summaryrefslogtreecommitdiff
path: root/thirdparty/libwebsockets/lib/tls
diff options
context:
space:
mode:
authorRĂ©mi Verschelde <rverschelde@gmail.com>2019-05-02 08:15:23 +0200
committerGitHub <noreply@github.com>2019-05-02 08:15:23 +0200
commitb7cd9794fe5b38b6a60c9ce64ca9bf1bab1d7813 (patch)
tree3b0f365ad3ea1cebd50985293cd49617153b5ac6 /thirdparty/libwebsockets/lib/tls
parentc2c56ee3975ec9744088d5328462818a5980a5a0 (diff)
parentbe414e4476371567a824099767b6c91a0123d626 (diff)
Merge pull request #28568 from Faless/net/lws_rollback_3.0.1_pr
Roll back libwebsockets to version 3.0.1
Diffstat (limited to 'thirdparty/libwebsockets/lib/tls')
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/lws-genhash.c202
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/lws-genrsa.c329
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-client.c245
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-server.c699
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/ssl.c509
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl3.h44
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h55
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_code.h124
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_dbg.h190
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_lib.h30
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h121
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h86
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_stack.h52
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h303
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_x509.h110
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/tls1.h58
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/x509_vfy.h116
-rwxr-xr-xthirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/openssl/ssl.h1833
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h61
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_port.h46
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_cert.c87
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_lib.c1736
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c81
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_pkey.c239
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_stack.c74
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_x509.c354
-rwxr-xr-xthirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c907
-rw-r--r--thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_port.c29
-rw-r--r--thirdparty/libwebsockets/lib/tls/private.h286
-rw-r--r--thirdparty/libwebsockets/lib/tls/tls-client.c153
-rw-r--r--thirdparty/libwebsockets/lib/tls/tls-server.c388
-rw-r--r--thirdparty/libwebsockets/lib/tls/tls.c505
32 files changed, 0 insertions, 10052 deletions
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genhash.c b/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genhash.c
deleted file mode 100644
index ce4ee6e382..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genhash.c
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * libwebsockets - generic hash and HMAC api hiding the backend
- *
- * Copyright (C) 2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- *
- * lws_genhash provides a hash / hmac abstraction api in lws that works the
- * same whether you are using openssl or mbedtls hash functions underneath.
- */
-#include "libwebsockets.h"
-#include <mbedtls/version.h>
-
-#if (MBEDTLS_VERSION_NUMBER >= 0x02070000)
-#define MBA(fn) fn##_ret
-#else
-#define MBA(fn) fn
-#endif
-
-size_t
-lws_genhash_size(enum lws_genhash_types type)
-{
- switch(type) {
- case LWS_GENHASH_TYPE_SHA1:
- return 20;
- case LWS_GENHASH_TYPE_SHA256:
- return 32;
- case LWS_GENHASH_TYPE_SHA384:
- return 48;
- case LWS_GENHASH_TYPE_SHA512:
- return 64;
- }
-
- return 0;
-}
-
-int
-lws_genhash_init(struct lws_genhash_ctx *ctx, enum lws_genhash_types type)
-{
- ctx->type = type;
-
- switch (ctx->type) {
- case LWS_GENHASH_TYPE_SHA1:
- mbedtls_sha1_init(&ctx->u.sha1);
- MBA(mbedtls_sha1_starts)(&ctx->u.sha1);
- break;
- case LWS_GENHASH_TYPE_SHA256:
- mbedtls_sha256_init(&ctx->u.sha256);
- MBA(mbedtls_sha256_starts)(&ctx->u.sha256, 0);
- break;
- case LWS_GENHASH_TYPE_SHA384:
- mbedtls_sha512_init(&ctx->u.sha512);
- MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 1 /* is384 */);
- break;
- case LWS_GENHASH_TYPE_SHA512:
- mbedtls_sha512_init(&ctx->u.sha512);
- MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 0);
- break;
- default:
- return 1;
- }
-
- return 0;
-}
-
-int
-lws_genhash_update(struct lws_genhash_ctx *ctx, const void *in, size_t len)
-{
- switch (ctx->type) {
- case LWS_GENHASH_TYPE_SHA1:
- MBA(mbedtls_sha1_update)(&ctx->u.sha1, in, len);
- break;
- case LWS_GENHASH_TYPE_SHA256:
- MBA(mbedtls_sha256_update)(&ctx->u.sha256, in, len);
- break;
- case LWS_GENHASH_TYPE_SHA384:
- MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len);
- break;
- case LWS_GENHASH_TYPE_SHA512:
- MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len);
- break;
- }
-
- return 0;
-}
-
-int
-lws_genhash_destroy(struct lws_genhash_ctx *ctx, void *result)
-{
- switch (ctx->type) {
- case LWS_GENHASH_TYPE_SHA1:
- MBA(mbedtls_sha1_finish)(&ctx->u.sha1, result);
- mbedtls_sha1_free(&ctx->u.sha1);
- break;
- case LWS_GENHASH_TYPE_SHA256:
- MBA(mbedtls_sha256_finish)(&ctx->u.sha256, result);
- mbedtls_sha256_free(&ctx->u.sha256);
- break;
- case LWS_GENHASH_TYPE_SHA384:
- MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result);
- mbedtls_sha512_free(&ctx->u.sha512);
- break;
- case LWS_GENHASH_TYPE_SHA512:
- MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result);
- mbedtls_sha512_free(&ctx->u.sha512);
- break;
- }
-
- return 0;
-}
-
-size_t
-lws_genhmac_size(enum lws_genhmac_types type)
-{
- switch(type) {
- case LWS_GENHMAC_TYPE_SHA256:
- return 32;
- case LWS_GENHMAC_TYPE_SHA384:
- return 48;
- case LWS_GENHMAC_TYPE_SHA512:
- return 64;
- }
-
- return 0;
-}
-
-int
-lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type,
- const uint8_t *key, size_t key_len)
-{
- int t;
-
- ctx->type = type;
-
- switch (type) {
- case LWS_GENHMAC_TYPE_SHA256:
- t = MBEDTLS_MD_SHA256;
- break;
- case LWS_GENHMAC_TYPE_SHA384:
- t = MBEDTLS_MD_SHA384;
- break;
- case LWS_GENHMAC_TYPE_SHA512:
- t = MBEDTLS_MD_SHA512;
- break;
- default:
- return -1;
- }
-
- ctx->hmac = mbedtls_md_info_from_type(t);
- if (!ctx->hmac)
- return -1;
-
- if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
- return -1;
-
- if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len)) {
- mbedtls_md_free(&ctx->ctx);
- ctx->hmac = NULL;
-
- return -1;
- }
-
- return 0;
-}
-
-int
-lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len)
-{
- if (mbedtls_md_hmac_update(&ctx->ctx, in, len))
- return -1;
-
- return 0;
-}
-
-int
-lws_genhmac_destroy(struct lws_genhmac_ctx *ctx, void *result)
-{
- int n = 0;
-
- if (result)
- n = mbedtls_md_hmac_finish(&ctx->ctx, result);
-
- mbedtls_md_free(&ctx->ctx);
- ctx->hmac = NULL;
- if (n)
- return -1;
-
- return 0;
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genrsa.c b/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genrsa.c
deleted file mode 100644
index 99b2e75653..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/lws-genrsa.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * libwebsockets - generic RSA api hiding the backend
- *
- * Copyright (C) 2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- *
- * lws_genhash provides a hash / hmac abstraction api in lws that works the
- * same whether you are using openssl or mbedtls hash functions underneath.
- */
-#include "core/private.h"
-
-LWS_VISIBLE void
-lws_jwk_destroy_genrsa_elements(struct lws_genrsa_elements *el)
-{
- int n;
-
- for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
- if (el->e[n].buf)
- lws_free_set_NULL(el->e[n].buf);
-}
-
-LWS_VISIBLE int
-lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_genrsa_elements *el)
-{
- memset(ctx, 0, sizeof(*ctx));
- ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
- if (!ctx->ctx)
- return 1;
-
- mbedtls_rsa_init(ctx->ctx, MBEDTLS_RSA_PKCS_V15, 0);
-
- {
- int n;
-
- mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
- &ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
- &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
- &ctx->ctx->QP,
- };
-
- for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
- if (el->e[n].buf &&
- mbedtls_mpi_read_binary(mpi[n], el->e[n].buf,
- el->e[n].len)) {
- lwsl_notice("mpi load failed\n");
- lws_free_set_NULL(ctx->ctx);
-
- return -1;
- }
- }
-
- ctx->ctx->len = el->e[JWK_KEY_N].len;
-
- return 0;
-}
-
-static int
-_rngf(void *context, unsigned char *buf, size_t len)
-{
- if ((size_t)lws_get_random(context, buf, len) == len)
- return 0;
-
- return -1;
-}
-
-LWS_VISIBLE int
-lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx,
- struct lws_genrsa_elements *el, int bits)
-{
- int n;
-
- memset(ctx, 0, sizeof(*ctx));
- ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
- if (!ctx->ctx)
- return -1;
-
- mbedtls_rsa_init(ctx->ctx, MBEDTLS_RSA_PKCS_V15, 0);
-
- n = mbedtls_rsa_gen_key(ctx->ctx, _rngf, context, bits, 65537);
- if (n) {
- lwsl_err("mbedtls_rsa_gen_key failed 0x%x\n", -n);
- goto cleanup_1;
- }
-
- {
- mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
- &ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
- &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
- &ctx->ctx->QP,
- };
-
- for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
- if (mbedtls_mpi_size(mpi[n])) {
- el->e[n].buf = lws_malloc(
- mbedtls_mpi_size(mpi[n]), "genrsakey");
- if (!el->e[n].buf)
- goto cleanup;
- el->e[n].len = mbedtls_mpi_size(mpi[n]);
- mbedtls_mpi_write_binary(mpi[n], el->e[n].buf,
- el->e[n].len);
- }
- }
-
- return 0;
-
-cleanup:
- for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++)
- if (el->e[n].buf)
- lws_free_set_NULL(el->e[n].buf);
-cleanup_1:
- lws_free(ctx->ctx);
-
- return -1;
-}
-
-LWS_VISIBLE int
-lws_genrsa_public_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
- size_t in_len, uint8_t *out, size_t out_max)
-{
- size_t olen = 0;
- int n;
-
- ctx->ctx->len = in_len;
- n = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx->ctx, NULL, NULL,
- MBEDTLS_RSA_PUBLIC,
- &olen, in, out, out_max);
- if (n) {
- lwsl_notice("%s: -0x%x\n", __func__, -n);
-
- return -1;
- }
-
- return olen;
-}
-
-LWS_VISIBLE int
-lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
- size_t in_len, uint8_t *out)
-{
- int n;
-
- ctx->ctx->len = in_len;
- n = mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx->ctx, NULL, NULL,
- MBEDTLS_RSA_PRIVATE,
- in_len, in, out);
- if (n) {
- lwsl_notice("%s: -0x%x\n", __func__, -n);
-
- return -1;
- }
-
- return 0;
-}
-
-static int
-lws_genrsa_genrsa_hash_to_mbed_hash(enum lws_genhash_types hash_type)
-{
- int h = -1;
-
- switch (hash_type) {
- case LWS_GENHASH_TYPE_SHA1:
- h = MBEDTLS_MD_SHA1;
- break;
- case LWS_GENHASH_TYPE_SHA256:
- h = MBEDTLS_MD_SHA256;
- break;
- case LWS_GENHASH_TYPE_SHA384:
- h = MBEDTLS_MD_SHA384;
- break;
- case LWS_GENHASH_TYPE_SHA512:
- h = MBEDTLS_MD_SHA512;
- break;
- }
-
- return h;
-}
-
-LWS_VISIBLE int
-lws_genrsa_public_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
- enum lws_genhash_types hash_type, const uint8_t *sig,
- size_t sig_len)
-{
- int n, h = lws_genrsa_genrsa_hash_to_mbed_hash(hash_type);
-
- if (h < 0)
- return -1;
-
- n = mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx->ctx, NULL, NULL,
- MBEDTLS_RSA_PUBLIC,
- h, 0, in, sig);
- if (n < 0) {
- lwsl_notice("%s: -0x%x\n", __func__, -n);
-
- return -1;
- }
-
- return n;
-}
-
-LWS_VISIBLE int
-lws_genrsa_public_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
- enum lws_genhash_types hash_type, uint8_t *sig,
- size_t sig_len)
-{
- int n, h = lws_genrsa_genrsa_hash_to_mbed_hash(hash_type);
-
- if (h < 0)
- return -1;
-
- /*
- * The "sig" buffer must be as large as the size of ctx->N
- * (eg. 128 bytes if RSA-1024 is used).
- */
- if (sig_len < ctx->ctx->len)
- return -1;
-
- n = mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx->ctx, NULL, NULL,
- MBEDTLS_RSA_PRIVATE, h, 0, in,
- sig);
- if (n < 0) {
- lwsl_notice("%s: -0x%x\n", __func__, -n);
-
- return -1;
- }
-
- return ctx->ctx->len;
-}
-
-LWS_VISIBLE int
-lws_genrsa_render_pkey_asn1(struct lws_genrsa_ctx *ctx, int _private,
- uint8_t *pkey_asn1, size_t pkey_asn1_len)
-{
- uint8_t *p = pkey_asn1, *totlen, *end = pkey_asn1 + pkey_asn1_len - 1;
- mbedtls_mpi *mpi[LWS_COUNT_RSA_ELEMENTS] = {
- &ctx->ctx->N, &ctx->ctx->E, &ctx->ctx->D, &ctx->ctx->P,
- &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
- &ctx->ctx->QP,
- };
- int n;
-
- /* 30 82 - sequence
- * 09 29 <-- length(0x0929) less 4 bytes
- * 02 01 <- length (1)
- * 00
- * 02 82
- * 02 01 <- length (513) N
- * ...
