedtls_handshake(&ssl_pm->ssl);
ssl_speed_up_exit();
} else
ret = 0;
/*
* OpenSSL return codes:
* 0 = did not complete, but may be retried
* 1 = successfully completed
* <0 = death
*/
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
ssl->err = ret;
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -ret);
return 0; /* OpenSSL: did not complete but may be retried */
}
if (ret == 0) { /* successful */
struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
x509_pm->ex_crt = (mbedtls_x509_crt *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);
return 1; /* openssl successful */
}
if (errno == 11) {
ssl->err = ret == MBEDTLS_ERR_SSL_WANT_READ;
return 0;
}
printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret);
/* it's had it */
ssl->err = SSL_ERROR_SYSCALL;
return -1; /* openssl death */
}
mbedtls_x509_crt *
ssl_ctx_get_mbedtls_x509_crt(SSL_CTX *ssl_ctx)
{
struct x509_pm *x509_pm = (struct x509_pm *)ssl_ctx->cert->x509->x509_pm;
if (!x509_pm)
return NULL;
return x509_pm->x509_crt;
}
mbedtls_x509_crt *
ssl_get_peer_mbedtls_x509_crt(SSL *ssl)
{
struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
if (!x509_pm)
return NULL;
return x509_pm->ex_crt;
}
int ssl_pm_shutdown(SSL *ssl)
{
int ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_close_notify() return -0x%x", -ret);
if (ret == MBEDTLS_ERR_NET_CONN_RESET)
ssl->err = SSL_ERROR_SYSCALL;
ret = -1; /* OpenSSL: "Call SSL_get_error with the return value to find the reason */
} else {
struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
x509_pm->ex_crt = NULL;
ret = 1; /* OpenSSL: "The shutdown was successfully completed"
...0 means retry */
}
return ret;
}
int ssl_pm_clear(SSL *ssl)
{
return ssl_pm_shutdown(ssl);
}
int ssl_pm_read(SSL *ssl, void *buffer, int len)
{
int ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
if (ret < 0) {
// lwsl_notice("%s: mbedtls_ssl_read says -0x%x\n", __func__, -ret);
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret);
if (ret == MBEDTLS_ERR_NET_CONN_RESET ||
ret <= MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) /* fatal errors */
ssl->err = SSL_ERROR_SYSCALL;
ret = -1;
}
return ret;
}
/*
* This returns -1, or the length sent.
* If -1, then you need to find out if the error was
* fatal or recoverable using SSL_get_error()
*/
int ssl_pm_send(SSL *ssl, const void *buffer, int len)
{
int ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
/*
* We can get a positive number, which may be less than len... that
* much was sent successfully and you can call again to send more.
*
* We can get a negative mbedtls error code... if WANT_WRITE or WANT_READ,
* it's nonfatal and means it should be retried as-is. If something else,
* it's fatal actually.
*
* If this function returns something other than a positive value or
* MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context becomes unusable, and
* you should either free it or call mbedtls_ssl_session_reset() on it
* before re-using it for a new connection; the current connection must
* be closed.
*
* When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be
* called later with the same arguments, until it returns a positive value.
