lib/tls/mbedtls/mbedtls-client.c - platform/external/libwebsockets - Git at Google

 /*
  * libwebsockets - mbedtls-specific client TLS code
  *
  * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation:
  *  version 2.1 of the License.
  *
  *  This library is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  *  Lesser General Public License for more details.
  *
  *  You should have received a copy of the GNU Lesser General Public
  *  License along with this library; if not, write to the Free Software
  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  *  MA  02110-1301  USA
  */

 #include "private-libwebsockets.h"

 static int
 OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
 	return 0;
 }

 int
 lws_ssl_client_bio_create(struct lws *wsi)
 {
 	X509_VERIFY_PARAM *param;
 	char hostname[128], *p;

 	if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
 			 _WSI_TOKEN_CLIENT_HOST) <= 0) {
 		lwsl_err("%s: Unable to get hostname\n", __func__);

 		return -1;
 	}

 	/*
 	 * remove any :port part on the hostname... necessary for network
 	 * connection but typical certificates do not contain it
 	 */
 	p = hostname;
 	while (*p) {
 		if (*p == ':') {
 			*p = '\0';
 			break;
 		}
 		p++;
 	}

 	wsi->ssl = SSL_new(wsi->vhost->ssl_client_ctx);
 	if (!wsi->ssl)
 		return -1;

 	if (wsi->vhost->ssl_info_event_mask)
 		SSL_set_info_callback(wsi->ssl, lws_ssl_info_callback);

 	if (!(wsi->use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
 		param = SSL_get0_param(wsi->ssl);
 		/* Enable automatic hostname checks */
 	//	X509_VERIFY_PARAM_set_hostflags(param,
 	//				X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, hostname, 0);
 	}

 	/*
 	 * use server name indication (SNI), if supported,
 	 * when establishing connection
 	 */
 	if (wsi->vhost->x509_client_CA)
 		SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER,
 			       OpenSSL_client_verify_callback);
 	else
 		SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE,
 			       OpenSSL_client_verify_callback);

 	SSL_set_fd(wsi->ssl, wsi->desc.sockfd);

 	return 0;
 }

 int ERR_get_error(void)
 {
 	return 0;
 }

 enum lws_ssl_capable_status
 lws_tls_client_connect(struct lws *wsi)
 {
 	int m, n = SSL_connect(wsi->ssl);

 	if (n == 1)
 		return LWS_SSL_CAPABLE_DONE;

 	m = SSL_get_error(wsi->ssl, n);

 	if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->ssl))
 		return LWS_SSL_CAPABLE_MORE_SERVICE_READ;

 	if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->ssl))
 		return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;

 	if (!n) /* we don't know what he wants, but he says to retry */
 		return LWS_SSL_CAPABLE_MORE_SERVICE;

 	return LWS_SSL_CAPABLE_ERROR;
 }

 int
 lws_tls_client_confirm_peer_cert(struct lws *wsi)
 {
 	X509 *peer = SSL_get_peer_certificate(wsi->ssl);

 	if (!peer) {
 		lwsl_info("peer did not provide cert\n");

 		return -1;
 	}
 	lwsl_info("peer provided cert\n");

 	return 0;
 }

 int
 lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    struct lws_context_creation_info *info,
 				    const char *cipher_list,
 				    const char *ca_filepath,
 				    const char *cert_filepath,
 				    const char *private_key_filepath)
 {
 	X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
 	SSL_METHOD *method = (SSL_METHOD *)TLS_client_method();
 	unsigned long error;
 	lws_filepos_t len;
 	uint8_t *buf;

 	if (!method) {
 		error = ERR_get_error();
 		lwsl_err("problem creating ssl method %lu: %s\n",
 			error, ERR_error_string(error,
 				      (char *)vh->context->pt[0].serv_buf));
 		return 1;
 	}
 	/* create context */
 	vh->ssl_client_ctx = SSL_CTX_new(method);
 	if (!vh->ssl_client_ctx) {
 		error = ERR_get_error();
 		lwsl_err("problem creating ssl context %lu: %s\n",
 			error, ERR_error_string(error,
 				      (char *)vh->context->pt[0].serv_buf));
 		return 1;
 	}

 	if (!ca_filepath)
 		return 0;

 	if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
 		lwsl_err("Load CA cert file %s failed\n", ca_filepath);
 		return 1;
 	}

 	vh->x509_client_CA = d2i_X509(NULL, buf, len);
 	free(buf);
 	if (!vh->x509_client_CA) {
 		lwsl_err("client CA: x509 parse failed\n");
 		return 1;
 	}