- *
- * 02 03 <- length (3) E
- * 01 00 01
- *
- * 02 82
- * 02 00 <- length (512) D P Q EXP1 EXP2 COEFF
- *
- * */
-
- *p++ = 0x30;
- *p++ = 0x82;
- totlen = p;
- p += 2;
-
- *p++ = 0x02;
- *p++ = 0x01;
- *p++ = 0x00;
-
- for (n = 0; n < LWS_COUNT_RSA_ELEMENTS; n++) {
- int m = mbedtls_mpi_size(mpi[n]);
- uint8_t *elen;
-
- *p++ = 0x02;
- elen = p;
- if (m < 0x7f)
- *p++ = m;
- else {
- *p++ = 0x82;
- *p++ = m >> 8;
- *p++ = m & 0xff;
- }
-
- if (p + m > end)
- return -1;
-
- mbedtls_mpi_write_binary(mpi[n], p, m);
- if (p[0] & 0x80) {
- p[0] = 0x00;
- mbedtls_mpi_write_binary(mpi[n], &p[1], m);
- m++;
- }
- if (m < 0x7f)
- *elen = m;
- else {
- *elen++ = 0x82;
- *elen++ = m >> 8;
- *elen = m & 0xff;
- }
- p += m;
- }
-
- n = lws_ptr_diff(p, pkey_asn1);
-
- *totlen++ = (n - 4) >> 8;
- *totlen = (n - 4) & 0xff;
-
- return n;
-}
-
-LWS_VISIBLE void
-lws_genrsa_destroy(struct lws_genrsa_ctx *ctx)
-{
- if (!ctx->ctx)
- return;
- mbedtls_rsa_free(ctx->ctx);
- lws_free(ctx->ctx);
- ctx->ctx = NULL;
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-client.c b/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-client.c
deleted file mode 100644
index 84270c15bc..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-client.c
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * libwebsockets - mbedtls-specific client TLS code
- *
- * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-
-static int
-OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
- return 0;
-}
-
-int
-lws_ssl_client_bio_create(struct lws *wsi)
-{
- char hostname[128], *p;
- const char *alpn_comma = wsi->context->tls.alpn_default;
- struct alpn_ctx protos;
-
- if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
- _WSI_TOKEN_CLIENT_HOST) <= 0) {
- lwsl_err("%s: Unable to get hostname\n", __func__);
-
- return -1;
- }
-
- /*
- * remove any :port part on the hostname... necessary for network
- * connection but typical certificates do not contain it
- */
- p = hostname;
- while (*p) {
- if (*p == ':') {
- *p = '\0';
- break;
- }
- p++;
- }
-
- wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_client_ctx);
- if (!wsi->tls.ssl)
- return -1;
-
- if (wsi->vhost->tls.ssl_info_event_mask)
- SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
-
- if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
- X509_VERIFY_PARAM *param = SSL_get0_param(wsi->tls.ssl);
- /* Enable automatic hostname checks */
- // X509_VERIFY_PARAM_set_hostflags(param,
- // X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- X509_VERIFY_PARAM_set1_host(param, hostname, 0);
- }
-
- if (wsi->vhost->tls.alpn)
- alpn_comma = wsi->vhost->tls.alpn;
-
- if (lws_hdr_copy(wsi, hostname, sizeof(hostname),
- _WSI_TOKEN_CLIENT_ALPN) > 0)
- alpn_comma = hostname;
-
- lwsl_info("%s: %p: client conn sending ALPN list '%s'\n",
- __func__, wsi, alpn_comma);
-
- protos.len = lws_alpn_comma_to_openssl(alpn_comma, protos.data,
- sizeof(protos.data) - 1);
-
- /* with mbedtls, protos is not pointed to after exit from this call */
- SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
-
- /*
- * use server name indication (SNI), if supported,
- * when establishing connection
- */
- SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
- OpenSSL_client_verify_callback);
-
- SSL_set_fd(wsi->tls.ssl, wsi->desc.sockfd);
-
- return 0;
-}
-
-int ERR_get_error(void)
-{
- return 0;
-}
-
-enum lws_ssl_capable_status
-lws_tls_client_connect(struct lws *wsi)
-{
- int m, n = SSL_connect(wsi->tls.ssl);
- const unsigned char *prot;
- unsigned int len;
-
- if (n == 1) {
- SSL_get0_alpn_selected(wsi->tls.ssl, &prot, &len);
- lws_role_call_alpn_negotiated(wsi, (const char *)prot);
- lwsl_info("client connect OK\n");
- return LWS_SSL_CAPABLE_DONE;
- }
-
- m = SSL_get_error(wsi->tls.ssl, n);
-
- if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))
- return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
-
- if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl))
- return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
-
- if (!n) /* we don't know what he wants, but he says to retry */
- return LWS_SSL_CAPABLE_MORE_SERVICE;
-
- return LWS_SSL_CAPABLE_ERROR;
-}
-
-int
-lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
-{
- int n;
- X509 *peer = SSL_get_peer_certificate(wsi->tls.ssl);
- struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
- char *sb = (char *)&pt->serv_buf[0];
-
- if (!peer) {
- lwsl_info("peer did not provide cert\n");
-
- return -1;
- }
- lwsl_info("peer provided cert\n");
-
- n = SSL_get_verify_result(wsi->tls.ssl);
- lws_latency(wsi->context, wsi,
- "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
-
- lwsl_debug("get_verify says %d\n", n);
-
- if (n == X509_V_OK)
- return 0;
-
- if (n == X509_V_ERR_HOSTNAME_MISMATCH &&
- (wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
- lwsl_info("accepting certificate for invalid hostname\n");
- return 0;
- }
-
- if (n == X509_V_ERR_INVALID_CA &&
- (wsi->tls.use_ssl & LCCSCF_ALLOW_SELFSIGNED)) {
- lwsl_info("accepting certificate from untrusted CA\n");
- return 0;
- }
-
- if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
- n == X509_V_ERR_CERT_HAS_EXPIRED) &&
- (wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED)) {
- lwsl_info("accepting expired or not yet valid certificate\n");
-
- return 0;
- }
- lws_snprintf(ebuf, ebuf_len,
- "server's cert didn't look good, X509_V_ERR = %d: %s\n",
- n, ERR_error_string(n, sb));
- lwsl_info("%s\n", ebuf);
- lws_ssl_elaborate_error();
-
- return -1;
-}
-
-int
-lws_tls_client_create_vhost_context(struct lws_vhost *vh,
- const struct lws_context_creation_info *info,
- const char *cipher_list,
- const char *ca_filepath,
- const void *ca_mem,
- unsigned int ca_mem_len,
- const char *cert_filepath,
- const char *private_key_filepath)
-{
- X509 *d2i_X509(X509 **cert, const unsigned char *buffer, long len);
- SSL_METHOD *method = (SSL_METHOD *)TLS_client_method();
- unsigned long error;
- lws_filepos_t len;
- uint8_t *buf;
-
- if (!method) {
- error = ERR_get_error();
- lwsl_err("problem creating ssl method %lu: %s\n",
- error, ERR_error_string(error,
- (char *)vh->context->pt[0].serv_buf));
- return 1;
- }
- /* create context */
- vh->tls.ssl_client_ctx = SSL_CTX_new(method);
- if (!vh->tls.ssl_client_ctx) {
- error = ERR_get_error();
- lwsl_err("problem creating ssl context %lu: %s\n",
- error, ERR_error_string(error,
- (char *)vh->context->pt[0].serv_buf));
- return 1;
- }
-
- if (!ca_filepath && (!ca_mem || !ca_mem_len))
- return 0;
-
- if (ca_filepath) {
- if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
- lwsl_err("Load CA cert file %s failed\n", ca_filepath);
- return 1;
- }
- vh->tls.x509_client_CA = d2i_X509(NULL, buf, len);
- free(buf);
- } else {
- vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, ca_mem_len);
- }
-
- if (!vh->tls.x509_client_CA) {
- lwsl_err("client CA: x509 parse failed\n");
- return 1;
- }
-
- if (!vh->tls.ssl_ctx)
- SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
- else
- SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
-
- lwsl_notice("client loaded CA for verification %s\n", ca_filepath);
-
- return 0;
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-server.c b/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-server.c
deleted file mode 100644
index df6ddf2c61..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/mbedtls-server.c
+++ /dev/null
@@ -1,699 +0,0 @@
-/*
- * libwebsockets - mbedTLS-specific server functions
- *
- * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-#include <mbedtls/x509_csr.h>
-
-int
-lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
-{
- int verify_options = SSL_VERIFY_PEER;
-
- /* as a server, are we requiring clients to identify themselves? */
- if (!lws_check_opt(vh->options,
- LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
- lwsl_notice("no client cert required\n");
- return 0;
- }
-
- /*
- * The wrapper has this messed-up mapping:
- *
- * else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- * mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- *
- * ie the meaning is inverted. So where we should test for ! we don't
- */
- if (lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
- verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
- lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
- verify_options);
-
- SSL_CTX_set_verify(vh->tls.ssl_ctx, verify_options, NULL);
-
- return 0;
-}
-
-static int
-lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
- const unsigned char *servername, size_t len)
-{
- SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx);
- struct lws_context *context = (struct lws_context *)arg;
- struct lws_vhost *vhost, *vh;
-
- lwsl_notice("%s: %s\n", __func__, servername);
-
- /*
- * We can only get ssl accepted connections by using a vhost's ssl_ctx
- * find out which listening one took us and only match vhosts on the
- * same port.
- */
- vh = context->vhost_list;
- while (vh) {
- if (!vh->being_destroyed &&
- vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl))
- break;
- vh = vh->vhost_next;
- }
-
- if (!vh) {
- assert(vh); /* can't match the incoming vh? */
- return 0;
- }
-
- vhost = lws_select_vhost(context, vh->listen_port,
- (const char *)servername);
- if (!vhost) {
- lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);
-
- return 0;
- }
-
- lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername,
- vh->listen_port, vhost->name);
-
- /* select the ssl ctx from the selected vhost for this conn */
- SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);
-
- return 0;
-}
-
-int
-lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
- const char *cert, const char *private_key,
- const char *mem_cert, size_t len_mem_cert,
- const char *mem_privkey, size_t mem_privkey_len)
-{
- int n, f = 0;
- const char *filepath = private_key;
- uint8_t *mem = NULL, *p = NULL;
- size_t mem_len = 0;
- lws_filepos_t flen;
- long err;
-
- if ((!cert || !private_key) && (!mem_cert || !mem_privkey)) {
- lwsl_notice("%s: no usable input\n", __func__);
- return 0;
- }
-
- n = lws_tls_generic_cert_checks(vhost, cert, private_key);
-
- if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey))
- return 0;
-
- /*
- * we can't read the root-privs files. But if mem_cert is provided,
- * we should use that.
- */
- if (n == LWS_TLS_EXTANT_NO)
- n = LWS_TLS_EXTANT_ALTERNATIVE;
-
- if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey))
- return 1; /* no alternative */
-
- if (n == LWS_TLS_EXTANT_ALTERNATIVE) {
- /*
- * Although we have prepared update certs, we no longer have
- * the rights to read our own cert + key we saved.
- *
- * If we were passed copies in memory buffers, use those
- * instead.
- *
- * The passed memory-buffer cert image is in DER, and the
- * memory-buffer private key image is PEM.
- */
- /* mem cert is already DER */
- p = (uint8_t *)mem_cert;
- flen = len_mem_cert;
- /* mem private key is PEM, so go through the motions */
- mem = (uint8_t *)mem_privkey;
- mem_len = mem_privkey_len;
- filepath = NULL;
- } else {
- if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, NULL,
- 0, &p, &flen)) {
- lwsl_err("couldn't find cert file %s\n", cert);
-
- return 1;
- }
- f = 1;
- }
- err = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, flen, p);
- if (!err) {
- free(p);
- lwsl_err("Problem loading cert\n");
- return 1;
- }
-
- if (f)
- free(p);
- p = NULL;
-
- if (private_key || n == LWS_TLS_EXTANT_ALTERNATIVE) {
- if (lws_tls_alloc_pem_to_der_file(vhost->context, filepath,
- (char *)mem, mem_len, &p,
- &flen)) {
- lwsl_err("couldn't find private key file %s\n",
- private_key);
-
- return 1;
- }
- err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, p, flen);
- if (!err) {
- free(p);
- lwsl_err("Problem loading key\n");
-
- return 1;
- }
- }
-
- if (p && !mem_privkey) {
- free(p);
- p = NULL;
- }
-
- if (!private_key && !mem_privkey &&
- vhost->protocols[0].callback(wsi,
- LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
- vhost->tls.ssl_ctx, NULL, 0)) {
- lwsl_err("ssl private key not set\n");
-
- return 1;
- }
-
- vhost->tls.skipped_certs = 0;
-
- return 0;
-}
-
-int
-lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost, struct lws *wsi)
-{
- const SSL_METHOD *method = TLS_server_method();
- uint8_t *p;
- lws_filepos_t flen;
- int n;
-
- vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */
- if (!vhost->tls.ssl_ctx) {
- lwsl_err("problem creating ssl context\n");
- return 1;
- }
-
- if (!vhost->tls.use_ssl || !info->ssl_cert_filepath)
- return 0;
-
- if (info->ssl_ca_filepath) {
- lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__,
- vhost->name, info->ssl_ca_filepath);
- if (lws_tls_alloc_pem_to_der_file(vhost->context,
- info->ssl_ca_filepath, NULL, 0, &p, &flen)) {
- lwsl_err("couldn't find client CA file %s\n",
- info->ssl_ca_filepath);
-
- return 1;
- }
-
- if (SSL_CTX_add_client_CA_ASN1(vhost->tls.ssl_ctx, (int)flen, p) != 1) {
- lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n",
- __func__);
- free(p);
- return 1;
- }
- free(p);
- }
-
- n = lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
- info->ssl_private_key_filepath, NULL,
- 0, NULL, 0);
- if (n)
- return n;
-
- return 0;
-}
-
-int
-lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
-{
- errno = 0;
- wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx);
- if (wsi->tls.ssl == NULL) {
- lwsl_err("SSL_new failed: errno %d\n", errno);
-
- lws_ssl_elaborate_error();
- return 1;
- }
-
- SSL_set_fd(wsi->tls.ssl, accept_fd);
-
- if (wsi->vhost->tls.ssl_info_event_mask)
- SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
-
- SSL_set_sni_callback(wsi->tls.ssl, lws_mbedtls_sni_cb, wsi->context);
-
- return 0;
-}
-
-int
-lws_tls_server_abort_connection(struct lws *wsi)
-{
- __lws_tls_shutdown(wsi);
- SSL_free(wsi->tls.ssl);
-
- return 0;
-}
-
-enum lws_ssl_capable_status
-lws_tls_server_accept(struct lws *wsi)
-{
- union lws_tls_cert_info_results ir;
- int m, n;
-
- n = SSL_accept(wsi->tls.ssl);
- if (n == 1) {
-
- if (strstr(wsi->vhost->name, ".invalid")) {
- lwsl_notice("%s: vhost has .invalid, "
- "rejecting accept\n", __func__);
-
- return LWS_SSL_CAPABLE_ERROR;
- }
-
- n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME,
- &ir, sizeof(ir.ns.name));
- if (!n)
- lwsl_notice("%s: client cert CN '%s'\n",
- __func__, ir.ns.name);
- else
- lwsl_info("%s: couldn't get client cert CN\n",
- __func__);
- return LWS_SSL_CAPABLE_DONE;
- }
-
- m = SSL_get_error(wsi->tls.ssl, n);
- lwsl_debug("%s: %p: accept SSL_get_error %d errno %d\n", __func__,
- wsi, m, errno);
-
- // mbedtls wrapper only
- if (m == SSL_ERROR_SYSCALL && errno == 11)
- return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
-
- if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
- return LWS_SSL_CAPABLE_ERROR;
-
- if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
- if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
- lwsl_info("%s: WANT_READ change_pollfd failed\n",
- __func__);
- return LWS_SSL_CAPABLE_ERROR;
- }
-
- lwsl_info("SSL_ERROR_WANT_READ\n");
- return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
- }
- if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
- lwsl_debug("%s: WANT_WRITE\n", __func__);
-
- if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) {
- lwsl_info("%s: WANT_WRITE change_pollfd failed\n",
- __func__);
- return LWS_SSL_CAPABLE_ERROR;
- }
- return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
- }
-
- return LWS_SSL_CAPABLE_ERROR;
-}
-
-#if defined(LWS_WITH_ACME)
-/*
- * mbedtls doesn't support SAN for cert creation. So we use a known-good
- * tls-sni-01 cert from OpenSSL that worked on Let's Encrypt, and just replace
- * the pubkey n part and the signature part.
- *
- * This will need redoing for tls-sni-02...
- */
-
-static uint8_t ss_cert_leadin[] = {
- 0x30, 0x82,
- 0x05, 0x56, /* total length: LEN1 (+2 / +3) (correct for 513 + 512)*/
-
- 0x30, 0x82, /* length: LEN2 (+6 / +7) (correct for 513) */
- 0x03, 0x3e,
-
- /* addition: v3 cert (+5 bytes)*/
- 0xa0, 0x03,
- 0x02, 0x01, 0x02,
-
- 0x02, 0x01, 0x01,
- 0x30, 0x0d, 0x06, 0x09, 0x2a,
- 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3f,
- 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47,
- 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b,
- 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31,
- 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x74, 0x65,
- 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61,
- 0x6c, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d,
-
- /* from 2017-10-29 ... */
- 0x31, 0x37, 0x31, 0x30, 0x32, 0x39, 0x31, 0x31, 0x34, 0x39, 0x34, 0x35,
- 0x5a, 0x17, 0x0d,
-
- /* thru 2049-10-29 we immediately discard the private key, no worries */
- 0x34, 0x39, 0x31, 0x30, 0x32, 0x39, 0x31, 0x32, 0x34, 0x39, 0x34, 0x35,
- 0x5a,
-
- 0x30, 0x3f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
- 0x02, 0x47, 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a,
- 0x0c, 0x0b, 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e,
- 0x79, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11,
- 0x74, 0x65, 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e,
- 0x76, 0x61, 0x6c, 0x69, 0x64, 0x30,
-
- 0x82,
- 0x02, 0x22, /* LEN3 (+C3 / C4) */
- 0x30, 0x0d, 0x06,
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
- 0x03,
-
- 0x82,
- 0x02, 0x0f, /* LEN4 (+D6 / D7) */
-
- 0x00, 0x30, 0x82,
-
- 0x02, 0x0a, /* LEN5 (+ DB / DC) */
-
- 0x02, 0x82,
-
- //0x02, 0x01, /* length of n in bytes (including leading 00 if any) */