*/
if (ret < 0) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
switch (ret) {
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_CONN_RESET:
ssl->err = SSL_ERROR_SYSCALL;
break;
case MBEDTLS_ERR_SSL_WANT_WRITE:
ssl->err = SSL_ERROR_WANT_WRITE;
break;
case MBEDTLS_ERR_SSL_WANT_READ:
ssl->err = SSL_ERROR_WANT_READ;
break;
default:
break;
}
ret = -1;
}
return ret;
}
int ssl_pm_pending(const SSL *ssl)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
return mbedtls_ssl_get_bytes_avail(&ssl_pm->ssl);
}
void ssl_pm_set_fd(SSL *ssl, int fd, int mode)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ssl_pm->fd.fd = fd;
}
int ssl_pm_get_fd(const SSL *ssl, int mode)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
return ssl_pm->fd.fd;
}
OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)
{
OSSL_HANDSHAKE_STATE state;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
switch (ssl_pm->ssl.state)
{
case MBEDTLS_SSL_CLIENT_HELLO:
state = TLS_ST_CW_CLNT_HELLO;
break;
case MBEDTLS_SSL_SERVER_HELLO:
state = TLS_ST_SW_SRVR_HELLO;
break;
case MBEDTLS_SSL_SERVER_CERTIFICATE:
state = TLS_ST_SW_CERT;
break;
case MBEDTLS_SSL_SERVER_HELLO_DONE:
state = TLS_ST_SW_SRVR_DONE;
break;
case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
state = TLS_ST_CW_KEY_EXCH;
break;
case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
state = TLS_ST_CW_CHANGE;
break;
case MBEDTLS_SSL_CLIENT_FINISHED:
state = TLS_ST_CW_FINISHED;
break;
case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
state = TLS_ST_SW_CHANGE;
break;
case MBEDTLS_SSL_SERVER_FINISHED:
state = TLS_ST_SW_FINISHED;
break;
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
state = TLS_ST_CW_CERT;
break;
case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
state = TLS_ST_SR_KEY_EXCH;
break;
case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
state = TLS_ST_SW_SESSION_TICKET;
break;
case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
state = TLS_ST_SW_CERT_REQ;
break;
case MBEDTLS_SSL_HANDSHAKE_OVER:
state = TLS_ST_OK;
break;
default :
state = TLS_ST_BEFORE;
break;
}
return state;
}
int x509_pm_show_info(X509 *x)
{
int ret;
char *buf;
mbedtls_x509_crt *x509_crt;
struct x509_pm *x509_pm = x->x509_pm;
if (x509_pm->x509_crt)
x509_crt = x509_pm->x509_crt;
else if (x509_pm->ex_crt)
x509_crt = x509_pm->ex_crt;
else
x509_crt = NULL;
if (!x509_crt)
return -1;
buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH);
if (!buf) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)");
goto no_mem;
}
ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt);
if (ret <= 0) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret);
goto mbedtls_err1;
}
buf[ret] = 0;
ssl_mem_free(buf);
SSL_DEBUG(SSL_DEBUG_ON, "%s", buf);
return 0;
mbedtls_err1:
ssl_mem_free(buf);
no_mem:
return -1;
}
int x509_pm_new(X509 *x, X509 *m_x)
{
struct x509_pm *x509_pm;
x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm));
if (!x509_pm) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)");
goto failed1;
}
x->x509_pm = x509_pm;
if (m_x) {
struct x509_pm *m_x509_pm = (struct x509_pm *)m_x->x509_pm;
x509_pm->ex_crt = m_x509_pm->x509_crt;
}
return 0;
failed1:
return -1;
}
void x509_pm_free(X509 *x)
{
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
if (x509_pm->x509_crt) {
mbedtls_x509_crt_free(x509_pm->x509_crt);
ssl_mem_free(x509_pm->x509_crt);
x509_pm->x509_crt = NULL;
}
ssl_mem_free(x->x509_pm);
x->x509_pm = NULL;
}
int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
{
int ret;
unsigned char *load_buf;
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
if (x509_pm->x509_crt)
mbedtls_x509_crt_free(x509_pm->x509_crt);
if (!x509_pm->x509_crt) {
x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
if (!x509_pm->x509_crt) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
goto no_mem;
}
}
mbedtls_x509_crt_init(x509_pm->x509_crt);
if (buffer[0] != 0x30) {
load_buf = ssl_mem_malloc(len + 1);
if (!load_buf) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
goto failed;
}
ssl_memcpy(load_buf, buffer, len);
load_buf[len] = '\0';
ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1);
ssl_mem_free(load_buf);
} else {
printf("parsing as der\n");
ret = mbedtls_x509_crt_parse_der(x509_pm->x509_crt, buffer, len);
}
if (ret) {
printf("mbedtls_x509_crt_parse return -0x%x", -ret);
goto failed;
}
return 0;
failed:
mbedtls_x509_crt_free(x509_pm->x509_crt);
ssl_mem_free(x509_pm->x509_crt);
x509_pm->x509_crt = NULL;
no_mem:
return -1;
}
int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey)
{
struct pkey_pm *pkey_pm;
pkey_pm = ssl_mem_zalloc(sizeof(struct pkey_pm));
if (!pkey_pm)
return -1;
pk->pkey_pm = pkey_pm;
if (m_pkey) {
struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm;