 	// SSL_CTX_add_client_CA(vh->ssl_client_ctx, vh->x509_client_CA);
 	SSL_CTX_add_client_CA(vh->ssl_ctx, vh->x509_client_CA);

 	lwsl_notice("client loaded CA for verification %s\n", ca_filepath);

 	return 0;
 }
	/*
	* libwebsockets - mbedtls-specific client TLS code
	*
	* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation:
	* version 2.1 of the License.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
	* MA 02110-1301 USA
	*/

	#include "private-libwebsockets.h"

	static int
	OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
	{
	return 0;
	}

	int
	lws_ssl_client_bio_create(struct lws *wsi)
	{
	X509_VERIFY_PARAM *param;
	char hostname[128], *p;

	if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
	_WSI_TOKEN_CLIENT_HOST) <= 0) {
	lwsl_err("%s: Unable to get hostname\n", __func__);

	return -1;
	}

	/*
	* remove any :port part on the hostname... necessary for network
	* connection but typical certificates do not contain it
	*/
	p = hostname;
	while (*p) {
	if (*p == ':') {
	*p = '\0';
	break;
	}
	p++;
	}

	wsi->ssl = SSL_new(wsi->vhost->ssl_client_ctx);
	if (!wsi->ssl)
	return -1;

	if (wsi->vhost->ssl_info_event_mask)
	SSL_set_info_callback(wsi->ssl, lws_ssl_info_callback);

	if (!(wsi->use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
	param = SSL_get0_param(wsi->ssl);
	/* Enable automatic hostname checks */
	// X509_VERIFY_PARAM_set_hostflags(param,
	// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	X509_VERIFY_PARAM_set1_host(param, hostname, 0);
	}

	/*
	* use server name indication (SNI), if supported,
	* when establishing connection
	*/
	if (wsi->vhost->x509_client_CA)
	SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER,
	OpenSSL_client_verify_callback);
	else
	SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE,
	OpenSSL_client_verify_callback);

	SSL_set_fd(wsi->ssl, wsi->desc.sockfd);

	return 0;
	}

	int ERR_get_error(void)
	{
	return 0;
	}

	enum lws_ssl_capable_status
	lws_tls_client_connect(struct lws *wsi)
	{
	int m, n = SSL_connect(wsi->ssl);

	if (n == 1)
	return LWS_SSL_CAPABLE_DONE;

	m = SSL_get_error(wsi->ssl, n);

	if (m == SSL_ERROR_WANT_READ \|\| SSL_want_read(wsi->ssl))
	return LWS_SSL_CAPABLE_MORE_SERVICE_READ;

	if (m == SSL_ERROR_WANT_WRITE \|\| SSL_want_write(wsi->ssl))
	return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;

	if (!n) /* we don't know what he wants, but he says to retry */
	return LWS_SSL_CAPABLE_MORE_SERVICE;

	return LWS_SSL_CAPABLE_ERROR;
	}

	int
	lws_tls_client_confirm_peer_cert(struct lws *wsi)
	{
	X509 *peer = SSL_get_peer_certificate(wsi->ssl);

	if (!peer) {
	lwsl_info("peer did not provide cert\n");

	return -1;
	}
	lwsl_info("peer provided cert\n");

	return 0;
	}

	int
	lws_tls_client_create_vhost_context(struct lws_vhost *vh,
	struct lws_context_creation_info *info,
	const char *cipher_list,
	const char *ca_filepath,
	const char *cert_filepath,
	const char *private_key_filepath)
	{
	X509 d2i_X509(X509 cert, const unsigned char buffer, long len);
	SSL_METHOD method = (SSL_METHOD )TLS_client_method();
	unsigned long error;
	lws_filepos_t len;
	uint8_t *buf;

	if (!method) {
	error = ERR_get_error();
	lwsl_err("problem creating ssl method %lu: %s\n",
	error, ERR_error_string(error,
	(char *)vh->context->pt[0].serv_buf));
	return 1;
	}
	/* create context */
	vh->ssl_client_ctx = SSL_CTX_new(method);
	if (!vh->ssl_client_ctx) {
	error = ERR_get_error();
	lwsl_err("problem creating ssl context %lu: %s\n",
	error, ERR_error_string(error,
	(char *)vh->context->pt[0].serv_buf));
	return 1;
	}

	if (!ca_filepath)
	return 0;

	if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
	lwsl_err("Load CA cert file %s failed\n", ca_filepath);
	return 1;
	}

	vh->x509_client_CA = d2i_X509(NULL, buf, len);
	free(buf);
	if (!vh->x509_client_CA) {
	lwsl_err("client CA: x509 parse failed\n");
	return 1;
	}

	// SSL_CTX_add_client_CA(vh->ssl_client_ctx, vh->x509_client_CA);
	SSL_CTX_add_client_CA(vh->ssl_ctx, vh->x509_client_CA);

	lwsl_notice("client loaded CA for verification %s\n", ca_filepath);

	return 0;
	}