- },
-
- /* 1 + (keybits / 8) bytes N */
-
- ss_cert_san_leadin[] = {
- /* e - fixed */
- 0x02, 0x03, 0x01, 0x00, 0x01,
-
- 0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x59, 0x06, 0x03, 0x55, 0x1d,
- 0x11, 0x04, 0x52, 0x30, 0x50, /* <-- SAN length + 2 */
-
- 0x82, 0x4e, /* <-- SAN length */
- },
-
- /* 78 bytes of SAN (tls-sni-01)
- 0x61, 0x64, 0x34, 0x31, 0x61, 0x66, 0x62, 0x65, 0x30, 0x63, 0x61, 0x34,
- 0x36, 0x34, 0x32, 0x66, 0x30, 0x61, 0x34, 0x34, 0x39, 0x64, 0x39, 0x63,
- 0x61, 0x37, 0x36, 0x65, 0x62, 0x61, 0x61, 0x62, 0x2e, 0x32, 0x38, 0x39,
- 0x34, 0x64, 0x34, 0x31, 0x36, 0x63, 0x39, 0x38, 0x33, 0x66, 0x31, 0x32,
- 0x65, 0x64, 0x37, 0x33, 0x31, 0x61, 0x33, 0x30, 0x66, 0x35, 0x63, 0x34,
- 0x34, 0x37, 0x37, 0x66, 0x65, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69,
- 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, */
-
- /* end of LEN2 area */
-
- ss_cert_sig_leadin[] = {
- /* it's saying that the signature is SHA256 + RSA */
- 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
- 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
-
- 0x82,
- 0x02, 0x01,
- 0x00,
- };
-
- /* (keybits / 8) bytes signature to end of LEN1 area */
-
-#define SAN_A_LENGTH 78
-
-LWS_VISIBLE int
-lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
- const char *san_b)
-{
- int buflen = 0x560;
- uint8_t *buf = lws_malloc(buflen, "tmp cert buf"), *p = buf, *pkey_asn1;
- struct lws_genrsa_ctx ctx;
- struct lws_genrsa_elements el;
- uint8_t digest[32];
- struct lws_genhash_ctx hash_ctx;
- int pkey_asn1_len = 3 * 1024;
- int n, m, keybits = lws_plat_recommended_rsa_bits(), adj;
-
- if (!buf)
- return 1;
-
- n = lws_genrsa_new_keypair(vhost->context, &ctx, &el, keybits);
- if (n < 0) {
- lws_jwk_destroy_genrsa_elements(&el);
- goto bail1;
- }
-
- n = sizeof(ss_cert_leadin);
- memcpy(p, ss_cert_leadin, n);
- p += n;
-
- adj = (0x0556 - 0x401) + (keybits / 4) + 1;
- buf[2] = adj >> 8;
- buf[3] = adj & 0xff;
-
- adj = (0x033e - 0x201) + (keybits / 8) + 1;
- buf[6] = adj >> 8;
- buf[7] = adj & 0xff;
-
- adj = (0x0222 - 0x201) + (keybits / 8) + 1;
- buf[0xc3] = adj >> 8;
- buf[0xc4] = adj & 0xff;
-
- adj = (0x020f - 0x201) + (keybits / 8) + 1;
- buf[0xd6] = adj >> 8;
- buf[0xd7] = adj & 0xff;
-
- adj = (0x020a - 0x201) + (keybits / 8) + 1;
- buf[0xdb] = adj >> 8;
- buf[0xdc] = adj & 0xff;
-
- *p++ = ((keybits / 8) + 1) >> 8;
- *p++ = ((keybits / 8) + 1) & 0xff;
-
- /* we need to drop 1 + (keybits / 8) bytes of n in here, 00 + key */
-
- *p++ = 0x00;
- memcpy(p, el.e[JWK_KEY_N].buf, el.e[JWK_KEY_N].len);
- p += el.e[JWK_KEY_N].len;
-
- memcpy(p, ss_cert_san_leadin, sizeof(ss_cert_san_leadin));
- p += sizeof(ss_cert_san_leadin);
-
- /* drop in 78 bytes of san_a */
-
- memcpy(p, san_a, SAN_A_LENGTH);
- p += SAN_A_LENGTH;
- memcpy(p, ss_cert_sig_leadin, sizeof(ss_cert_sig_leadin));
-
- p[17] = ((keybits / 8) + 1) >> 8;
- p[18] = ((keybits / 8) + 1) & 0xff;
-
- p += sizeof(ss_cert_sig_leadin);
-
- /* hash the cert plaintext */
-
- if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256))
- goto bail2;
-
- if (lws_genhash_update(&hash_ctx, buf, lws_ptr_diff(p, buf))) {
- lws_genhash_destroy(&hash_ctx, NULL);
-
- goto bail2;
- }
- if (lws_genhash_destroy(&hash_ctx, digest))
- goto bail2;
-
- /* sign the hash */
-
- n = lws_genrsa_public_sign(&ctx, digest, LWS_GENHASH_TYPE_SHA256, p,
- buflen - lws_ptr_diff(p, buf));
- if (n < 0)
- goto bail2;
- p += n;
-
- pkey_asn1 = lws_malloc(pkey_asn1_len, "mbed crt tmp");
- if (!pkey_asn1)
- goto bail2;
-
- m = lws_genrsa_render_pkey_asn1(&ctx, 1, pkey_asn1, pkey_asn1_len);
- if (m < 0) {
- lws_free(pkey_asn1);
- goto bail2;
- }
-
-// lwsl_hexdump_level(LLL_DEBUG, buf, lws_ptr_diff(p, buf));
- n = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx,
- lws_ptr_diff(p, buf), buf);
- if (n != 1) {
- lws_free(pkey_asn1);
- lwsl_err("%s: generated cert failed to load 0x%x\n",
- __func__, -n);
- } else {
- //lwsl_debug("private key\n");
- //lwsl_hexdump_level(LLL_DEBUG, pkey_asn1, n);
-
- /* and to use our generated private key */
- n = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx,
- pkey_asn1, m);
- lws_free(pkey_asn1);
- if (n != 1) {
- lwsl_err("%s: SSL_CTX_use_PrivateKey_ASN1 failed\n",
- __func__);
- }
- }
-
- lws_genrsa_destroy(&ctx);
- lws_jwk_destroy_genrsa_elements(&el);
-
- lws_free(buf);
-
- return n != 1;
-
-bail2:
- lws_genrsa_destroy(&ctx);
- lws_jwk_destroy_genrsa_elements(&el);
-bail1:
- lws_free(buf);
-
- return -1;
-}
-
-void
-lws_tls_acme_sni_cert_destroy(struct lws_vhost *vhost)
-{
-}
-
-#if defined(LWS_WITH_JWS)
-static int
-_rngf(void *context, unsigned char *buf, size_t len)
-{
- if ((size_t)lws_get_random(context, buf, len) == len)
- return 0;
-
- return -1;
-}
-
-static const char *x5[] = { "C", "ST", "L", "O", "CN" };
-
-/*
- * CSR is output formatted as b64url(DER)
- * Private key is output as a PEM in memory
- */
-LWS_VISIBLE LWS_EXTERN int
-lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[],
- uint8_t *dcsr, size_t csr_len, char **privkey_pem,
- size_t *privkey_len)
-{
- mbedtls_x509write_csr csr;
- mbedtls_pk_context mpk;
- int buf_size = 4096, n;
- char subject[200], *p = subject, *end = p + sizeof(subject) - 1;
- uint8_t *buf = malloc(buf_size); /* malloc because given to user code */
-
- if (!buf)
- return -1;
-
- mbedtls_x509write_csr_init(&csr);
-
- mbedtls_pk_init(&mpk);
- if (mbedtls_pk_setup(&mpk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))) {
- lwsl_notice("%s: pk_setup failed\n", __func__);
- goto fail;
- }
-
- n = mbedtls_rsa_gen_key(mbedtls_pk_rsa(mpk), _rngf, context,
- lws_plat_recommended_rsa_bits(), 65537);
- if (n) {
- lwsl_notice("%s: failed to generate keys\n", __func__);
-
- goto fail1;
- }
-
- /* subject must be formatted like "C=TW,O=warmcat,CN=myserver" */
-
- for (n = 0; n < (int)LWS_ARRAY_SIZE(x5); n++) {
- if (p != subject)
- *p++ = ',';
- if (elements[n])
- p += lws_snprintf(p, end - p, "%s=%s", x5[n],
- elements[n]);
- }
-
- if (mbedtls_x509write_csr_set_subject_name(&csr, subject))
- goto fail1;
-
- mbedtls_x509write_csr_set_key(&csr, &mpk);
- mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);
-
- /*
- * data is written at the end of the buffer! Use the
- * return value to determine where you should start
- * using the buffer
- */
- n = mbedtls_x509write_csr_der(&csr, buf, buf_size, _rngf, context);
- if (n < 0) {
- lwsl_notice("%s: write csr der failed\n", __func__);
- goto fail1;
- }
-
- /* we have it in DER, we need it in b64URL */
-
- n = lws_jws_base64_enc((char *)(buf + buf_size) - n, n,
- (char *)dcsr, csr_len);
- if (n < 0)
- goto fail1;
-
- /*
- * okay, the CSR is done, last we need the private key in PEM
- * re-use the DER CSR buf as the result buffer since we cn do it in
- * one step
- */
-
- if (mbedtls_pk_write_key_pem(&mpk, buf, buf_size)) {
- lwsl_notice("write key pem failed\n");
- goto fail1;
- }
-
- *privkey_pem = (char *)buf;
- *privkey_len = strlen((const char *)buf);
-
- mbedtls_pk_free(&mpk);
- mbedtls_x509write_csr_free(&csr);
-
- return n;
-
-fail1:
- mbedtls_pk_free(&mpk);
-fail:
- mbedtls_x509write_csr_free(&csr);
- free(buf);
-
- return -1;
-}
-#endif
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/ssl.c b/thirdparty/libwebsockets/lib/tls/mbedtls/ssl.c
deleted file mode 100644
index b81f88862b..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/ssl.c
+++ /dev/null
@@ -1,509 +0,0 @@
-/*
- * libwebsockets - mbedTLS-specific lws apis
- *
- * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-#include <mbedtls/oid.h>
-
-void
-lws_ssl_elaborate_error(void)
-{
-}
-
-int
-lws_context_init_ssl_library(const struct lws_context_creation_info *info)
-{
- lwsl_info(" Compiled with MbedTLS support\n");
-
- if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
- lwsl_info(" SSL disabled: no "
- "LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT\n");
-
- return 0;
-}
-
-LWS_VISIBLE void
-lws_ssl_destroy(struct lws_vhost *vhost)
-{
- if (!lws_check_opt(vhost->context->options,
- LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
- return;
-
- if (vhost->tls.ssl_ctx)
- SSL_CTX_free(vhost->tls.ssl_ctx);
- if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
- SSL_CTX_free(vhost->tls.ssl_client_ctx);
-
- if (vhost->tls.x509_client_CA)
- X509_free(vhost->tls.x509_client_CA);
-}
-
-LWS_VISIBLE int
-lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
-{
- struct lws_context *context = wsi->context;
- struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
- int n = 0, m;
-
- if (!wsi->tls.ssl)
- return lws_ssl_capable_read_no_ssl(wsi, buf, len);
-
- lws_stats_atomic_bump(context, pt, LWSSTATS_C_API_READ, 1);
-
- errno = 0;
- n = SSL_read(wsi->tls.ssl, buf, len);
-#if defined(LWS_WITH_ESP32)
- if (!n && errno == LWS_ENOTCONN) {
- lwsl_debug("%p: SSL_read ENOTCONN\n", wsi);
- return LWS_SSL_CAPABLE_ERROR;
- }
-#endif
-#if defined(LWS_WITH_STATS)
- if (!wsi->seen_rx && wsi->accept_start_us) {
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_MS_SSL_RX_DELAY,
- lws_time_in_microseconds() -
- wsi->accept_start_us);
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_C_SSL_CONNS_HAD_RX, 1);
- wsi->seen_rx = 1;
- }
-#endif
-
-
- lwsl_debug("%p: SSL_read says %d\n", wsi, n);
- /* manpage: returning 0 means connection shut down */
- if (!n) {
- wsi->socket_is_permanently_unusable = 1;
-
- return LWS_SSL_CAPABLE_ERROR;
- }
-
- if (n < 0) {
- m = SSL_get_error(wsi->tls.ssl, n);
- lwsl_debug("%p: ssl err %d errno %d\n", wsi, m, errno);
- if (m == SSL_ERROR_ZERO_RETURN ||
- m == SSL_ERROR_SYSCALL)
- return LWS_SSL_CAPABLE_ERROR;
-
- if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
- lwsl_debug("%s: WANT_READ\n", __func__);
- lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
- return LWS_SSL_CAPABLE_MORE_SERVICE;
- }
- if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
- lwsl_debug("%s: WANT_WRITE\n", __func__);
- lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
- return LWS_SSL_CAPABLE_MORE_SERVICE;
- }
- wsi->socket_is_permanently_unusable = 1;
-
- return LWS_SSL_CAPABLE_ERROR;
- }
-
- lws_stats_atomic_bump(context, pt, LWSSTATS_B_READ, n);
-
- if (wsi->vhost)
- wsi->vhost->conn_stats.rx += n;
-
- /*
- * if it was our buffer that limited what we read,
- * check if SSL has additional data pending inside SSL buffers.
- *
- * Because these won't signal at the network layer with POLLIN
- * and if we don't realize, this data will sit there forever
- */
- if (n != len)
- goto bail;
- if (!wsi->tls.ssl)
- goto bail;
-
- if (SSL_pending(wsi->tls.ssl) &&
- lws_dll_is_null(&wsi->tls.pending_tls_list)) {
-
- lws_dll_lws_add_front(&wsi->tls.pending_tls_list,
- &pt->tls.pending_tls_head);
- }
-
- return n;
-bail:
- lws_ssl_remove_wsi_from_buffered_list(wsi);
-
- return n;
-}
-
-LWS_VISIBLE int
-lws_ssl_pending(struct lws *wsi)
-{
- if (!wsi->tls.ssl)
- return 0;
-
- return SSL_pending(wsi->tls.ssl);
-}
-
-LWS_VISIBLE int
-lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
-{
- int n, m;
-
- if (!wsi->tls.ssl)
- return lws_ssl_capable_write_no_ssl(wsi, buf, len);
-
- n = SSL_write(wsi->tls.ssl, buf, len);
- if (n > 0)
- return n;
-
- m = SSL_get_error(wsi->tls.ssl, n);
- if (m != SSL_ERROR_SYSCALL) {
- if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
- lwsl_notice("%s: want read\n", __func__);
-
- return LWS_SSL_CAPABLE_MORE_SERVICE;
- }
-
- if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
- lws_set_blocking_send(wsi);
- lwsl_debug("%s: want write\n", __func__);
-
- return LWS_SSL_CAPABLE_MORE_SERVICE;
- }
- }
-
- lwsl_debug("%s failed: %d\n",__func__, m);
- wsi->socket_is_permanently_unusable = 1;
-
- return LWS_SSL_CAPABLE_ERROR;
-}
-
-int openssl_SSL_CTX_private_data_index;
-
-void
-lws_ssl_info_callback(const SSL *ssl, int where, int ret)
-{
- struct lws *wsi;
- struct lws_context *context;
- struct lws_ssl_info si;
-
- context = (struct lws_context *)SSL_CTX_get_ex_data(
- SSL_get_SSL_CTX(ssl),
- openssl_SSL_CTX_private_data_index);
- if (!context)
- return;
- wsi = wsi_from_fd(context, SSL_get_fd(ssl));
- if (!wsi)
- return;
-
- if (!(where & wsi->vhost->tls.ssl_info_event_mask))
- return;
-
- si.where = where;
- si.ret = ret;
-
- if (user_callback_handle_rxflow(wsi->protocol->callback,
- wsi, LWS_CALLBACK_SSL_INFO,
- wsi->user_space, &si, 0))
- lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
-}
-
-
-LWS_VISIBLE int
-lws_ssl_close(struct lws *wsi)
-{
- lws_sockfd_type n;
-
- if (!wsi->tls.ssl)
- return 0; /* not handled */
-
-#if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
- /* kill ssl callbacks, becausse we will remove the fd from the
- * table linking it to the wsi
- */
- if (wsi->vhost->tls.ssl_info_event_mask)
- SSL_set_info_callback(wsi->tls.ssl, NULL);
-#endif
-
- n = SSL_get_fd(wsi->tls.ssl);
- if (!wsi->socket_is_permanently_unusable)
- SSL_shutdown(wsi->tls.ssl);
- compatible_close(n);
- SSL_free(wsi->tls.ssl);
- wsi->tls.ssl = NULL;
-
- if (!lwsi_role_client(wsi) &&
- wsi->context->simultaneous_ssl_restriction &&
- wsi->context->simultaneous_ssl-- ==
- wsi->context->simultaneous_ssl_restriction)
- /* we made space and can do an accept */
- lws_gate_accepts(wsi->context, 1);
-
-#if defined(LWS_WITH_STATS)
- wsi->context->updated = 1;
-#endif
-
- return 1; /* handled */
-}
-
-void
-lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
-{
- if (vhost->tls.ssl_ctx)
- SSL_CTX_free(vhost->tls.ssl_ctx);
-
- if (!vhost->tls.user_supplied_ssl_ctx && vhost->tls.ssl_client_ctx)
- SSL_CTX_free(vhost->tls.ssl_client_ctx);
-#if defined(LWS_WITH_ACME)
- lws_tls_acme_sni_cert_destroy(vhost);
-#endif
-}
-
-void
-lws_ssl_context_destroy(struct lws_context *context)
-{
-}
-
-lws_tls_ctx *
-lws_tls_ctx_from_wsi(struct lws *wsi)
-{
- if (!wsi->tls.ssl)
- return NULL;
-
- return SSL_get_SSL_CTX(wsi->tls.ssl);
-}
-
-enum lws_ssl_capable_status
-__lws_tls_shutdown(struct lws *wsi)
-{
- int n = SSL_shutdown(wsi->tls.ssl);
-
- lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
-
- switch (n) {
- case 1: /* successful completion */
- n = shutdown(wsi->desc.sockfd, SHUT_WR);
- return LWS_SSL_CAPABLE_DONE;
-
- case 0: /* needs a retry */
- __lws_change_pollfd(wsi, 0, LWS_POLLIN);
- return LWS_SSL_CAPABLE_MORE_SERVICE;
-
- default: /* fatal error, or WANT */
- n = SSL_get_error(wsi->tls.ssl, n);
- if (n != SSL_ERROR_SYSCALL && n != SSL_ERROR_SSL) {
- if (SSL_want_read(wsi->tls.ssl)) {
- lwsl_debug("(wants read)\n");
- __lws_change_pollfd(wsi, 0, LWS_POLLIN);
- return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
- }
- if (SSL_want_write(wsi->tls.ssl)) {
- lwsl_debug("(wants write)\n");
- __lws_change_pollfd(wsi, 0, LWS_POLLOUT);
- return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
- }
- }
- return LWS_SSL_CAPABLE_ERROR;
- }
-}
-
-static time_t
-lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime)
-{
- struct tm t;
-
- if (!xtime || !xtime->year || xtime->year < 0)
- return (time_t)(long long)-1;
-
- memset(&t, 0, sizeof(t));
-
- t.tm_year = xtime->year - 1900;
- t.tm_mon = xtime->mon - 1; /* mbedtls months are 1+, tm are 0+ */
- t.tm_mday = xtime->day - 1; /* mbedtls days are 1+, tm are 0+ */
- t.tm_hour = xtime->hour;
- t.tm_min = xtime->min;
- t.tm_sec = xtime->sec;
- t.tm_isdst = -1;
-
- return mktime(&t);
-}
-
-static int
-lws_tls_mbedtls_get_x509_name(mbedtls_x509_name *name,
- union lws_tls_cert_info_results *buf, size_t len)
-{
- while (name) {
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid)) {
- name = name->next;
- continue;
- }
-
- if (len - 1 < name->val.len)
- return -1;
-
- memcpy(&buf->ns.name[0], name->val.p, name->val.len);
- buf->ns.name[name->val.len] = '\0';
- buf->ns.len = name->val.len;
-
- return 0;
- }
-
- return -1;
-}
-
-static int
-lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type,
- union lws_tls_cert_info_results *buf, size_t len)
-{
- if (!x509)
- return -1;
-
- switch (type) {
- case LWS_TLS_CERT_INFO_VALIDITY_FROM:
- buf->time = lws_tls_mbedtls_time_to_unix(&x509->valid_from);
- if (buf->time == (time_t)(long long)-1)
- return -1;
- break;
-
- case LWS_TLS_CERT_INFO_VALIDITY_TO:
- buf->time = lws_tls_mbedtls_time_to_unix(&x509->valid_to);
- if (buf->time == (time_t)(long long)-1)
- return -1;
- break;
-
- case LWS_TLS_CERT_INFO_COMMON_NAME:
- return lws_tls_mbedtls_get_x509_name(&x509->subject, buf, len);
-
- case LWS_TLS_CERT_INFO_ISSUER_NAME:
- return lws_tls_mbedtls_get_x509_name(&x509->issuer, buf, len);
-
- case LWS_TLS_CERT_INFO_USAGE:
- buf->usage = x509->key_usage;
- break;
-
- case LWS_TLS_CERT_INFO_OPAQUE_PUBLIC_KEY:
- {
- char *p = buf->ns.name;
- size_t r = len, u;
-
- switch (mbedtls_pk_get_type(&x509->pk)) {
- case MBEDTLS_PK_RSA:
- {
- mbedtls_rsa_context *rsa = mbedtls_pk_rsa(x509->pk);
-
- if (mbedtls_mpi_write_string(&rsa->N, 16, p, r, &u))
- return -1;
- r -= u;
- p += u;
- if (mbedtls_mpi_write_string(&rsa->E, 16, p, r, &u))
- return -1;
-
- p += u;
- buf->ns.len = lws_ptr_diff(p, buf->ns.name);
- break;
- }
- case MBEDTLS_PK_ECKEY:
- {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(x509->pk);
-
- if (mbedtls_mpi_write_string(&ecp->Q.X, 16, p, r, &u))
- return -1;
- r -= u;
- p += u;
- if (mbedtls_mpi_write_string(&ecp->Q.Y, 16, p, r, &u))
- return -1;
- r -= u;
- p += u;
- if (mbedtls_mpi_write_string(&ecp->Q.Z, 16, p, r, &u))
- return -1;
- p += u;
- buf->ns.len = lws_ptr_diff(p, buf->ns.name);
- break;
- }
- default:
- lwsl_notice("%s: x509 has unsupported pubkey type %d\n",
- __func__,
- mbedtls_pk_get_type(&x509->pk));
-
- return -1;
