Update Files

Kinc/Sources/kinc/libs/core/tls-client.c

@@ -0,0 +1,238 @@
+/*
+ * libwebsockets - small server side websockets and web server implementation
+ *
+ * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include "private-lib-core.h"
+
+static int
+lws_ssl_client_connect1(struct lws *wsi, char *errbuf, size_t len)
+{
+	int n;
+
+	n = lws_tls_client_connect(wsi, errbuf, len);
+	switch (n) {
+	case LWS_SSL_CAPABLE_ERROR:
+		lws_tls_restrict_return_handshake(wsi);
+		return -1;
+	case LWS_SSL_CAPABLE_DONE:
+		lws_tls_restrict_return_handshake(wsi);
+		lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
+#if defined(LWS_WITH_CONMON)
+	wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
+					(lws_now_usecs() - wsi->conmon_datum);
+#endif
+		return 1; /* connected */
+	case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
+		lws_callback_on_writable(wsi);
+		/* fallthru */
+	case LWS_SSL_CAPABLE_MORE_SERVICE:
+	case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
+		lwsi_set_state(wsi, LRS_WAITING_SSL);
+		break;
+	}
+
+	return 0; /* retry */
+}
+
+int
+lws_ssl_client_connect2(struct lws *wsi, char *errbuf, size_t len)
+{
+	int n;
+
+	if (lwsi_state(wsi) == LRS_WAITING_SSL) {
+		n = lws_tls_client_connect(wsi, errbuf, len);
+		lwsl_debug("%s: SSL_connect says %d\n", __func__, n);
+
+		switch (n) {
+		case LWS_SSL_CAPABLE_ERROR:
+			lws_tls_restrict_return_handshake(wsi);
+
+			if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len)) {
+				lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
+				return -1;
+			}
+
+			// lws_snprintf(errbuf, len, "client connect failed");
+			return -1;
+		case LWS_SSL_CAPABLE_DONE:
+			break; /* connected */
+		case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
+			lws_callback_on_writable(wsi);
+			/* fallthru */
+		case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
+			lwsi_set_state(wsi, LRS_WAITING_SSL);
+			/* fallthru */
+		case LWS_SSL_CAPABLE_MORE_SERVICE:
+			return 0; /* retry */
+		}
+	}
+
+	lws_tls_restrict_return_handshake(wsi);
+
+	if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len)) {
+		lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
+		return -1;
+	}
+
+	lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
+#if defined(LWS_WITH_CONMON)
+	wsi->conmon.ciu_tls = (lws_conmon_interval_us_t)
+					(lws_now_usecs() - wsi->conmon_datum);
+#endif
+
+	return 1; /* connected */
+}
+
+
+int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
+				struct lws_vhost *vhost)
+{
+	const char *private_key_filepath = info->ssl_private_key_filepath;
+	const char *cert_filepath = info->ssl_cert_filepath;
+	const char *ca_filepath = info->ssl_ca_filepath;
+	const char *cipher_list = info->ssl_cipher_list;
+	lws_fakewsi_def_plwsa(&vhost->context->pt[0]);
+
+	lws_fakewsi_prep_plwsa_ctx(vhost->context);
+
+	if (vhost->options & LWS_SERVER_OPTION_ADOPT_APPLY_LISTEN_ACCEPT_CONFIG)
+		return 0;
+
+	if (vhost->tls.ssl_ctx) {
+		cert_filepath = NULL;
+		private_key_filepath = NULL;
+		ca_filepath = NULL;
+	}
+
+	/*
+	 *  for backwards-compatibility default to using ssl_... members, but
+	 * if the newer client-specific ones are given, use those
+	 */
+	if (info->client_ssl_cipher_list)
+		cipher_list = info->client_ssl_cipher_list;
+	if (info->client_ssl_cert_filepath)
+		cert_filepath = info->client_ssl_cert_filepath;
+	if (info->client_ssl_private_key_filepath)
+		private_key_filepath = info->client_ssl_private_key_filepath;
+
+	if (info->client_ssl_ca_filepath)
+		ca_filepath = info->client_ssl_ca_filepath;
+
+	if (vhost->tls.ssl_client_ctx)
+		return 0;
+
+#if !defined(LWS_WITH_MBEDTLS)
+	if (info->provided_client_ssl_ctx) {
+		/* use the provided OpenSSL context if given one */
+		vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
+		/* nothing for lib to delete */
+		vhost->tls.user_supplied_ssl_ctx = 1;
+
+		return 0;
+	}
+#endif
+
+	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
+		return 0;
+
+	if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
+						ca_filepath,
+						info->client_ssl_ca_mem,
+						info->client_ssl_ca_mem_len,
+						cert_filepath,
+						info->client_ssl_cert_mem,
+						info->client_ssl_cert_mem_len,
+						private_key_filepath,
+						info->client_ssl_key_mem,
+						info->client_ssl_key_mem_len
+						))
+		return 1;
+
+	lwsl_info("created client ssl context for %s\n", vhost->name);
+
+	/*
+	 * give him a fake wsi with context set, so he can use
+	 * lws_get_context() in the callback
+	 */
+
+	plwsa->vhost = vhost; /* not a real bound wsi */
+
+	vhost->protocols[0].callback((struct lws *)plwsa,
+			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
+				     vhost->tls.ssl_client_ctx, NULL, 0);
+
+	return 0;
+}
+
+int
+lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
+{
+	/* we can retry this... just cook the SSL BIO the first time */
+
+	if (wsi->tls.use_ssl & LCCSCF_USE_SSL) {
+		int n;
+
+		if (!wsi->tls.ssl) {
+
+#if defined(LWS_WITH_TLS)
+			if (!wsi->transaction_from_pipeline_queue &&
+			    lws_tls_restrict_borrow(wsi)) {
+				*pcce = "tls restriction limit";
+				return CCTLS_RETURN_ERROR;
+			}
+#endif
+			if (lws_ssl_client_bio_create(wsi) < 0) {
+				*pcce = "bio_create failed";
+				return CCTLS_RETURN_ERROR;
+			}
+		}
+
+		if (!do_c1)
+			return CCTLS_RETURN_DONE;
+
+		lws_metrics_caliper_report(wsi->cal_conn, METRES_GO);
+		lws_metrics_caliper_bind(wsi->cal_conn, wsi->a.context->mt_conn_tls);
+#if defined(LWS_WITH_CONMON)
+		wsi->conmon_datum = lws_now_usecs();
+#endif
+
+		n = lws_ssl_client_connect1(wsi, (char *)wsi->a.context->pt[(int)wsi->tsi].serv_buf,
+					    wsi->a.context->pt_serv_buf_size);
+		lwsl_debug("%s: lws_ssl_client_connect1: %d\n", __func__, n);
+		if (!n)
+			return CCTLS_RETURN_RETRY; /* caller should return 0 */
+
+		if (n < 0) {
+			*pcce = (const char *)wsi->a.context->pt[(int)wsi->tsi].serv_buf;
+			lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
+			return CCTLS_RETURN_ERROR;
+		}
+		/* ...connect1 already handled caliper if SSL_accept done */
+
+		lws_tls_server_conn_alpn(wsi);
+
+	} else
+		wsi->tls.ssl = NULL;
+
+	return CCTLS_RETURN_DONE; /* OK */
+}