1*1c60b9acSAndroid Build Coastguard Worker /*
2*1c60b9acSAndroid Build Coastguard Worker  * libwebsockets - small server side websockets and web server implementation
3*1c60b9acSAndroid Build Coastguard Worker  *
4*1c60b9acSAndroid Build Coastguard Worker  * Copyright (C) 2010 - 2019 Andy Green <[email protected]>
5*1c60b9acSAndroid Build Coastguard Worker  *
6*1c60b9acSAndroid Build Coastguard Worker  * Permission is hereby granted, free of charge, to any person obtaining a copy
7*1c60b9acSAndroid Build Coastguard Worker  * of this software and associated documentation files (the "Software"), to
8*1c60b9acSAndroid Build Coastguard Worker  * deal in the Software without restriction, including without limitation the
9*1c60b9acSAndroid Build Coastguard Worker  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10*1c60b9acSAndroid Build Coastguard Worker  * sell copies of the Software, and to permit persons to whom the Software is
11*1c60b9acSAndroid Build Coastguard Worker  * furnished to do so, subject to the following conditions:
12*1c60b9acSAndroid Build Coastguard Worker  *
13*1c60b9acSAndroid Build Coastguard Worker  * The above copyright notice and this permission notice shall be included in
14*1c60b9acSAndroid Build Coastguard Worker  * all copies or substantial portions of the Software.
15*1c60b9acSAndroid Build Coastguard Worker  *
16*1c60b9acSAndroid Build Coastguard Worker  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17*1c60b9acSAndroid Build Coastguard Worker  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18*1c60b9acSAndroid Build Coastguard Worker  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19*1c60b9acSAndroid Build Coastguard Worker  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20*1c60b9acSAndroid Build Coastguard Worker  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21*1c60b9acSAndroid Build Coastguard Worker  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22*1c60b9acSAndroid Build Coastguard Worker  * IN THE SOFTWARE.
23*1c60b9acSAndroid Build Coastguard Worker  */
24*1c60b9acSAndroid Build Coastguard Worker 
25*1c60b9acSAndroid Build Coastguard Worker #include "private-lib-core.h"
26*1c60b9acSAndroid Build Coastguard Worker 
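/*
 * lws_ssl_client_connect1() - drive one step of the client TLS handshake
 *
 * \param wsi:    the client connection whose TLS handshake is in progress
 * \param errbuf: buffer that receives a human-readable failure reason
 * \param len:    size of errbuf in bytes
 *
 * Returns 1 when the handshake has completed, 0 when it needs more service
 * (the wsi has been moved to LRS_WAITING_SSL and, if the TLS layer wanted
 * to write, a writable callback was requested), or -1 on failure.
 *
 * This only completes the TLS handshake itself.  The peer certificate is
 * NOT checked here: in this file that happens in lws_ssl_client_connect2()
 * via lws_tls_client_confirm_peer_cert(), which the caller is expected to
 * run before treating the connection as authenticated.
 */
static int
lws_ssl_client_connect1(struct lws *wsi, char *errbuf, size_t len)
{
	int n = lws_tls_client_connect(wsi, errbuf, len);

	switch (n) {
	case LWS_SSL_CAPABLE_DONE:
		/*
		 * Handshake finished: give back the handshake-phase TLS
		 * restriction (presumably the counterpart of the
		 * lws_tls_restrict_borrow() done in lws_client_create_tls()).
		 */
		lws_tls_restrict_return_handshake(wsi);
		lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
#if defined(LWS_WITH_CONMON)
		/* time from the conmon datum set when the handshake started */
		wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
					(lws_now_usecs() - wsi->conmon_datum);
#endif
		return 1; /* connected */

	case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
		lws_callback_on_writable(wsi);
		/* fallthru */
	case LWS_SSL_CAPABLE_MORE_SERVICE:
	case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
		lwsi_set_state(wsi, LRS_WAITING_SSL);
		return 0; /* retry */

	case LWS_SSL_CAPABLE_ERROR:
	default:
		/*
		 * Fail closed.  Previously an unrecognised status code fell out
		 * of the switch and was reported as "retry" without the wsi
		 * being moved to LRS_WAITING_SSL; treat it exactly like an
		 * explicit error instead.
		 */
		lws_tls_restrict_return_handshake(wsi);
		return -1;
	}
}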
56*1c60b9acSAndroid Build Coastguard Worker 
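/*
 * lws_ssl_client_connect2() - finish the client TLS handshake and verify
 *			       the peer certificate
 *
 * \param wsi:    the client connection
 * \param errbuf: buffer that receives a human-readable failure reason
 * \param len:    size of errbuf in bytes
 *
 * If the wsi is still in LRS_WAITING_SSL the handshake is advanced one step
 * first; a handshake that needs more service returns 0 (retry) and leaves
 * the wsi in LRS_WAITING_SSL.  In any other state the handshake is taken
 * to have already completed (eg, in lws_ssl_client_connect1()) and only the
 * peer certificate check is performed.
 *
 * Returns 1 when the handshake is complete AND
 * lws_tls_client_confirm_peer_cert() accepted the peer, 0 to retry later,
 * or -1 on handshake or verification failure (errbuf describes why).
 *
 * This is the only place in this file where the peer certificate is
 * checked, so callers must not treat a TLS client connection as
 * authenticated until this function has returned 1.
 */
int
lws_ssl_client_connect2(struct lws *wsi, char *errbuf, size_t len)
{
	if (lwsi_state(wsi) == LRS_WAITING_SSL) {
		int n = lws_tls_client_connect(wsi, errbuf, len);

		lwsl_debug("%s: SSL_connect says %d\n", __func__, n);

		switch (n) {
		case LWS_SSL_CAPABLE_DONE:
			break; /* handshake complete, go on to verify the peer */

		case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
			lws_callback_on_writable(wsi);
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
			lwsi_set_state(wsi, LRS_WAITING_SSL);
			/* fallthru */
		case LWS_SSL_CAPABLE_MORE_SERVICE:
			return 0; /* retry */

		case LWS_SSL_CAPABLE_ERROR:
		default:
			/*
			 * Fail closed.  Previously an unrecognised status code
			 * fell out of the switch and was handled as a completed
			 * handshake; anything we do not explicitly know is
			 * success or retry is an error.  lws_tls_client_connect()
			 * is expected to have filled errbuf with the reason.
			 */
			lws_tls_restrict_return_handshake(wsi);
			return -1;
		}
	}

	/* handshake is done one way or another: release the handshake slot */
	lws_tls_restrict_return_handshake(wsi);

	/*
	 * Peer certificate validation.  What exactly is checked (chain,
	 * hostname, per-connection policy flags) is decided inside
	 * lws_tls_client_confirm_peer_cert(); from here a failure is a hard
	 * error, never a retry.
	 */
	if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len)) {
		lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
		return -1;
	}

	lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
#if defined(LWS_WITH_CONMON)
	/* time from the conmon datum set when the handshake started */
	wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
					(lws_now_usecs() - wsi->conmon_datum);
#endif

	return 1; /* connected and peer accepted */
}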
99*1c60b9acSAndroid Build Coastguard Worker 
100*1c60b9acSAndroid Build Coastguard Worker 
/*
 * Prefer the client-specific creation-info member when the caller gave
 * one, otherwise fall back to the legacy shared ssl_... member (which may
 * itself be NULL).
 */
static const char *
client_ssl_prefer(const char *client_specific, const char *legacy)
{
	if (client_specific)
		return client_specific;

	return legacy;
}

/*
 * lws_context_init_client_ssl() - create the vhost's client-side TLS context
 *
 * \param info:  context creation info carrying cert / key / CA / cipher
 *		 settings, either the legacy ssl_* members or the
 *		 client_ssl_* overrides
 * \param vhost: the vhost that will own the client TLS context
 *
 * Returns 0 on success or when there was nothing to do, 1 if
 * lws_tls_client_create_vhost_context() failed.
 *
 * Nothing is created unless LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT is set in
 * info->options, and an existing vhost->tls.ssl_client_ctx is left alone.
 *
 * Security note: when the caller supplies its own OpenSSL context
 * (info->provided_client_ssl_ctx, non-mbedtls builds only) it is adopted
 * verbatim and none of the CA / cert / key / cipher settings from info are
 * applied to it, so the caller is responsible for having configured peer
 * verification on that context itself.
 *
 * If the vhost already has a (server) ssl_ctx, the legacy ssl_*_filepath
 * members are not reused for the client side; only the explicit
 * client_ssl_* members are honoured in that case.  What the client context
 * verifies against when no CA is given at all is decided inside
 * lws_tls_client_create_vhost_context(), not here.
 */
int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
				struct lws_vhost *vhost)
{
	/* legacy file paths are only a fallback when there is no server ctx */
	int legacy_paths_ok = !vhost->tls.ssl_ctx;
	const char *cipher_list, *ca_filepath, *cert_filepath, *key_filepath;
	lws_fakewsi_def_plwsa(&vhost->context->pt[0]);

	lws_fakewsi_prep_plwsa_ctx(vhost->context);

	if (vhost->options & LWS_SERVER_OPTION_ADOPT_APPLY_LISTEN_ACCEPT_CONFIG)
		return 0;

	cipher_list = client_ssl_prefer(info->client_ssl_cipher_list,
					info->ssl_cipher_list);
	ca_filepath = client_ssl_prefer(info->client_ssl_ca_filepath,
					legacy_paths_ok ?
						info->ssl_ca_filepath : NULL);
	cert_filepath = client_ssl_prefer(info->client_ssl_cert_filepath,
					  legacy_paths_ok ?
						info->ssl_cert_filepath : NULL);
	key_filepath = client_ssl_prefer(info->client_ssl_private_key_filepath,
					 legacy_paths_ok ?
					    info->ssl_private_key_filepath : NULL);

	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT) ||
	    vhost->tls.ssl_client_ctx)
		return 0;

#if !defined(LWS_WITH_MBEDTLS)
	if (info->provided_client_ssl_ctx) {
		/*
		 * Adopt the caller's OpenSSL context as-is.  Mark it user
		 * supplied so the library does not try to delete it later.
		 */
		vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
		vhost->tls.user_supplied_ssl_ctx = 1;

		return 0;
	}
#endif

	if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
						ca_filepath,
						info->client_ssl_ca_mem,
						info->client_ssl_ca_mem_len,
						cert_filepath,
						info->client_ssl_cert_mem,
						info->client_ssl_cert_mem_len,
						key_filepath,
						info->client_ssl_key_mem,
						info->client_ssl_key_mem_len))
		return 1;

	lwsl_info("created client ssl context for %s\n", vhost->name);

	/*
	 * Give protocols[0] a chance to add extra verify certs.  It receives
	 * a fake wsi that carries the context and vhost, so lws_get_context()
	 * works inside the callback, but it is not a real bound connection.
	 */
	plwsa->vhost = vhost;

	vhost->protocols[0].callback((struct lws *)plwsa,
			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
				     vhost->tls.ssl_client_ctx, NULL, 0);

	return 0;
}
180*1c60b9acSAndroid Build Coastguard Worker 
/*
 * lws_client_create_tls() - prepare TLS on a client connection and,
 *			     optionally, start the handshake
 *
 * \param wsi:   the client connection
 * \param pcce:  on CCTLS_RETURN_ERROR, set to a short reason string
 * \param do_c1: 0 to only create the SSL object / BIO, nonzero to also
 *		 drive the first handshake step via lws_ssl_client_connect1()
 *
 * Returns CCTLS_RETURN_DONE when nothing more is needed from this call,
 * CCTLS_RETURN_RETRY when the handshake needs more service (the caller
 * should return 0 and wait for the next service event), or
 * CCTLS_RETURN_ERROR on failure.
 *
 * May be called repeatedly: the SSL object is only created the first time,
 * while wsi->tls.ssl is still NULL.  A connection not flagged LCCSCF_USE_SSL
 * simply has its ssl pointer cleared.
 *
 * CCTLS_RETURN_DONE after a completed handshake does NOT mean the peer has
 * been verified: in this file lws_tls_client_confirm_peer_cert() is only
 * called from lws_ssl_client_connect2(), which the caller presumably runs
 * next.
 *
 * On a handshake error *pcce points into the per-service-thread serv_buf,
 * which looks like a shared scratch buffer; copy the text if it must
 * outlive this call.
 */
int
lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
{
	char *ebuf = (char *)wsi->a.context->pt[(int)wsi->tsi].serv_buf;
	size_t ebuf_len = wsi->a.context->pt_serv_buf_size;
	int n;

	if (!(wsi->tls.use_ssl & LCCSCF_USE_SSL)) {
		/* plaintext connection: make sure no stale ssl object is seen */
		wsi->tls.ssl = NULL;
		return CCTLS_RETURN_DONE;
	}

	/* we can retry this... just cook the SSL BIO the first time */
	if (!wsi->tls.ssl) {
#if defined(LWS_WITH_TLS)
		/*
		 * Borrow a handshake slot from the TLS restriction budget.  A
		 * transaction taken from the pipeline queue is exempt; it is
		 * presumably reusing an already-established connection.
		 */
		if (!wsi->transaction_from_pipeline_queue &&
		    lws_tls_restrict_borrow(wsi)) {
			*pcce = "tls restriction limit";
			return CCTLS_RETURN_ERROR;
		}
#endif
		if (lws_ssl_client_bio_create(wsi) < 0) {
			*pcce = "bio_create failed";
			return CCTLS_RETURN_ERROR;
		}
	}

	if (!do_c1)
		return CCTLS_RETURN_DONE;

	/* report the current caliper and rebind it to the tls metric */
	lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
	lws_metrics_caliper_bind(wsi->cal_conn, wsi->a.context->mt_conn_tls);
#if defined(LWS_WITH_CONMON)
	/* datum that the handshake duration is measured from */
	wsi->conmon_datum = lws_now_usecs();
#endif

	n = lws_ssl_client_connect1(wsi, ebuf, ebuf_len);
	lwsl_debug("%s: lws_ssl_client_connect1: %d\n", __func__, n);

	if (n > 0) {
		/* connect1 already reported the caliper on handshake completion */
		lws_tls_server_conn_alpn(wsi);

		return CCTLS_RETURN_DONE; /* OK */
	}

	if (n < 0) {
		*pcce = ebuf;
		lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);

		return CCTLS_RETURN_ERROR;
	}

	return CCTLS_RETURN_RETRY; /* caller should return 0 */
}