pkey_pm->ex_pkey = m_pkey_pm->pkey;
}
return 0;
}
void pkey_pm_free(EVP_PKEY *pk)
{
struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
if (pkey_pm->pkey) {
mbedtls_pk_free(pkey_pm->pkey);
ssl_mem_free(pkey_pm->pkey);
pkey_pm->pkey = NULL;
}
ssl_mem_free(pk->pkey_pm);
pk->pkey_pm = NULL;
}
int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
{
int ret;
unsigned char *load_buf;
struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
if (pkey_pm->pkey)
mbedtls_pk_free(pkey_pm->pkey);
if (!pkey_pm->pkey) {
pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context));
if (!pkey_pm->pkey) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)");
goto no_mem;
}
}
load_buf = ssl_mem_malloc(len + 1);
if (!load_buf) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
goto failed;
}
ssl_memcpy(load_buf, buffer, len);
load_buf[len] = '\0';
mbedtls_pk_init(pkey_pm->pkey);
ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len + 1, NULL, 0);
ssl_mem_free(load_buf);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret);
goto failed;
}
return 0;
failed:
mbedtls_pk_free(pkey_pm->pkey);
ssl_mem_free(pkey_pm->pkey);
pkey_pm->pkey = NULL;
no_mem:
return -1;
}
void ssl_pm_set_bufflen(SSL *ssl, int len)
{
max_content_len = len;
}
long ssl_pm_get_verify_result(const SSL *ssl)
{
uint32_t ret;
long verify_result;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
if (!ret)
return X509_V_OK;
if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ||
(ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED))
verify_result = X509_V_ERR_INVALID_CA;
else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) ||
(ret & MBEDTLS_X509_BADCRL_BAD_KEY))
verify_result = X509_V_ERR_CA_KEY_TOO_SMALL;
else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) ||
(ret & MBEDTLS_X509_BADCRL_BAD_MD))
verify_result = X509_V_ERR_CA_MD_TOO_WEAK;
else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) ||
(ret & MBEDTLS_X509_BADCRL_FUTURE))
verify_result = X509_V_ERR_CERT_NOT_YET_VALID;
else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) ||
(ret & MBEDTLS_X509_BADCRL_EXPIRED))
verify_result = X509_V_ERR_CERT_HAS_EXPIRED;
else
verify_result = X509_V_ERR_UNSPECIFIED;
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
"mbedtls_ssl_get_verify_result() return 0x%x", ret);
return verify_result;
}
/**
* @brief set expected hostname on peer cert CN
*/
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
char *name_cstr = NULL;
if (namelen) {
name_cstr = malloc(namelen + 1);
if (!name_cstr)
return 0;
memcpy(name_cstr, name, namelen);
name_cstr[namelen] = '\0';
name = name_cstr;
}
mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
if (namelen)
free(name_cstr);
return 1;
}
void _ssl_set_alpn_list(const SSL *ssl)
{
if (ssl->alpn_protos) {
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos))
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
return;
}
if (!ssl->ctx->alpn_protos)
return;
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos))
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
}
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned int *len)
{
const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl);
*data = (const unsigned char *)alp;
if (alp)
*len = strlen(alp);
else
*len = 0;
}
int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *,
const unsigned char *, size_t), void *param)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param);
return 0;
}
SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc)
{
struct ssl_pm *ssl_pm = (struct ssl_pm *)((char *)msc - offsetof(struct ssl_pm, ssl));
return ssl_pm->owner;
}
#include "ssl_cert.h"
void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
{
struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
int mode;
if (ssl->cert)
ssl_cert_free(ssl->cert);
ssl->ctx = ctx;
ssl->cert = __ssl_cert_new(ctx->cert);
if (ctx->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
mode = MBEDTLS_SSL_VERIFY_UNSET;
else
mode = MBEDTLS_SSL_VERIFY_NONE;
// printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode);
/* apply new ctx cert to ssl */
ssl->verify_mode = ctx->verify_mode;
mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL);
mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey);
mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode);
}

29
thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_port.c vendored Normal file
View File

@@ -0,0 +1,29 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_port.h"
/*********************************************************************************************/
/********************************* SSL general interface *************************************/
void *ssl_mem_zalloc(size_t size)
{
void *p = malloc(size);
if (p)
memset(p, 0, size);
return p;
}