- }
- break;
- }
-
- default:
- return -1;
- }
-
- return 0;
-}
-
-LWS_VISIBLE LWS_EXTERN int
-lws_tls_vhost_cert_info(struct lws_vhost *vhost, enum lws_tls_cert_info type,
- union lws_tls_cert_info_results *buf, size_t len)
-{
- mbedtls_x509_crt *x509 = ssl_ctx_get_mbedtls_x509_crt(vhost->tls.ssl_ctx);
-
- return lws_tls_mbedtls_cert_info(x509, type, buf, len);
-}
-
-LWS_VISIBLE int
-lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
- union lws_tls_cert_info_results *buf, size_t len)
-{
- mbedtls_x509_crt *x509;
-
- wsi = lws_get_network_wsi(wsi);
-
- x509 = ssl_get_peer_mbedtls_x509_crt(wsi->tls.ssl);
-
- if (!x509)
- return -1;
-
- switch (type) {
- case LWS_TLS_CERT_INFO_VERIFIED:
- buf->verified = SSL_get_verify_result(wsi->tls.ssl) == X509_V_OK;
- return 0;
- default:
- return lws_tls_mbedtls_cert_info(x509, type, buf, len);
- }
-
- return -1;
-}
-
-static int
-tops_fake_POLLIN_for_buffered_mbedtls(struct lws_context_per_thread *pt)
-{
- return lws_tls_fake_POLLIN_for_buffered(pt);
-}
-
-static int
-tops_periodic_housekeeping_mbedtls(struct lws_context *context, time_t now)
-{
- int n;
-
- n = lws_compare_time_t(context, now, context->tls.last_cert_check_s);
- if ((!context->tls.last_cert_check_s || n > (24 * 60 * 60)) &&
- !lws_tls_check_all_cert_lifetimes(context))
- context->tls.last_cert_check_s = now;
-
- return 0;
-}
-
-const struct lws_tls_ops tls_ops_mbedtls = {
- /* fake_POLLIN_for_buffered */ tops_fake_POLLIN_for_buffered_mbedtls,
- /* periodic_housekeeping */ tops_periodic_housekeeping_mbedtls,
-};
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl3.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl3.h
deleted file mode 100644
index 007b392f3e..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl3.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL3_H_
-#define _SSL3_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-# define SSL3_AD_CLOSE_NOTIFY 0
-# define SSL3_AD_UNEXPECTED_MESSAGE 10/* fatal */
-# define SSL3_AD_BAD_RECORD_MAC 20/* fatal */
-# define SSL3_AD_DECOMPRESSION_FAILURE 30/* fatal */
-# define SSL3_AD_HANDSHAKE_FAILURE 40/* fatal */
-# define SSL3_AD_NO_CERTIFICATE 41
-# define SSL3_AD_BAD_CERTIFICATE 42
-# define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
-# define SSL3_AD_CERTIFICATE_REVOKED 44
-# define SSL3_AD_CERTIFICATE_EXPIRED 45
-# define SSL3_AD_CERTIFICATE_UNKNOWN 46
-# define SSL3_AD_ILLEGAL_PARAMETER 47/* fatal */
-
-# define SSL3_AL_WARNING 1
-# define SSL3_AL_FATAL 2
-
-#define SSL3_VERSION 0x0300
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h
deleted file mode 100644
index 86cf31ad51..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_CERT_H_
-#define _SSL_CERT_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl_types.h"
-
-/**
- * @brief create a certification object include private key object according to input certification
- *
- * @param ic - input certification point
- *
- * @return certification object point
- */
-CERT *__ssl_cert_new(CERT *ic);
-
-/**
- * @brief create a certification object include private key object
- *
- * @param none
- *
- * @return certification object point
- */
-CERT* ssl_cert_new(void);
-
-/**
- * @brief free a certification object
- *
- * @param cert - certification object point
- *
- * @return none
- */
-void ssl_cert_free(CERT *cert);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_code.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_code.h
deleted file mode 100644
index 80fdbb20f3..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_code.h
+++ /dev/null
@@ -1,124 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_CODE_H_
-#define _SSL_CODE_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl3.h"
-#include "tls1.h"
-#include "x509_vfy.h"
-
-/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
-# define SSL_SENT_SHUTDOWN 1
-# define SSL_RECEIVED_SHUTDOWN 2
-
-# define SSL_VERIFY_NONE 0x00
-# define SSL_VERIFY_PEER 0x01
-# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-# define SSL_VERIFY_CLIENT_ONCE 0x04
-
-/*
- * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
- * should not need these
- */
-# define SSL_ST_READ_HEADER 0xF0
-# define SSL_ST_READ_BODY 0xF1
-# define SSL_ST_READ_DONE 0xF2
-
-# define SSL_NOTHING 1
-# define SSL_WRITING 2
-# define SSL_READING 3
-# define SSL_X509_LOOKUP 4
-# define SSL_ASYNC_PAUSED 5
-# define SSL_ASYNC_NO_JOBS 6
-
-
-# define SSL_ERROR_NONE 0
-# define SSL_ERROR_SSL 1
-# define SSL_ERROR_WANT_READ 2
-# define SSL_ERROR_WANT_WRITE 3
-# define SSL_ERROR_WANT_X509_LOOKUP 4
-# define SSL_ERROR_SYSCALL 5/* look at error stack/return value/errno */
-# define SSL_ERROR_ZERO_RETURN 6
-# define SSL_ERROR_WANT_CONNECT 7
-# define SSL_ERROR_WANT_ACCEPT 8
-# define SSL_ERROR_WANT_ASYNC 9
-# define SSL_ERROR_WANT_ASYNC_JOB 10
-
-/* Message flow states */
-typedef enum {
- /* No handshake in progress */
- MSG_FLOW_UNINITED,
- /* A permanent error with this connection */
- MSG_FLOW_ERROR,
- /* We are about to renegotiate */
- MSG_FLOW_RENEGOTIATE,
- /* We are reading messages */
- MSG_FLOW_READING,
- /* We are writing messages */
- MSG_FLOW_WRITING,
- /* Handshake has finished */
- MSG_FLOW_FINISHED
-} MSG_FLOW_STATE;
-
-/* SSL subsystem states */
-typedef enum {
- TLS_ST_BEFORE,
- TLS_ST_OK,
- DTLS_ST_CR_HELLO_VERIFY_REQUEST,
- TLS_ST_CR_SRVR_HELLO,
- TLS_ST_CR_CERT,
- TLS_ST_CR_CERT_STATUS,
- TLS_ST_CR_KEY_EXCH,
- TLS_ST_CR_CERT_REQ,
- TLS_ST_CR_SRVR_DONE,
- TLS_ST_CR_SESSION_TICKET,
- TLS_ST_CR_CHANGE,
- TLS_ST_CR_FINISHED,
- TLS_ST_CW_CLNT_HELLO,
- TLS_ST_CW_CERT,
- TLS_ST_CW_KEY_EXCH,
- TLS_ST_CW_CERT_VRFY,
- TLS_ST_CW_CHANGE,
- TLS_ST_CW_NEXT_PROTO,
- TLS_ST_CW_FINISHED,
- TLS_ST_SW_HELLO_REQ,
- TLS_ST_SR_CLNT_HELLO,
- DTLS_ST_SW_HELLO_VERIFY_REQUEST,
- TLS_ST_SW_SRVR_HELLO,
- TLS_ST_SW_CERT,
- TLS_ST_SW_KEY_EXCH,
- TLS_ST_SW_CERT_REQ,
- TLS_ST_SW_SRVR_DONE,
- TLS_ST_SR_CERT,
- TLS_ST_SR_KEY_EXCH,
- TLS_ST_SR_CERT_VRFY,
- TLS_ST_SR_NEXT_PROTO,
- TLS_ST_SR_CHANGE,
- TLS_ST_SR_FINISHED,
- TLS_ST_SW_SESSION_TICKET,
- TLS_ST_SW_CERT_STATUS,
- TLS_ST_SW_CHANGE,
- TLS_ST_SW_FINISHED
-} OSSL_HANDSHAKE_STATE;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_dbg.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_dbg.h
deleted file mode 100644
index ad32cb92ff..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_dbg.h
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_DEBUG_H_
-#define _SSL_DEBUG_H_
-
-#include "platform/ssl_port.h"
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#ifdef CONFIG_OPENSSL_DEBUG_LEVEL
- #define SSL_DEBUG_LEVEL CONFIG_OPENSSL_DEBUG_LEVEL
-#else
- #define SSL_DEBUG_LEVEL 0
-#endif
-
-#define SSL_DEBUG_ON (SSL_DEBUG_LEVEL + 1)
-#define SSL_DEBUG_OFF (SSL_DEBUG_LEVEL - 1)
-
-#ifdef CONFIG_OPENSSL_DEBUG
- #ifndef SSL_DEBUG_LOG
- #error "SSL_DEBUG_LOG is not defined"
- #endif
-
- #ifndef SSL_DEBUG_FL
- #define SSL_DEBUG_FL "\n"
- #endif
-
- #define SSL_SHOW_LOCATION() \
- SSL_DEBUG_LOG("SSL assert : %s %d\n", \
- __FILE__, __LINE__)
-
- #define SSL_DEBUG(level, fmt, ...) \
- { \
- if (level > SSL_DEBUG_LEVEL) { \
- SSL_DEBUG_LOG(fmt SSL_DEBUG_FL, ##__VA_ARGS__); \
- } \
- }
-#else /* CONFIG_OPENSSL_DEBUG */
- #define SSL_SHOW_LOCATION()
-
- #define SSL_DEBUG(level, fmt, ...)
-#endif /* CONFIG_OPENSSL_DEBUG */
-
-/**
- * OpenSSL assert function
- *
- * if select "CONFIG_OPENSSL_ASSERT_DEBUG", SSL_ASSERT* will show error file name and line
- * if select "CONFIG_OPENSSL_ASSERT_EXIT", SSL_ASSERT* will just return error code.
- * if select "CONFIG_OPENSSL_ASSERT_DEBUG_EXIT" SSL_ASSERT* will show error file name and line,
- * then return error code.
- * if select "CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK", SSL_ASSERT* will show error file name and line,
- * then block here with "while (1)"
- *
- * SSL_ASSERT1 may will return "-1", so function's return argument is integer.
- * SSL_ASSERT2 may will return "NULL", so function's return argument is a point.
- * SSL_ASSERT2 may will return nothing, so function's return argument is "void".
- */
-#if defined(CONFIG_OPENSSL_ASSERT_DEBUG)
- #define SSL_ASSERT1(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- } \
- }
-
- #define SSL_ASSERT2(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- } \
- }
-
- #define SSL_ASSERT3(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- } \
- }
-#elif defined(CONFIG_OPENSSL_ASSERT_EXIT)
- #define SSL_ASSERT1(s) \
- { \
- if (!(s)) { \
- return -1; \
- } \
- }
-
- #define SSL_ASSERT2(s) \
- { \
- if (!(s)) { \
- return NULL; \
- } \
- }
-
- #define SSL_ASSERT3(s) \
- { \
- if (!(s)) { \
- return ; \
- } \
- }
-#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_EXIT)
- #define SSL_ASSERT1(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- return -1; \
- } \
- }
-
- #define SSL_ASSERT2(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- return NULL; \
- } \
- }
-
- #define SSL_ASSERT3(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- return ; \
- } \
- }
-#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK)
- #define SSL_ASSERT1(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- while (1); \
- } \
- }
-
- #define SSL_ASSERT2(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- while (1); \
- } \
- }
-
- #define SSL_ASSERT3(s) \
- { \
- if (!(s)) { \
- SSL_SHOW_LOCATION(); \
- while (1); \
- } \
- }
-#else
- #define SSL_ASSERT1(s)
- #define SSL_ASSERT2(s)
- #define SSL_ASSERT3(s)
-#endif
-
-#define SSL_PLATFORM_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_PLATFORM_ERROR_LEVEL SSL_DEBUG_ON
-
-#define SSL_CERT_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_CERT_ERROR_LEVEL SSL_DEBUG_ON
-
-#define SSL_PKEY_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_PKEY_ERROR_LEVEL SSL_DEBUG_ON
-
-#define SSL_X509_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_X509_ERROR_LEVEL SSL_DEBUG_ON
-
-#define SSL_LIB_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_LIB_ERROR_LEVEL SSL_DEBUG_ON
-
-#define SSL_STACK_DEBUG_LEVEL SSL_DEBUG_OFF
-#define SSL_STACK_ERROR_LEVEL SSL_DEBUG_ON
-
-#ifdef __cplusplus
- }
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_lib.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_lib.h
deleted file mode 100644
index 42b2de7501..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_lib.h
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_LIB_H_
-#define _SSL_LIB_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl_types.h"
-
- void _ssl_set_alpn_list(const SSL *ssl);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h
deleted file mode 100644
index cd2f8c0533..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h
+++ /dev/null
@@ -1,121 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_METHODS_H_
-#define _SSL_METHODS_H_
-
-#include "ssl_types.h"
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-/**
- * TLS method function implement
- */
-#define IMPLEMENT_TLS_METHOD_FUNC(func_name, \
- new, free, \
- handshake, shutdown, clear, \
- read, send, pending, \
- set_fd, get_fd, \
- set_bufflen, \
- get_verify_result, \
- get_state) \
- static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
- new, \
- free, \
- handshake, \
- shutdown, \
- clear, \
- read, \
- send, \
- pending, \
- set_fd, \
- get_fd, \
- set_bufflen, \
- get_verify_result, \
- get_state \
- };
-
-#define IMPLEMENT_TLS_METHOD(ver, mode, fun, func_name) \
- const SSL_METHOD* func_name(void) { \
- static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
- ver, \
- mode, \
- &(fun), \
- }; \
- return &func_name##_data; \
- }
-
-#define IMPLEMENT_SSL_METHOD(ver, mode, fun, func_name) \
- const SSL_METHOD* func_name(void) { \
- static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
- ver, \
- mode, \
- &(fun), \
- }; \
- return &func_name##_data; \
- }
-
-#define IMPLEMENT_X509_METHOD(func_name, \
- new, \
- free, \
- load, \
- show_info) \
- const X509_METHOD* func_name(void) { \
- static const X509_METHOD func_name##_data LOCAL_ATRR = { \
- new, \
- free, \
- load, \
- show_info \
- }; \
- return &func_name##_data; \
- }
-
-#define IMPLEMENT_PKEY_METHOD(func_name, \
- new, \
- free, \
- load) \
- const PKEY_METHOD* func_name(void) { \
- static const PKEY_METHOD func_name##_data LOCAL_ATRR = { \
- new, \
- free, \
- load \
- }; \
- return &func_name##_data; \
- }
-
-/**
- * @brief get X509 object method
- *
- * @param none
- *
- * @return X509 object method point
- */
-const X509_METHOD* X509_method(void);
-
-/**
- * @brief get private key object method
- *
- * @param none
- *
- * @return private key object method point
- */
-const PKEY_METHOD* EVP_PKEY_method(void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h
deleted file mode 100644
index e790fcc995..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_PKEY_H_
-#define _SSL_PKEY_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl_types.h"
-
-/**
- * @brief create a private key object according to input private key
- *
- * @param ipk - input private key point
- *
- * @return new private key object point
- */
-EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk);
-
-/**
- * @brief create a private key object
- *
- * @param none
- *
- * @return private key object point
- */
-EVP_PKEY* EVP_PKEY_new(void);
-
-/**
- * @brief load a character key context into system context. If '*a' is pointed to the
- * private key, then load key into it. Or create a new private key object
- *
- * @param type - private key type
- * @param a - a point pointed to a private key point
- * @param pp - a point pointed to the key context memory point
- * @param length - key bytes
- *
- * @return private key object point
- */
-EVP_PKEY* d2i_PrivateKey(int type,
- EVP_PKEY **a,
- const unsigned char **pp,
- long length);
-
-/**
- * @brief free a private key object
- *
- * @param pkey - private key object point
- *
- * @return none
- */
-void EVP_PKEY_free(EVP_PKEY *x);
-
-/**
- * @brief load private key into the SSL
- *
- * @param type - private key type
- * @param ssl - SSL point
- * @param len - data bytes
- * @param d - data point
- *
- * @return result
- * 0 : failed
- * 1 : OK
- */
- int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_stack.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_stack.h
deleted file mode 100644
index 7a7051a026..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_stack.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef _SSL_STACK_H_
-#define _SSL_STACK_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl_types.h"
-
-#define STACK_OF(type) struct stack_st_##type
-
-#define SKM_DEFINE_STACK_OF(t1, t2, t3) \
- STACK_OF(t1); \
- static ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
- { \
- return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \
- } \
-
-#define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
-
-/**
- * @brief create a openssl stack object
- *
- * @param c - stack function
- *
- * @return openssl stack object point
- */
-OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c);
-
-/**
- * @brief create a NULL function openssl stack object
- *
- * @param none
- *
- * @return openssl stack object point
- */
-OPENSSL_STACK *OPENSSL_sk_new_null(void);
-
-/**
- * @brief free openssl stack object
- *
- * @param openssl stack object point
- *
- * @return none
- */
-void OPENSSL_sk_free(OPENSSL_STACK *stack);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h
deleted file mode 100644
index 68ac748a28..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_TYPES_H_
-#define _SSL_TYPES_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include <lws_config.h>
-#if defined(LWS_WITH_ESP32)
-#undef MBEDTLS_CONFIG_FILE
-#define MBEDTLS_CONFIG_FILE <mbedtls/esp_config.h>
-#endif
-
-#include "ssl_code.h"
-
-typedef void SSL_CIPHER;
-
-typedef void X509_STORE_CTX;
-typedef void X509_STORE;
-
-typedef void RSA;
-
-typedef void STACK;
-typedef void BIO;
-
-#if defined(WIN32) || defined(_WIN32)
-#define ossl_inline __inline
-#else
-#define ossl_inline inline
-#endif
-
-#define SSL_METHOD_CALL(f, s, ...) s->method->func->ssl_##f(s, ##__VA_ARGS__)
-#define X509_METHOD_CALL(f, x, ...) x->method->x509_##f(x, ##__VA_ARGS__)
-#define EVP_PKEY_METHOD_CALL(f, k, ...) k->method->pkey_##f(k, ##__VA_ARGS__)
-
-typedef int (*OPENSSL_sk_compfunc)(const void *, const void *);
-
-struct stack_st;
-typedef struct stack_st OPENSSL_STACK;
-
-struct ssl_method_st;
-typedef struct ssl_method_st SSL_METHOD;
-
-struct ssl_method_func_st;
-typedef struct ssl_method_func_st SSL_METHOD_FUNC;
-
-struct record_layer_st;
-typedef struct record_layer_st RECORD_LAYER;
-
-struct ossl_statem_st;
-typedef struct ossl_statem_st OSSL_STATEM;
-
-struct ssl_session_st;
-typedef struct ssl_session_st SSL_SESSION;
-
-struct ssl_ctx_st;
-typedef struct ssl_ctx_st SSL_CTX;
-
-struct ssl_st;
-typedef struct ssl_st SSL;
-
-struct cert_st;
-typedef struct cert_st CERT;
-
-struct x509_st;
-typedef struct x509_st X509;
-
-struct X509_VERIFY_PARAM_st;
-typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
-
-struct evp_pkey_st;
-typedef struct evp_pkey_st EVP_PKEY;
-
-struct x509_method_st;
-typedef struct x509_method_st X509_METHOD;
-
-struct pkey_method_st;
-typedef struct pkey_method_st PKEY_METHOD;
-
-struct stack_st {
-
- char **data;
-
- int num_alloc;
-
- OPENSSL_sk_compfunc c;
-};
-
-struct evp_pkey_st {
-
- void *pkey_pm;
-
- const PKEY_METHOD *method;
-};
-
-struct x509_st {
-
- /* X509 certification platform private point */
- void *x509_pm;
-
- const X509_METHOD *method;
-};
-
-struct cert_st {
-
- int sec_level;
-
- X509 *x509;
-
- EVP_PKEY *pkey;
-
-};
-
-struct ossl_statem_st {
-
- MSG_FLOW_STATE state;
-
- int hand_state;
-};
-
-struct record_layer_st {
-
- int rstate;
-
- int read_ahead;
-};
-
-struct ssl_session_st {
-
- long timeout;
-
- long time;
-
- X509 *peer;
-};
-
-struct X509_VERIFY_PARAM_st {
-
- int depth;
-
-};
-
-typedef int (*next_proto_cb)(SSL *ssl, unsigned char **out,
- unsigned char *outlen, const unsigned char *in,
- unsigned int inlen, void *arg);
-
-struct ssl_ctx_st
-{
- int version;
-
- int references;
-
- unsigned long options;
-
- const SSL_METHOD *method;
-
- CERT *cert;
-
- X509 *client_CA;
-
- const char **alpn_protos;
-
- next_proto_cb alpn_cb;
-
- int verify_mode;
-
- int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
-
- long session_timeout;
-
- int read_ahead;
-
- int read_buffer_len;
-
- X509_VERIFY_PARAM param;
-};
-
-struct ssl_st
-{
- /* protocol version(one of SSL3.0, TLS1.0, etc.) */
- int version;
-
- unsigned long options;
-
- /* shut things down(0x01 : sent, 0x02 : received) */
- int shutdown;
-
- CERT *cert;
-
- X509 *client_CA;
-
- SSL_CTX *ctx;
-
- const SSL_METHOD *method;
-
- const char **alpn_protos;
-
- RECORD_LAYER rlayer;
-
- /* where we are */
- OSSL_STATEM statem;
-
- SSL_SESSION *session;
-
- int verify_mode;
-
- int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
-
- int rwstate;
- int interrupted_remaining_write;
-
- long verify_result;
-
- X509_VERIFY_PARAM param;
-
- int err;
-
- void (*info_callback) (const SSL *ssl, int type, int val);
-
- /* SSL low-level system arch point */
- void *ssl_pm;
-};
-
-struct ssl_method_st {
- /* protocol version(one of SSL3.0, TLS1.0, etc.) */
- int version;
-
- /* SSL mode(client(0) , server(1), not known(-1)) */
- int endpoint;
-
- const SSL_METHOD_FUNC *func;
-};
-
-struct ssl_method_func_st {
-
- int (*ssl_new)(SSL *ssl);
-
- void (*ssl_free)(SSL *ssl);
-
- int (*ssl_handshake)(SSL *ssl);
-
- int (*ssl_shutdown)(SSL *ssl);
-
- int (*ssl_clear)(SSL *ssl);
-
- int (*ssl_read)(SSL *ssl, void *buffer, int len);
-
- int (*ssl_send)(SSL *ssl, const void *buffer, int len);
-
- int (*ssl_pending)(const SSL *ssl);
-
- void (*ssl_set_fd)(SSL *ssl, int fd, int mode);
-
- int (*ssl_get_fd)(const SSL *ssl, int mode);
-
- void (*ssl_set_bufflen)(SSL *ssl, int len);
-
- long (*ssl_get_verify_result)(const SSL *ssl);
-
- OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
-};
-
-struct x509_method_st {
-
- int (*x509_new)(X509 *x, X509 *m_x);
-
- void (*x509_free)(X509 *x);
-
- int (*x509_load)(X509 *x, const unsigned char *buf, int len);
-
- int (*x509_show_info)(X509 *x);
-};
-
-struct pkey_method_st {
-
- int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey);
-
- void (*pkey_free)(EVP_PKEY *pkey);
-
- int (*pkey_load)(EVP_PKEY *pkey, const unsigned char *buf, int len);
-};
-
-#define OPENSSL_NPN_NEGOTIATED 1
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_x509.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_x509.h
deleted file mode 100644
index 7594d064b4..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/ssl_x509.h
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_X509_H_
-#define _SSL_X509_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "ssl_types.h"
-#include "ssl_stack.h"
-
-DEFINE_STACK_OF(X509_NAME)
-
-/**
- * @brief create a X509 certification object according to input X509 certification
- *
- * @param ix - input X509 certification point
- *
- * @return new X509 certification object point
- */
-X509* __X509_new(X509 *ix);
-
-/**
- * @brief create a X509 certification object
- *
- * @param none
- *
- * @return X509 certification object point
- */
-X509* X509_new(void);
-
-/**
- * @brief load a character certification context into system context. If '*cert' is pointed to the
- * certification, then load certification into it. Or create a new X509 certification object
- *
- * @param cert - a point pointed to X509 certification
- * @param buffer - a point pointed to the certification context memory point
- * @param length - certification bytes
- *
- * @return X509 certification object point
- */
-X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
-
-/**
- * @brief free a X509 certification object
- *
- * @param x - X509 certification object point
- *
- * @return none
- */
-void X509_free(X509 *x);
-
-/**
- * @brief set SSL context client CA certification
- *
- * @param ctx - SSL context point
- * @param x - X509 certification point
- *
- * @return result
- * 0 : failed
- * 1 : OK
- */
-int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
-
-/**
- * @brief add CA client certification into the SSL
- *
- * @param ssl - SSL point
- * @param x - X509 certification point
- *
- * @return result
- * 0 : failed
- * 1 : OK
- */
-int SSL_add_client_CA(SSL *ssl, X509 *x);
-
-/**
- * @brief load certification into the SSL
- *
- * @param ssl - SSL point
- * @param len - data bytes
- * @param d - data point
- *
- * @return result
- * 0 : failed
- * 1 : OK
- *
- */
-int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
-
-const char *X509_verify_cert_error_string(long n);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/tls1.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/tls1.h
deleted file mode 100644
index 7af1b0157d..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/tls1.h
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _TLS1_H_
-#define _TLS1_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-# define TLS1_AD_DECRYPTION_FAILED 21
-# define TLS1_AD_RECORD_OVERFLOW 22
-# define TLS1_AD_UNKNOWN_CA 48/* fatal */
-# define TLS1_AD_ACCESS_DENIED 49/* fatal */
-# define TLS1_AD_DECODE_ERROR 50/* fatal */
-# define TLS1_AD_DECRYPT_ERROR 51
-# define TLS1_AD_EXPORT_RESTRICTION 60/* fatal */
-# define TLS1_AD_PROTOCOL_VERSION 70/* fatal */
-# define TLS1_AD_INSUFFICIENT_SECURITY 71/* fatal */
-# define TLS1_AD_INTERNAL_ERROR 80/* fatal */
-# define TLS1_AD_INAPPROPRIATE_FALLBACK 86/* fatal */
-# define TLS1_AD_USER_CANCELLED 90
-# define TLS1_AD_NO_RENEGOTIATION 100
-/* codes 110-114 are from RFC3546 */
-# define TLS1_AD_UNSUPPORTED_EXTENSION 110
-# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
-# define TLS1_AD_UNRECOGNIZED_NAME 112
-# define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
-# define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
-# define TLS1_AD_UNKNOWN_PSK_IDENTITY 115/* fatal */
-# define TLS1_AD_NO_APPLICATION_PROTOCOL 120 /* fatal */
-
-/* Special value for method supporting multiple versions */
-#define TLS_ANY_VERSION 0x10000
-
-#define TLS1_VERSION 0x0301
-#define TLS1_1_VERSION 0x0302
-#define TLS1_2_VERSION 0x0303
-
-#define SSL_TLSEXT_ERR_OK 0
-#define SSL_TLSEXT_ERR_NOACK 3
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/x509_vfy.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/x509_vfy.h
deleted file mode 100644
index 26bf6c88a8..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/internal/x509_vfy.h
+++ /dev/null
@@ -1,116 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _X509_VFY_H_
-#define _X509_VFY_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#define X509_V_OK 0
-#define X509_V_ERR_UNSPECIFIED 1
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
-#define X509_V_ERR_UNABLE_TO_GET_CRL 3
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
-#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
-#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
-#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
-#define X509_V_ERR_CERT_HAS_EXPIRED 10
-#define X509_V_ERR_CRL_NOT_YET_VALID 11
-#define X509_V_ERR_CRL_HAS_EXPIRED 12
-#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
-#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
-#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
-#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
-#define X509_V_ERR_OUT_OF_MEM 17
-#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
-#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
-#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
-#define X509_V_ERR_CERT_REVOKED 23
-#define X509_V_ERR_INVALID_CA 24
-#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
-#define X509_V_ERR_INVALID_PURPOSE 26
-#define X509_V_ERR_CERT_UNTRUSTED 27
-#define X509_V_ERR_CERT_REJECTED 28
-/* These are 'informational' when looking for issuer cert */
-#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
-#define X509_V_ERR_AKID_SKID_MISMATCH 30
-#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
-#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
-#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
-#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
-#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
-#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
-#define X509_V_ERR_INVALID_NON_CA 37
-#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
-#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
-#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-#define X509_V_ERR_INVALID_EXTENSION 41
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
-#define X509_V_ERR_NO_EXPLICIT_POLICY 43
-#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
-#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
-#define X509_V_ERR_UNNESTED_RESOURCE 46
-#define X509_V_ERR_PERMITTED_VIOLATION 47
-#define X509_V_ERR_EXCLUDED_VIOLATION 48
-#define X509_V_ERR_SUBTREE_MINMAX 49
-/* The application is not happy */
-#define X509_V_ERR_APPLICATION_VERIFICATION 50
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
-#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
-#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
-/* Another issuer check debug option */
-#define X509_V_ERR_PATH_LOOP 55
-/* Suite B mode algorithm violation */
-#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
-#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
-#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
-#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
-#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
-#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
-/* Host, email and IP check errors */
-#define X509_V_ERR_HOSTNAME_MISMATCH 62
-#define X509_V_ERR_EMAIL_MISMATCH 63
-#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
-/* DANE TLSA errors */
-#define X509_V_ERR_DANE_NO_MATCH 65
-/* security level errors */
-#define X509_V_ERR_EE_KEY_TOO_SMALL 66
-#define X509_V_ERR_CA_KEY_TOO_SMALL 67
-#define X509_V_ERR_CA_MD_TOO_WEAK 68
-/* Caller error */
-#define X509_V_ERR_INVALID_CALL 69
-/* Issuer lookup error */
-#define X509_V_ERR_STORE_LOOKUP 70
-/* Certificate transparency */
-#define X509_V_ERR_NO_VALID_SCTS 71
-
-#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72
-
-typedef void X509_STORE_CTX;
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/openssl/ssl.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/openssl/ssl.h
deleted file mode 100755
index e2b74fc6af..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/openssl/ssl.h
+++ /dev/null
@@ -1,1833 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_H_
-#define _SSL_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include <stdlib.h>
-#include "internal/ssl_x509.h"
-#include "internal/ssl_pkey.h"
-
-/*
-{
-*/
-
-#define SSL_CB_ALERT 0x4000
-
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT (1 << 0)
-#define X509_CHECK_FLAG_NO_WILDCARDS (1 << 1)
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS (1 << 2)
-#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS (1 << 3)
-#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS (1 << 4)
-
- mbedtls_x509_crt *
- ssl_ctx_get_mbedtls_x509_crt(SSL_CTX *ssl_ctx);
-
- mbedtls_x509_crt *
- ssl_get_peer_mbedtls_x509_crt(SSL *ssl);
-
- int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *,
- const unsigned char *, size_t), void *param);
-
- void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
-
- int SSL_CTX_add_client_CA_ASN1(SSL_CTX *ssl, int len,
- const unsigned char *d);
-
- SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc);
-
-/**
- * @brief create a SSL context
- *
- * @param method - the SSL context method point
- *
- * @return the context point
- */
-SSL_CTX* SSL_CTX_new(const SSL_METHOD *method);
-
-/**
- * @brief free a SSL context
- *
- * @param method - the SSL context point
- *
- * @return none
- */
-void SSL_CTX_free(SSL_CTX *ctx);
-
-/**
- * @brief create a SSL
- *
- * @param ctx - the SSL context point
- *
- * @return the SSL point
- */
-SSL* SSL_new(SSL_CTX *ctx);
-
-/**
- * @brief free the SSL
- *
- * @param ssl - the SSL point
- *
- * @return none
- */
-void SSL_free(SSL *ssl);
-
-/**
- * @brief connect to the remote SSL server
- *
- * @param ssl - the SSL point
- *
- * @return result
- * 1 : OK
- * -1 : failed
- */
-int SSL_connect(SSL *ssl);
-
-/**
- * @brief accept the remote connection
- *
- * @param ssl - the SSL point
- *
- * @return result
- * 1 : OK
- * -1 : failed
- */
-int SSL_accept(SSL *ssl);
-
-/**
- * @brief read data from to remote
- *
- * @param ssl - the SSL point which has been connected
- * @param buffer - the received data buffer point
- * @param len - the received data length
- *
- * @return result
- * > 0 : OK, and return received data bytes
- * = 0 : connection is closed
- * < 0 : an error catch
- */
-int SSL_read(SSL *ssl, void *buffer, int len);
-
-/**
- * @brief send the data to remote
- *
- * @param ssl - the SSL point which has been connected
- * @param buffer - the send data buffer point
- * @param len - the send data length
- *
- * @return result
- * > 0 : OK, and return sent data bytes
- * = 0 : connection is closed
- * < 0 : an error catch
- */
-int SSL_write(SSL *ssl, const void *buffer, int len);
-
-/**
- * @brief get the verifying result of the SSL certification
- *
- * @param ssl - the SSL point
- *
- * @return the result of verifying
- */
-long SSL_get_verify_result(const SSL *ssl);
-
-/**
- * @brief shutdown the connection
- *
- * @param ssl - the SSL point
- *
- * @return result
- * 1 : OK
- * 0 : shutdown is not finished
- * -1 : an error catch
- */
-int SSL_shutdown(SSL *ssl);
-
-/**
- * @brief bind the socket file description into the SSL
- *
- * @param ssl - the SSL point
- * @param fd - socket handle
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_set_fd(SSL *ssl, int fd);
-
-/**
- * @brief These functions load the private key into the SSL_CTX or SSL object
- *
- * @param ctx - the SSL context point
- * @param pkey - private key object point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
-
-/**
- * @brief These functions load the certification into the SSL_CTX or SSL object
- *
- * @param ctx - the SSL context point
- * @param pkey - certification object point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-
-/**
- * @brief create the target SSL context client method
- *
- * @param none
- *
- * @return the SSLV2.3 version SSL context client method
- */
-const SSL_METHOD* SSLv23_client_method(void);
-
-/**
- * @brief create the target SSL context client method
- *
- * @param none
- *
- * @return the TLSV1.0 version SSL context client method
- */
-const SSL_METHOD* TLSv1_client_method(void);
-
-/**
- * @brief create the target SSL context client method
- *
- * @param none
- *
- * @return the SSLV1.0 version SSL context client method
- */
-const SSL_METHOD* SSLv3_client_method(void);
-
-/**
- * @brief create the target SSL context client method
- *
- * @param none
- *
- * @return the TLSV1.1 version SSL context client method
- */
-const SSL_METHOD* TLSv1_1_client_method(void);
-
-/**
- * @brief create the target SSL context client method
- *
- * @param none
- *
- * @return the TLSV1.2 version SSL context client method
- */
-const SSL_METHOD* TLSv1_2_client_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the TLS any version SSL context client method
- */
-const SSL_METHOD* TLS_client_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the SSLV2.3 version SSL context server method
- */
-const SSL_METHOD* SSLv23_server_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the TLSV1.1 version SSL context server method
- */
-const SSL_METHOD* TLSv1_1_server_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the TLSV1.2 version SSL context server method
- */
-const SSL_METHOD* TLSv1_2_server_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the TLSV1.0 version SSL context server method
- */
-const SSL_METHOD* TLSv1_server_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the SSLV3.0 version SSL context server method
- */
-const SSL_METHOD* SSLv3_server_method(void);
-
-/**
- * @brief create the target SSL context server method
- *
- * @param none
- *
- * @return the TLS any version SSL context server method
- */
-const SSL_METHOD* TLS_server_method(void);
-
-
-/**
- * @brief set the SSL context ALPN select callback function
- *
- * @param ctx - SSL context point
- * @param cb - ALPN select callback function
- * @param arg - ALPN select callback function entry private data point
- *
- * @return none
- */
-void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
- int (*cb) (SSL *ssl,
- const unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen,
- void *arg),
- void *arg);
-
-void SSL_set_alpn_select_cb(SSL *ssl, void *arg);
-
-/**
- * @brief set the SSL context ALPN select protocol
- *
- * @param ctx - SSL context point
- * @param protos - ALPN protocol name
- * @param protos_len - ALPN protocol name bytes
- *
- * @return result
- * 0 : OK
- * 1 : failed
- */
-int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len);
-
-/**
- * @brief set the SSL context next ALPN select callback function
- *
- * @param ctx - SSL context point
- * @param cb - ALPN select callback function
- * @param arg - ALPN select callback function entry private data point
- *
- * @return none
- */
-void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
- int (*cb) (SSL *ssl,
- unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen,
- void *arg),
- void *arg);
-
-void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
- unsigned int *len);
-
-void _ssl_set_alpn_list(const SSL *ssl);
-
-/**
- * @brief get SSL error code
- *
- * @param ssl - SSL point
- * @param ret_code - SSL return code
- *
- * @return SSL error number
- */
-int SSL_get_error(const SSL *ssl, int ret_code);
-
-/**
- * @brief clear the SSL error code
- *
- * @param none
- *
- * @return none
- */
-void ERR_clear_error(void);
-
-/**
- * @brief get the current SSL error code
- *
- * @param none
- *
- * @return current SSL error number
- */
-int ERR_get_error(void);
-
-/**
- * @brief register the SSL error strings
- *
- * @param none
- *
- * @return none
- */
-void ERR_load_SSL_strings(void);
-
-/**
- * @brief initialize the SSL library
- *
- * @param none
- *
- * @return none
- */
-void SSL_library_init(void);
-
-/**
- * @brief generates a human-readable string representing the error code e
- * and store it into the "ret" point memory
- *
- * @param e - error code
- * @param ret - memory point to store the string
- *
- * @return the result string point
- */
-char *ERR_error_string(unsigned long e, char *ret);
-
-/**
- * @brief add the SSL context option
- *
- * @param ctx - SSL context point
- * @param opt - new SSL context option
- *
- * @return the SSL context option
- */
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt);
-
-/**
- * @brief add the SSL context mode
- *
- * @param ctx - SSL context point
- * @param mod - new SSL context mod
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_mode(SSL_CTX *ctx, int mod);
-
-/*
-}
-*/
-
-/**
- * @brief perform the SSL handshake
- *
- * @param ssl - SSL point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- * -1 : a error catch
- */
-int SSL_do_handshake(SSL *ssl);
-
-/**
- * @brief get the SSL current version
- *
- * @param ssl - SSL point
- *
- * @return the version string
- */
-const char *SSL_get_version(const SSL *ssl);
-
-/**
- * @brief set the SSL context version
- *
- * @param ctx - SSL context point
- * @param meth - SSL method point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-
-/**
- * @brief get the bytes numbers which are to be read
- *
- * @param ssl - SSL point
- *
- * @return bytes number
- */
-int SSL_pending(const SSL *ssl);
-
-/**
- * @brief check if SSL want nothing
- *
- * @param ssl - SSL point
- *
- * @return result
- * 0 : false
- * 1 : true
- */
-int SSL_want_nothing(const SSL *ssl);
-
-/**
- * @brief check if SSL want to read
- *
- * @param ssl - SSL point
- *
- * @return result
- * 0 : false
- * 1 : true
- */
-int SSL_want_read(const SSL *ssl);
-
-/**
- * @brief check if SSL want to write
- *
- * @param ssl - SSL point
- *
- * @return result
- * 0 : false
- * 1 : true
- */
-int SSL_want_write(const SSL *ssl);
-
-/**
- * @brief get the SSL context current method
- *
- * @param ctx - SSL context point
- *
- * @return the SSL context current method
- */
-const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx);
-
-/**
- * @brief get the SSL current method
- *
- * @param ssl - SSL point
- *
- * @return the SSL current method
- */
-const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
-
-/**
- * @brief set the SSL method
- *
- * @param ssl - SSL point
- * @param meth - SSL method point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method);
-
-/**
- * @brief add CA client certification into the SSL
- *
- * @param ssl - SSL point
- * @param x - CA certification point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_add_client_CA(SSL *ssl, X509 *x);
-
-/**
- * @brief add CA client certification into the SSL context
- *
- * @param ctx - SSL context point
- * @param x - CA certification point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
-
-/**
- * @brief set the SSL CA certification list
- *
- * @param ssl - SSL point
- * @param name_list - CA certification list
- *
- * @return none
- */
-void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list);
-
-/**
- * @brief set the SSL context CA certification list
- *
- * @param ctx - SSL context point
- * @param name_list - CA certification list
- *
- * @return none
- */
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-
-/**
- * @briefget the SSL CA certification list
- *
- * @param ssl - SSL point
- *
- * @return CA certification list
- */
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
-
-/**
- * @brief get the SSL context CA certification list
- *
- * @param ctx - SSL context point
- *
- * @return CA certification list
- */
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
-
-/**
- * @brief get the SSL certification point
- *
- * @param ssl - SSL point
- *
- * @return SSL certification point
- */
-X509 *SSL_get_certificate(const SSL *ssl);
-
-/**
- * @brief get the SSL private key point
- *
- * @param ssl - SSL point
- *
- * @return SSL private key point
- */
-EVP_PKEY *SSL_get_privatekey(const SSL *ssl);
-
-/**
- * @brief set the SSL information callback function
- *
- * @param ssl - SSL point
- * @param cb - information callback function
- *
- * @return none
- */
-void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val));
-
-/**
- * @brief get the SSL state
- *
- * @param ssl - SSL point
- *
- * @return SSL state
- */
-OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
-
-/**
- * @brief set the SSL context read buffer length
- *
- * @param ctx - SSL context point
- * @param len - read buffer length
- *
- * @return none
- */
-void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
-
-/**
- * @brief set the SSL read buffer length
- *
- * @param ssl - SSL point
- * @param len - read buffer length
- *
- * @return none
- */
-void SSL_set_default_read_buffer_len(SSL *ssl, size_t len);
-
-/**
- * @brief set the SSL security level
- *
- * @param ssl - SSL point
- * @param level - security level
- *
- * @return none
- */
-void SSL_set_security_level(SSL *ssl, int level);
-
-/**
- * @brief get the SSL security level
- *
- * @param ssl - SSL point
- *
- * @return security level
- */
-int SSL_get_security_level(const SSL *ssl);
-
-/**
- * @brief get the SSL verifying mode of the SSL context
- *
- * @param ctx - SSL context point
- *
- * @return verifying mode
- */
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-
-/**
- * @brief get the SSL verifying depth of the SSL context
- *
- * @param ctx - SSL context point
- *
- * @return verifying depth
- */
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-
-/**
- * @brief set the SSL context verifying of the SSL context
- *
- * @param ctx - SSL context point
- * @param mode - verifying mode
- * @param verify_callback - verifying callback function
- *
- * @return none
- */
-void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *));
-
-/**
- * @brief set the SSL verifying of the SSL context
- *
- * @param ctx - SSL point
- * @param mode - verifying mode
- * @param verify_callback - verifying callback function
- *
- * @return none
- */
-void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));
-
-/**
- * @brief set the SSL verify depth of the SSL context
- *
- * @param ctx - SSL context point
- * @param depth - verifying depth
- *
- * @return none
- */
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
-
-/**
- * @brief certification verifying callback function
- *
- * @param preverify_ok - verifying result
- * @param x509_ctx - X509 certification point
- *
- * @return verifying result
- */
-int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
-
-/**
- * @brief set the session timeout time
- *
- * @param ctx - SSL context point
- * @param t - new session timeout time
- *
- * @return old session timeout time
- */
-long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
-
-/**
- * @brief get the session timeout time
- *
- * @param ctx - SSL context point
- *
- * @return current session timeout time
- */
-long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-
-/**
- * @brief set the SSL context cipher through the list string
- *
- * @param ctx - SSL context point
- * @param str - cipher controller list string
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
-
-/**
- * @brief set the SSL cipher through the list string
- *
- * @param ssl - SSL point
- * @param str - cipher controller list string
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_set_cipher_list(SSL *ssl, const char *str);
-
-/**
- * @brief get the SSL cipher list string
- *
- * @param ssl - SSL point
- *
- * @return cipher controller list string
- */
-const char *SSL_get_cipher_list(const SSL *ssl, int n);
-
-/**
- * @brief get the SSL cipher
- *
- * @param ssl - SSL point
- *
- * @return current cipher
- */
-const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
-
-/**
- * @brief get the SSL cipher string
- *
- * @param ssl - SSL point
- *
- * @return cipher string
- */
-const char *SSL_get_cipher(const SSL *ssl);
-
-/**
- * @brief get the SSL context object X509 certification storage
- *
- * @param ctx - SSL context point
- *
- * @return x509 certification storage
- */
-X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
-
-/**
- * @brief set the SSL context object X509 certification store
- *
- * @param ctx - SSL context point
- * @param store - X509 certification store
- *
- * @return none
- */
-void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
-
-/**
- * @brief get the SSL specifical statement
- *
- * @param ssl - SSL point
- *
- * @return specifical statement
- */
-int SSL_want(const SSL *ssl);
-
-/**
- * @brief check if the SSL is SSL_X509_LOOKUP state
- *
- * @param ssl - SSL point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_want_x509_lookup(const SSL *ssl);
-
-/**
- * @brief reset the SSL
- *
- * @param ssl - SSL point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_clear(SSL *ssl);
-
-/**
- * @brief get the socket handle of the SSL
- *
- * @param ssl - SSL point
- *
- * @return result
- * >= 0 : yes, and return socket handle
- * < 0 : a error catch
- */
-int SSL_get_fd(const SSL *ssl);
-
-/**
- * @brief get the read only socket handle of the SSL
- *
- * @param ssl - SSL point
- *
- * @return result
- * >= 0 : yes, and return socket handle
- * < 0 : a error catch
- */
-int SSL_get_rfd(const SSL *ssl);
-
-/**
- * @brief get the write only socket handle of the SSL
- *
- * @param ssl - SSL point
- *
- * @return result
- * >= 0 : yes, and return socket handle
- * < 0 : a error catch
- */
-int SSL_get_wfd(const SSL *ssl);
-
-/**
- * @brief set the SSL if we can read as many as data
- *
- * @param ssl - SSL point
- * @param yes - enable the function
- *
- * @return none
- */
-void SSL_set_read_ahead(SSL *s, int yes);
-
-/**
- * @brief set the SSL context if we can read as many as data
- *
- * @param ctx - SSL context point
- * @param yes - enbale the function
- *
- * @return none
- */
-void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
-
-/**
- * @brief get the SSL ahead signal if we can read as many as data
- *
- * @param ssl - SSL point
- *
- * @return SSL context ahead signal
- */
-int SSL_get_read_ahead(const SSL *ssl);
-
-/**
- * @brief get the SSL context ahead signal if we can read as many as data
- *
- * @param ctx - SSL context point
- *
- * @return SSL context ahead signal
- */
-long SSL_CTX_get_read_ahead(SSL_CTX *ctx);
-
-/**
- * @brief check if some data can be read
- *
- * @param ssl - SSL point
- *
- * @return
- * 1 : there are bytes to be read
- * 0 : no data
- */
-int SSL_has_pending(const SSL *ssl);
-
-/**
- * @brief load the X509 certification into SSL context
- *
- * @param ctx - SSL context point
- * @param x - X509 certification point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);//loads the certificate x into ctx
-
-/**
- * @brief load the ASN1 certification into SSL context
- *
- * @param ctx - SSL context point
- * @param len - certification length
- * @param d - data point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
-
-/**
- * @brief load the certification file into SSL context
- *
- * @param ctx - SSL context point
- * @param file - certification file name
- * @param type - certification encoding type
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
-
-/**
- * @brief load the certification chain file into SSL context
- *
- * @param ctx - SSL context point
- * @param file - certification chain file name
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
-
-
-/**
- * @brief load the ASN1 private key into SSL context
- *
- * @param ctx - SSL context point
- * @param d - data point
- * @param len - private key length
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);//adds the private key of type pk stored at memory location d (length len) to ctx
-
-/**
- * @brief load the private key file into SSL context
- *
- * @param ctx - SSL context point
- * @param file - private key file name
- * @param type - private key encoding type
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-
-/**
- * @brief load the RSA private key into SSL context
- *
- * @param ctx - SSL context point
- * @param x - RSA private key point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
-
-/**
- * @brief load the RSA ASN1 private key into SSL context
- *
- * @param ctx - SSL context point
- * @param d - data point
- * @param len - RSA private key length
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
-
-/**
- * @brief load the RSA private key file into SSL context
- *
- * @param ctx - SSL context point
- * @param file - RSA private key file name
- * @param type - private key encoding type
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-
-
-/**
- * @brief check if the private key and certification is matched
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-
-/**
- * @brief set the SSL context server information
- *
- * @param ctx - SSL context point
- * @param serverinfo - server information string
- * @param serverinfo_length - server information length
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length);
-
-/**
- * @brief load the SSL context server infomation file into SSL context
- *
- * @param ctx - SSL context point
- * @param file - server information file
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
-
-/**
- * @brief SSL select next function
- *
- * @param out - point of output data point
- * @param outlen - output data length
- * @param in - input data
- * @param inlen - input data length
- * @param client - client data point
- * @param client_len -client data length
- *
- * @return NPN state
- * OPENSSL_NPN_UNSUPPORTED : not support
- * OPENSSL_NPN_NEGOTIATED : negotiated
- * OPENSSL_NPN_NO_OVERLAP : no overlap
- */
-int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
- const unsigned char *in, unsigned int inlen,
- const unsigned char *client, unsigned int client_len);
-
-/**
- * @brief load the extra certification chain into the SSL context
- *
- * @param ctx - SSL context point
- * @param x509 - X509 certification
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *);
-
-/**
- * @brief control the SSL context
- *
- * @param ctx - SSL context point
- * @param cmd - command
- * @param larg - parameter length
- * @param parg - parameter point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
-
-/**
- * @brief get the SSL context cipher
- *
- * @param ctx - SSL context point
- *
- * @return SSL context cipher
- */
-STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
-
-/**
- * @brief check if the SSL context can read as many as data
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
-
-/**
- * @brief get the SSL context extra data
- *
- * @param ctx - SSL context point
- * @param idx - index
- *
- * @return data point
- */
-char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
-
-/**
- * @brief get the SSL context quiet shutdown option
- *
- * @param ctx - SSL context point
- *
- * @return quiet shutdown option
- */
-int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
-
-/**
- * @brief load the SSL context CA file
- *
- * @param ctx - SSL context point
- * @param CAfile - CA certification file
- * @param CApath - CA certification file path
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
-
-/**
- * @brief add SSL context reference count by '1'
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_up_ref(SSL_CTX *ctx);
-
-/**
- * @brief set SSL context application private data
- *
- * @param ctx - SSL context point
- * @param arg - private data
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);
-
-/**
- * @brief set SSL context client certification callback function
- *
- * @param ctx - SSL context point
- * @param cb - callback function
- *
- * @return none
- */
-void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
-
-/**
- * @brief set the SSL context if we can read as many as data
- *
- * @param ctx - SSL context point
- * @param m - enable the fuction
- *
- * @return none
- */
-void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);
-
-/**
- * @brief set SSL context default verifying path
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-
-/**
- * @brief set SSL context default verifying directory
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
-
-/**
- * @brief set SSL context default verifying file
- *
- * @param ctx - SSL context point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
-
-/**
- * @brief set SSL context extra data
- *
- * @param ctx - SSL context point
- * @param idx - data index
- * @param arg - data point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);
-
-/**
- * @brief clear the SSL context option bit of "op"
- *
- * @param ctx - SSL context point
- * @param op - option
- *
- * @return SSL context option
- */
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
-
-/**
- * @brief get the SSL context option
- *
- * @param ctx - SSL context point
- * @param op - option
- *
- * @return SSL context option
- */
-unsigned long SSL_CTX_get_options(SSL_CTX *ctx);
-
-/**
- * @brief set the SSL context quiet shutdown mode
- *
- * @param ctx - SSL context point
- * @param mode - mode
- *
- * @return none
- */
-void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
-
-/**
- * @brief get the SSL context X509 certification
- *
- * @param ctx - SSL context point
- *
- * @return X509 certification
- */
-X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
-
-/**
- * @brief get the SSL context private key
- *
- * @param ctx - SSL context point
- *
- * @return private key
- */
-EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
-
-/**
- * @brief set SSL context PSK identity hint
- *
- * @param ctx - SSL context point
- * @param hint - PSK identity hint
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);
-
-/**
- * @brief set SSL context PSK server callback function
- *
- * @param ctx - SSL context point
- * @param callback - callback function
- *
- * @return none
- */
-void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
- unsigned int (*callback)(SSL *ssl,
- const char *identity,
- unsigned char *psk,
- int max_psk_len));
-/**
- * @brief get alert description string
- *
- * @param value - alert value
- *
- * @return alert description string
- */
-const char *SSL_alert_desc_string(int value);
-
-/**
- * @brief get alert description long string
- *
- * @param value - alert value
- *
- * @return alert description long string
- */
-const char *SSL_alert_desc_string_long(int value);
-
-/**
- * @brief get alert type string
- *
- * @param value - alert value
- *
- * @return alert type string
- */
-const char *SSL_alert_type_string(int value);
-
-/**
- * @brief get alert type long string
- *
- * @param value - alert value
- *
- * @return alert type long string
- */
-const char *SSL_alert_type_string_long(int value);
-
-/**
- * @brief get SSL context of the SSL
- *
- * @param ssl - SSL point
- *
- * @return SSL context
- */
-SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
-
-/**
- * @brief get SSL application data
- *
- * @param ssl - SSL point
- *
- * @return application data
- */
-char *SSL_get_app_data(SSL *ssl);
-
-/**
- * @brief get SSL cipher bits
- *
- * @param ssl - SSL point
- * @param alg_bits - algorithm bits
- *
- * @return strength bits
- */
-int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);
-
-/**
- * @brief get SSL cipher name
- *
- * @param ssl - SSL point
- *
- * @return SSL cipher name
- */
-char *SSL_get_cipher_name(const SSL *ssl);
-
-/**
- * @brief get SSL cipher version
- *
- * @param ssl - SSL point
- *
- * @return SSL cipher version
- */
-char *SSL_get_cipher_version(const SSL *ssl);
-
-/**
- * @brief get SSL extra data
- *
- * @param ssl - SSL point
- * @param idx - data index
- *
- * @return extra data
- */
-char *SSL_get_ex_data(const SSL *ssl, int idx);
-
-/**
- * @brief get index of the SSL extra data X509 storage context
- *
- * @param none
- *
- * @return data index
- */
-int SSL_get_ex_data_X509_STORE_CTX_idx(void);
-
-/**
- * @brief get peer certification chain
- *
- * @param ssl - SSL point
- *
- * @return certification chain
- */
-STACK *SSL_get_peer_cert_chain(const SSL *ssl);
-
-/**
- * @brief get peer certification
- *
- * @param ssl - SSL point
- *
- * @return certification
- */
-X509 *SSL_get_peer_certificate(const SSL *ssl);
-
-/**
- * @brief get SSL quiet shutdown mode
- *
- * @param ssl - SSL point
- *
- * @return quiet shutdown mode
- */
-int SSL_get_quiet_shutdown(const SSL *ssl);
-
-/**
- * @brief get SSL read only IO handle
- *
- * @param ssl - SSL point
- *
- * @return IO handle
- */
-BIO *SSL_get_rbio(const SSL *ssl);
-
-/**
- * @brief get SSL shared ciphers
- *
- * @param ssl - SSL point
- * @param buf - buffer to store the ciphers
- * @param len - buffer len
- *
- * @return shared ciphers
- */
-char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);
-
-/**
- * @brief get SSL shutdown mode
- *
- * @param ssl - SSL point
- *
- * @return shutdown mode
- */
-int SSL_get_shutdown(const SSL *ssl);
-
-/**
- * @brief get SSL session time
- *
- * @param ssl - SSL point
- *
- * @return session time
- */
-long SSL_get_time(const SSL *ssl);
-
-/**
- * @brief get SSL session timeout time
- *
- * @param ssl - SSL point
- *
- * @return session timeout time
- */
-long SSL_get_timeout(const SSL *ssl);
-
-/**
- * @brief get SSL verifying mode
- *
- * @param ssl - SSL point
- *
- * @return verifying mode
- */
-int SSL_get_verify_mode(const SSL *ssl);
-
-/**
- * @brief get SSL verify parameters
- *
- * @param ssl - SSL point
- *
- * @return verify parameters
- */
-X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
-
-/**
- * @brief set expected hostname the peer cert CN should have
- *
- * @param param - verify parameters from SSL_get0_param()
- *
- * @param name - the expected hostname
- *
- * @param namelen - the length of the hostname, or 0 if NUL terminated
- *
- * @return verify parameters
- */
-int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
- const char *name, size_t namelen);
-
-/**
- * @brief set parameters for X509 host verify action
- *
- * @param param -verify parameters from SSL_get0_param()
- *
- * @param flags - bitfield of X509_CHECK_FLAG_... parameters to set
- *
- * @return 1 for success, 0 for failure
- */
-int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
- unsigned long flags);
-
-/**
- * @brief clear parameters for X509 host verify action
- *
- * @param param -verify parameters from SSL_get0_param()
- *
- * @param flags - bitfield of X509_CHECK_FLAG_... parameters to clear
- *
- * @return 1 for success, 0 for failure
- */
-int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
- unsigned long flags);
-
-/**
- * @brief get SSL write only IO handle
- *
- * @param ssl - SSL point
- *
- * @return IO handle
- */
-BIO *SSL_get_wbio(const SSL *ssl);
-
-/**
- * @brief load SSL client CA certification file
- *
- * @param file - file name
- *
- * @return certification loading object
- */
-STACK *SSL_load_client_CA_file(const char *file);
-
-/**
- * @brief add SSL reference by '1'
- *
- * @param ssl - SSL point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_up_ref(SSL *ssl);
-
-/**
- * @brief read and put data into buf, but not clear the SSL low-level storage
- *
- * @param ssl - SSL point
- * @param buf - storage buffer point
- * @param num - data bytes
- *
- * @return result
- * > 0 : OK, and return read bytes
- * = 0 : connect is closed
- * < 0 : a error catch
- */
-int SSL_peek(SSL *ssl, void *buf, int num);
-
-/**
- * @brief make SSL renegotiate
- *
- * @param ssl - SSL point
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_renegotiate(SSL *ssl);
-
-/**
- * @brief get the state string where SSL is reading
- *
- * @param ssl - SSL point
- *
- * @return state string
- */
-const char *SSL_rstate_string(SSL *ssl);
-
-/**
- * @brief get the statement long string where SSL is reading
- *
- * @param ssl - SSL point
- *
- * @return statement long string
- */
-const char *SSL_rstate_string_long(SSL *ssl);
-
-/**
- * @brief set SSL accept statement
- *
- * @param ssl - SSL point
- *
- * @return none
- */
-void SSL_set_accept_state(SSL *ssl);
-
-/**
- * @brief set SSL application data
- *
- * @param ssl - SSL point
- * @param arg - SSL application data point
- *
- * @return none
- */
-void SSL_set_app_data(SSL *ssl, char *arg);
-
-/**
- * @brief set SSL BIO
- *
- * @param ssl - SSL point
- * @param rbio - read only IO
- * @param wbio - write only IO
- *
- * @return none
- */
-void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
-
-/**
- * @brief clear SSL option
- *
- * @param ssl - SSL point
- * @param op - clear option
- *
- * @return SSL option
- */
-unsigned long SSL_clear_options(SSL *ssl, unsigned long op);
-
-/**
- * @brief get SSL option
- *
- * @param ssl - SSL point
- *
- * @return SSL option
- */
-unsigned long SSL_get_options(SSL *ssl);
-
-/**
- * @brief clear SSL option
- *
- * @param ssl - SSL point
- * @param op - setting option
- *
- * @return SSL option
- */
-unsigned long SSL_set_options(SSL *ssl, unsigned long op);
-
-/**
- * @brief set SSL quiet shutdown mode
- *
- * @param ssl - SSL point
- * @param mode - quiet shutdown mode
- *
- * @return none
- */
-void SSL_set_quiet_shutdown(SSL *ssl, int mode);
-
-/**
- * @brief set SSL shutdown mode
- *
- * @param ssl - SSL point
- * @param mode - shutdown mode
- *
- * @return none
- */
-void SSL_set_shutdown(SSL *ssl, int mode);
-
-/**
- * @brief set SSL session time
- *
- * @param ssl - SSL point
- * @param t - session time
- *
- * @return session time
- */
-void SSL_set_time(SSL *ssl, long t);
-
-/**
- * @brief set SSL session timeout time
- *
- * @param ssl - SSL point
- * @param t - session timeout time
- *
- * @return session timeout time
- */
-void SSL_set_timeout(SSL *ssl, long t);
-
-/**
- * @brief get SSL statement string
- *
- * @param ssl - SSL point
- *
- * @return SSL statement string
- */
-char *SSL_state_string(const SSL *ssl);
-
-/**
- * @brief get SSL statement long string
- *
- * @param ssl - SSL point
- *
- * @return SSL statement long string
- */
-char *SSL_state_string_long(const SSL *ssl);
-
-/**
- * @brief get SSL renegotiation count
- *
- * @param ssl - SSL point
- *
- * @return renegotiation count
- */
-long SSL_total_renegotiations(SSL *ssl);
-
-/**
- * @brief get SSL version
- *
- * @param ssl - SSL point
- *
- * @return SSL version
- */
-int SSL_version(const SSL *ssl);
-
-/**
- * @brief set SSL PSK identity hint
- *
- * @param ssl - SSL point
- * @param hint - identity hint
- *
- * @return result
- * 1 : OK
- * 0 : failed
- */
-int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
-
-/**
- * @brief get SSL PSK identity hint
- *
- * @param ssl - SSL point
- *
- * @return identity hint
- */
-const char *SSL_get_psk_identity_hint(SSL *ssl);
-
-/**
- * @brief get SSL PSK identity
- *
- * @param ssl - SSL point
- *
- * @return identity
- */
-const char *SSL_get_psk_identity(SSL *ssl);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h
deleted file mode 100644
index cbbe3aa3a2..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_PM_H_
-#define _SSL_PM_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include <string.h>
-#include "ssl_types.h"
-#include "ssl_port.h"
-
-#define LOCAL_ATRR
-
-int ssl_pm_new(SSL *ssl);
-void ssl_pm_free(SSL *ssl);
-
-int ssl_pm_handshake(SSL *ssl);
-int ssl_pm_shutdown(SSL *ssl);
-int ssl_pm_clear(SSL *ssl);
-
-int ssl_pm_read(SSL *ssl, void *buffer, int len);
-int ssl_pm_send(SSL *ssl, const void *buffer, int len);
-int ssl_pm_pending(const SSL *ssl);
-
-void ssl_pm_set_fd(SSL *ssl, int fd, int mode);
-int ssl_pm_get_fd(const SSL *ssl, int mode);
-
-OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
-
-void ssl_pm_set_bufflen(SSL *ssl, int len);
-
-int x509_pm_show_info(X509 *x);
-int x509_pm_new(X509 *x, X509 *m_x);
-void x509_pm_free(X509 *x);
-int x509_pm_load(X509 *x, const unsigned char *buffer, int len);
-
-int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk);
-void pkey_pm_free(EVP_PKEY *pk);
-int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len);
-
-long ssl_pm_get_verify_result(const SSL *ssl);
-
-#ifdef __cplusplus
- }
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_port.h b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_port.h
deleted file mode 100644
index 74c7634355..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/include/platform/ssl_port.h
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_PORT_H_
-#define _SSL_PORT_H_
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include "string.h"
-#include "stdlib.h"
-#if defined(LWS_HAVE_MALLOC_H)
-#include "malloc.h"
-#endif
-
-void *ssl_mem_zalloc(size_t size);
-
-#define ssl_mem_malloc malloc
-#define ssl_mem_free free
-
-#define ssl_memcpy memcpy
-#define ssl_strlen strlen
-
-#define ssl_speed_up_enter()
-#define ssl_speed_up_exit()
-
-#define SSL_DEBUG_FL
-#define SSL_DEBUG_LOG(fmt, ...) ESP_LOGI("openssl", fmt, ##__VA_ARGS__)
-
-#ifdef __cplusplus
- }
-#endif
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_cert.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_cert.c
deleted file mode 100644
index 5c608125ac..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_cert.c
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_cert.h"
-#include "ssl_pkey.h"
-#include "ssl_x509.h"
-#include "ssl_dbg.h"
-#include "ssl_port.h"
-
-/**
- * @brief create a certification object according to input certification
- */
-CERT *__ssl_cert_new(CERT *ic)
-{
- CERT *cert;
-
- X509 *ix;
- EVP_PKEY *ipk;
-
- cert = ssl_mem_zalloc(sizeof(CERT));
- if (!cert) {
- SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "no enough memory > (cert)");
- goto no_mem;
- }
-
- if (ic) {
- ipk = ic->pkey;
- ix = ic->x509;
- } else {
- ipk = NULL;
- ix = NULL;
- }
-
- cert->pkey = __EVP_PKEY_new(ipk);
- if (!cert->pkey) {
- SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL");
- goto pkey_err;
- }
-
- cert->x509 = __X509_new(ix);
- if (!cert->x509) {
- SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__X509_new() return NULL");
- goto x509_err;
- }
-
- return cert;
-
-x509_err:
- EVP_PKEY_free(cert->pkey);
-pkey_err:
- ssl_mem_free(cert);
-no_mem:
- return NULL;
-}
-
-/**
- * @brief create a certification object include private key object
- */
-CERT *ssl_cert_new(void)
-{
- return __ssl_cert_new(NULL);
-}
-
-/**
- * @brief free a certification object
- */
-void ssl_cert_free(CERT *cert)
-{
- SSL_ASSERT3(cert);
-
- X509_free(cert->x509);
-
- EVP_PKEY_free(cert->pkey);
-
- ssl_mem_free(cert);
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_lib.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_lib.c
deleted file mode 100644
index 2f688ca9ef..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_lib.c
+++ /dev/null
@@ -1,1736 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_lib.h"
-#include "ssl_pkey.h"
-#include "ssl_x509.h"
-#include "ssl_cert.h"
-#include "ssl_dbg.h"
-#include "ssl_port.h"
-
-char *
-lws_strncpy(char *dest, const char *src, size_t size);
-
-#define SSL_SEND_DATA_MAX_LENGTH 1460
-
-/**
- * @brief create a new SSL session object
- */
-static SSL_SESSION* SSL_SESSION_new(void)
-{
- SSL_SESSION *session;
-
- session = ssl_mem_zalloc(sizeof(SSL_SESSION));
- if (!session) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
- goto failed1;
- }
-
- session->peer = X509_new();
- if (!session->peer) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
- goto failed2;
- }
-
- return session;
-
-failed2:
- ssl_mem_free(session);
-failed1:
- return NULL;
-}
-
-/**
- * @brief free a new SSL session object
- */
-static void SSL_SESSION_free(SSL_SESSION *session)
-{
- X509_free(session->peer);
- ssl_mem_free(session);
-}
-
-/**
- * @brief Discover whether the current connection is in the error state
- */
-int ossl_statem_in_error(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- if (ssl->statem.state == MSG_FLOW_ERROR)
- return 1;
-
- return 0;
-}
-
-/**
- * @brief get the SSL specifical statement
- */
-int SSL_want(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->rwstate;
-}
-
-/**
- * @brief check if SSL want nothing
- */
-int SSL_want_nothing(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- if (ssl->err)
- return 1;
-
- return (SSL_want(ssl) == SSL_NOTHING);
-}
-
-/**
- * @brief check if SSL want to read
- */
-int SSL_want_read(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- if (ssl->err)
- return 0;
-
- return (SSL_want(ssl) == SSL_READING);
-}
-
-/**
- * @brief check if SSL want to write
- */
-int SSL_want_write(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- if (ssl->err)
- return 0;
-
- return (SSL_want(ssl) == SSL_WRITING);
-}
-
-/**
- * @brief check if SSL want to lookup X509 certification
- */
-int SSL_want_x509_lookup(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return (SSL_want(ssl) == SSL_WRITING);
-}
-
-/**
- * @brief get SSL error code
- */
-int SSL_get_error(const SSL *ssl, int ret_code)
-{
- int ret = SSL_ERROR_SYSCALL;
-
- SSL_ASSERT1(ssl);
-
- if (ret_code > 0)
- ret = SSL_ERROR_NONE;
- else if (ret_code < 0)
- {
- if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl))
- ret = SSL_ERROR_WANT_READ;
- else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl))
- ret = SSL_ERROR_WANT_WRITE;
- else
- ret = SSL_ERROR_SYSCALL; //unknown
- }
- else // ret_code == 0
- {
- if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
- ret = SSL_ERROR_ZERO_RETURN;
- else
- ret = SSL_ERROR_SYSCALL;
- }
-
- return ret;
-}
-
-/**
- * @brief get the SSL state
- */
-OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
-{
- OSSL_HANDSHAKE_STATE state;
-
- SSL_ASSERT1(ssl);
-
- state = SSL_METHOD_CALL(get_state, ssl);
-
- return state;
-}
-
-/**
- * @brief create a SSL context
- */
-SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
-{
- SSL_CTX *ctx;
- CERT *cert;
- X509 *client_ca;
-
- if (!method) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
- return NULL;
- }
-
- client_ca = X509_new();
- if (!client_ca) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
- goto failed1;
- }
-
- cert = ssl_cert_new();
- if (!cert) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
- goto failed2;
- }
-
- ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
- if (!ctx) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
- goto failed3;
- }
-
- ctx->method = method;
- ctx->client_CA = client_ca;
- ctx->cert = cert;
-
- ctx->version = method->version;
-
- return ctx;
-
-failed3:
- ssl_cert_free(cert);
-failed2:
- X509_free(client_ca);
-failed1:
- return NULL;
-}
-
-/**
- * @brief free a SSL context
- */
-void SSL_CTX_free(SSL_CTX* ctx)
-{
- SSL_ASSERT3(ctx);
-
- ssl_cert_free(ctx->cert);
-
- X509_free(ctx->client_CA);
-
- if (ctx->alpn_protos)
- ssl_mem_free(ctx->alpn_protos);
-
- ssl_mem_free(ctx);
-}
-
-/**
- * @brief set the SSL context version
- */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
-{
- SSL_ASSERT1(ctx);
- SSL_ASSERT1(meth);
-
- ctx->method = meth;
-
- ctx->version = meth->version;
-
- return 1;
-}
-
-/**
- * @brief get the SSL context current method
- */
-const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
-{
- SSL_ASSERT2(ctx);
-
- return ctx->method;
-}
-
-/**
- * @brief create a SSL
- */
-SSL *SSL_new(SSL_CTX *ctx)
-{
- int ret = 0;
- SSL *ssl;
-
- if (!ctx) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
- return NULL;
- }
-
- ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
- if (!ssl) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
- goto failed1;
- }
-
- ssl->session = SSL_SESSION_new();
- if (!ssl->session) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
- goto failed2;
- }
-
- ssl->cert = __ssl_cert_new(ctx->cert);
- if (!ssl->cert) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
- goto failed3;
- }
-
- ssl->client_CA = __X509_new(ctx->client_CA);
- if (!ssl->client_CA) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
- goto failed4;
- }
-
- ssl->ctx = ctx;
- ssl->method = ctx->method;
-
- ssl->version = ctx->version;
- ssl->options = ctx->options;
-
- ssl->verify_mode = ctx->verify_mode;
-
- ret = SSL_METHOD_CALL(new, ssl);
- if (ret) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
- goto failed5;
- }
-
- _ssl_set_alpn_list(ssl);
-
- ssl->rwstate = SSL_NOTHING;
-
- return ssl;
-
-failed5:
- X509_free(ssl->client_CA);
-failed4:
- ssl_cert_free(ssl->cert);
-failed3:
- SSL_SESSION_free(ssl->session);
-failed2:
- ssl_mem_free(ssl);
-failed1:
- return NULL;
-}
-
-/**
- * @brief free the SSL
- */
-void SSL_free(SSL *ssl)
-{
- SSL_ASSERT3(ssl);
-
- SSL_METHOD_CALL(free, ssl);
-
- X509_free(ssl->client_CA);
-
- ssl_cert_free(ssl->cert);
-
- SSL_SESSION_free(ssl->session);
-
- if (ssl->alpn_protos)
- ssl_mem_free(ssl->alpn_protos);
-
- ssl_mem_free(ssl);
-}
-
-/**
- * @brief perform the SSL handshake
- */
-int SSL_do_handshake(SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_METHOD_CALL(handshake, ssl);
-
- return ret;
-}
-
-/**
- * @brief connect to the remote SSL server
- */
-int SSL_connect(SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return SSL_do_handshake(ssl);
-}
-
-/**
- * @brief accept the remote connection
- */
-int SSL_accept(SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return SSL_do_handshake(ssl);
-}
-
-/**
- * @brief shutdown the connection
- */
-int SSL_shutdown(SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
-
- ret = SSL_METHOD_CALL(shutdown, ssl);
-
- return ret;
-}
-
-/**
- * @brief reset the SSL
- */
-int SSL_clear(SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_shutdown(ssl);
- if (1 != ret) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
- goto failed1;
- }
-
- SSL_METHOD_CALL(free, ssl);
-
- ret = SSL_METHOD_CALL(new, ssl);
- if (!ret) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
- goto failed1;
- }
-
- return 1;
-
-failed1:
- return ret;
-}
-
-/**
- * @brief read data from to remote
- */
-int SSL_read(SSL *ssl, void *buffer, int len)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(buffer);
- SSL_ASSERT1(len);
-
- ssl->rwstate = SSL_READING;
-
- ret = SSL_METHOD_CALL(read, ssl, buffer, len);
-
- if (ret == len)
- ssl->rwstate = SSL_NOTHING;
-
- return ret;
-}
-
-/**
- * @brief send the data to remote
- */
-int SSL_write(SSL *ssl, const void *buffer, int len)
-{
- int ret;
- int send_bytes, bytes;
- const unsigned char *pbuf;
-
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(buffer);
- SSL_ASSERT1(len);
-
- ssl->rwstate = SSL_WRITING;
-
- send_bytes = len;
- pbuf = (const unsigned char *)buffer;
-
- do {
- if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
- bytes = SSL_SEND_DATA_MAX_LENGTH;
- else
- bytes = send_bytes;
-
- if (ssl->interrupted_remaining_write) {
- bytes = ssl->interrupted_remaining_write;
- ssl->interrupted_remaining_write = 0;
- }
-
- ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
- //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes);
- /* the return is a NEGATIVE OpenSSL error code, or the length sent */
- if (ret > 0) {
- pbuf += ret;
- send_bytes -= ret;
- } else
- ssl->interrupted_remaining_write = bytes;
- } while (ret > 0 && send_bytes && ret == bytes);
-
- if (ret >= 0) {
- ret = len - send_bytes;
- if (!ret)
- ssl->rwstate = SSL_NOTHING;
- } else {
- if (send_bytes == len)
- ret = -1;
- else
- ret = len - send_bytes;
- }
-
- return ret;
-}
-
-/**
- * @brief get SSL context of the SSL
- */
-SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
-{
- SSL_ASSERT2(ssl);
-
- return ssl->ctx;
-}
-
-/**
- * @brief get the SSL current method
- */
-const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
-{
- SSL_ASSERT2(ssl);
-
- return ssl->method;
-}
-
-/**
- * @brief set the SSL method
- */
-int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(method);
-
- if (ssl->version != method->version) {
-
- ret = SSL_shutdown(ssl);
- if (1 != ret) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
- goto failed1;
- }
-
- SSL_METHOD_CALL(free, ssl);
-
- ssl->method = method;
-
- ret = SSL_METHOD_CALL(new, ssl);
- if (!ret) {
- SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
- goto failed1;
- }
- } else {
- ssl->method = method;
- }
-
-
- return 1;
-
-failed1:
- return ret;
-}
-
-/**
- * @brief get SSL shutdown mode
- */
-int SSL_get_shutdown(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->shutdown;
-}
-
-/**
- * @brief set SSL shutdown mode
- */
-void SSL_set_shutdown(SSL *ssl, int mode)
-{
- SSL_ASSERT3(ssl);
-
- ssl->shutdown = mode;
-}
-
-
-/**
- * @brief get the number of the bytes to be read
- */
-int SSL_pending(const SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_METHOD_CALL(pending, ssl);
-
- return ret;
-}
-
-/**
- * @brief check if some data can be read
- */
-int SSL_has_pending(const SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- if (SSL_pending(ssl))
- ret = 1;
- else
- ret = 0;
-
- return ret;
-}
-
-/**
- * @brief clear the SSL context option bit of "op"
- */
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->options &= ~op;
-}
-
-/**
- * @brief get the SSL context option
- */
-unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->options;
-}
-
-/**
- * @brief set the option of the SSL context
- */
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->options |= opt;
-}
-
-/**
- * @brief clear SSL option
- */
-unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->options & ~op;
-}
-
-/**
- * @brief get SSL option
- */
-unsigned long SSL_get_options(SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->options;
-}
-
-/**
- * @brief clear SSL option
- */
-unsigned long SSL_set_options(SSL *ssl, unsigned long op)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->options |= op;
-}
-
-/**
- * @brief get the socket handle of the SSL
- */
-int SSL_get_fd(const SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_METHOD_CALL(get_fd, ssl, 0);
-
- return ret;
-}
-
-/**
- * @brief get the read only socket handle of the SSL
- */
-int SSL_get_rfd(const SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_METHOD_CALL(get_fd, ssl, 0);
-
- return ret;
-}
-
-/**
- * @brief get the write only socket handle of the SSL
- */
-int SSL_get_wfd(const SSL *ssl)
-{
- int ret;
-
- SSL_ASSERT1(ssl);
-
- ret = SSL_METHOD_CALL(get_fd, ssl, 0);
-
- return ret;
-}
-
-/**
- * @brief bind the socket file description into the SSL
- */
-int SSL_set_fd(SSL *ssl, int fd)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(fd >= 0);
-
- SSL_METHOD_CALL(set_fd, ssl, fd, 0);
-
- return 1;
-}
-
-/**
- * @brief bind the read only socket file description into the SSL
- */
-int SSL_set_rfd(SSL *ssl, int fd)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(fd >= 0);
-
- SSL_METHOD_CALL(set_fd, ssl, fd, 0);
-
- return 1;
-}
-
-/**
- * @brief bind the write only socket file description into the SSL
- */
-int SSL_set_wfd(SSL *ssl, int fd)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(fd >= 0);
-
- SSL_METHOD_CALL(set_fd, ssl, fd, 0);
-
- return 1;
-}
-
-/**
- * @brief get SSL version
- */
-int SSL_version(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->version;
-}
-
-/**
- * @brief get the SSL version string
- */
-static const char* ssl_protocol_to_string(int version)
-{
- const char *str;
-
- if (version == TLS1_2_VERSION)
- str = "TLSv1.2";
- else if (version == TLS1_1_VERSION)
- str = "TLSv1.1";
- else if (version == TLS1_VERSION)
- str = "TLSv1";
- else if (version == SSL3_VERSION)
- str = "SSLv3";
- else
- str = "unknown";
-
- return str;
-}
-
-/**
- * @brief get the SSL current version
- */
-const char *SSL_get_version(const SSL *ssl)
-{
- SSL_ASSERT2(ssl);
-
- return ssl_protocol_to_string(SSL_version(ssl));
-}
-
-/**
- * @brief get alert description string
- */
-const char* SSL_alert_desc_string(int value)
-{
- const char *str;
-
- switch (value & 0xff)
- {
- case SSL3_AD_CLOSE_NOTIFY:
- str = "CN";
- break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
- str = "UM";
- break;
- case SSL3_AD_BAD_RECORD_MAC:
- str = "BM";
- break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
- str = "DF";
- break;
- case SSL3_AD_HANDSHAKE_FAILURE:
- str = "HF";
- break;
- case SSL3_AD_NO_CERTIFICATE:
- str = "NC";
- break;
- case SSL3_AD_BAD_CERTIFICATE:
- str = "BC";
- break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
- str = "UC";
- break;
- case SSL3_AD_CERTIFICATE_REVOKED:
- str = "CR";
- break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
- str = "CE";
- break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
- str = "CU";
- break;
- case SSL3_AD_ILLEGAL_PARAMETER:
- str = "IP";
- break;
- case TLS1_AD_DECRYPTION_FAILED:
- str = "DC";
- break;
- case TLS1_AD_RECORD_OVERFLOW:
- str = "RO";
- break;
- case TLS1_AD_UNKNOWN_CA:
- str = "CA";
- break;
- case TLS1_AD_ACCESS_DENIED:
- str = "AD";
- break;
- case TLS1_AD_DECODE_ERROR:
- str = "DE";
- break;
- case TLS1_AD_DECRYPT_ERROR:
- str = "CY";
- break;
- case TLS1_AD_EXPORT_RESTRICTION:
- str = "ER";
- break;
- case TLS1_AD_PROTOCOL_VERSION:
- str = "PV";
- break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
- str = "IS";
- break;
- case TLS1_AD_INTERNAL_ERROR:
- str = "IE";
- break;
- case TLS1_AD_USER_CANCELLED:
- str = "US";
- break;
- case TLS1_AD_NO_RENEGOTIATION:
- str = "NR";
- break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
- str = "UE";
- break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
- str = "CO";
- break;
- case TLS1_AD_UNRECOGNIZED_NAME:
- str = "UN";
- break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
- str = "BR";
- break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
- str = "BH";
- break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
- str = "UP";
- break;
- default:
- str = "UK";
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get alert description long string
- */
-const char* SSL_alert_desc_string_long(int value)
-{
- const char *str;
-
- switch (value & 0xff)
- {
- case SSL3_AD_CLOSE_NOTIFY:
- str = "close notify";
- break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
- str = "unexpected_message";
- break;
- case SSL3_AD_BAD_RECORD_MAC:
- str = "bad record mac";
- break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
- str = "decompression failure";
- break;
- case SSL3_AD_HANDSHAKE_FAILURE:
- str = "handshake failure";
- break;
- case SSL3_AD_NO_CERTIFICATE:
- str = "no certificate";
- break;
- case SSL3_AD_BAD_CERTIFICATE:
- str = "bad certificate";
- break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
- str = "unsupported certificate";
- break;
- case SSL3_AD_CERTIFICATE_REVOKED:
- str = "certificate revoked";
- break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
- str = "certificate expired";
- break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
- str = "certificate unknown";
- break;
- case SSL3_AD_ILLEGAL_PARAMETER:
- str = "illegal parameter";
- break;
- case TLS1_AD_DECRYPTION_FAILED:
- str = "decryption failed";
- break;
- case TLS1_AD_RECORD_OVERFLOW:
- str = "record overflow";
- break;
- case TLS1_AD_UNKNOWN_CA:
- str = "unknown CA";
- break;
- case TLS1_AD_ACCESS_DENIED:
- str = "access denied";
- break;
- case TLS1_AD_DECODE_ERROR:
- str = "decode error";
- break;
- case TLS1_AD_DECRYPT_ERROR:
- str = "decrypt error";
- break;
- case TLS1_AD_EXPORT_RESTRICTION:
- str = "export restriction";
- break;
- case TLS1_AD_PROTOCOL_VERSION:
- str = "protocol version";
- break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
- str = "insufficient security";
- break;
- case TLS1_AD_INTERNAL_ERROR:
- str = "internal error";
- break;
- case TLS1_AD_USER_CANCELLED:
- str = "user canceled";
- break;
- case TLS1_AD_NO_RENEGOTIATION:
- str = "no renegotiation";
- break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
- str = "unsupported extension";
- break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
- str = "certificate unobtainable";
- break;
- case TLS1_AD_UNRECOGNIZED_NAME:
- str = "unrecognized name";
- break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
- str = "bad certificate status response";
- break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
- str = "bad certificate hash value";
- break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
- str = "unknown PSK identity";
- break;
- default:
- str = "unknown";
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get alert type string
- */
-const char *SSL_alert_type_string(int value)
-{
- const char *str;
-
- switch (value >> 8)
- {
- case SSL3_AL_WARNING:
- str = "W";
- break;
- case SSL3_AL_FATAL:
- str = "F";
- break;
- default:
- str = "U";
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get alert type long string
- */
-const char *SSL_alert_type_string_long(int value)
-{
- const char *str;
-
- switch (value >> 8)
- {
- case SSL3_AL_WARNING:
- str = "warning";
- break;
- case SSL3_AL_FATAL:
- str = "fatal";
- break;
- default:
- str = "unknown";
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get the state string where SSL is reading
- */
-const char *SSL_rstate_string(SSL *ssl)
-{
- const char *str;
-
- SSL_ASSERT2(ssl);
-
- switch (ssl->rlayer.rstate)
- {
- case SSL_ST_READ_HEADER:
- str = "RH";
- break;
- case SSL_ST_READ_BODY:
- str = "RB";
- break;
- case SSL_ST_READ_DONE:
- str = "RD";
- break;
- default:
- str = "unknown";
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get the statement long string where SSL is reading
- */
-const char *SSL_rstate_string_long(SSL *ssl)
-{
- const char *str = "unknown";
-
- SSL_ASSERT2(ssl);
-
- switch (ssl->rlayer.rstate)
- {
- case SSL_ST_READ_HEADER:
- str = "read header";
- break;
- case SSL_ST_READ_BODY:
- str = "read body";
- break;
- case SSL_ST_READ_DONE:
- str = "read done";
- break;
- default:
- break;
- }
-
- return str;
-}
-
-/**
- * @brief get SSL statement string
- */
-char *SSL_state_string(const SSL *ssl)
-{
- char *str = "UNKWN ";
-
- SSL_ASSERT2(ssl);
-
- if (ossl_statem_in_error(ssl))
- str = "SSLERR";
- else
- {
- switch (SSL_get_state(ssl))
- {
- case TLS_ST_BEFORE:
- str = "PINIT ";
- break;
- case TLS_ST_OK:
- str = "SSLOK ";
- break;
- case TLS_ST_CW_CLNT_HELLO:
- str = "TWCH";
- break;
- case TLS_ST_CR_SRVR_HELLO:
- str = "TRSH";
- break;
- case TLS_ST_CR_CERT:
- str = "TRSC";
- break;
- case TLS_ST_CR_KEY_EXCH:
- str = "TRSKE";
- break;
- case TLS_ST_CR_CERT_REQ:
- str = "TRCR";
- break;
- case TLS_ST_CR_SRVR_DONE:
- str = "TRSD";
- break;
- case TLS_ST_CW_CERT:
- str = "TWCC";
- break;
- case TLS_ST_CW_KEY_EXCH:
- str = "TWCKE";
- break;
- case TLS_ST_CW_CERT_VRFY:
- str = "TWCV";
- break;
- case TLS_ST_SW_CHANGE:
- case TLS_ST_CW_CHANGE:
- str = "TWCCS";
- break;
- case TLS_ST_SW_FINISHED:
- case TLS_ST_CW_FINISHED:
- str = "TWFIN";
- break;
- case TLS_ST_SR_CHANGE:
- case TLS_ST_CR_CHANGE:
- str = "TRCCS";
- break;
- case TLS_ST_SR_FINISHED:
- case TLS_ST_CR_FINISHED:
- str = "TRFIN";
- break;
- case TLS_ST_SW_HELLO_REQ:
- str = "TWHR";
- break;
- case TLS_ST_SR_CLNT_HELLO:
- str = "TRCH";
- break;
- case TLS_ST_SW_SRVR_HELLO:
- str = "TWSH";
- break;
- case TLS_ST_SW_CERT:
- str = "TWSC";
- break;
- case TLS_ST_SW_KEY_EXCH:
- str = "TWSKE";
- break;
- case TLS_ST_SW_CERT_REQ:
- str = "TWCR";
- break;
- case TLS_ST_SW_SRVR_DONE:
- str = "TWSD";
- break;
- case TLS_ST_SR_CERT:
- str = "TRCC";
- break;
- case TLS_ST_SR_KEY_EXCH:
- str = "TRCKE";
- break;
- case TLS_ST_SR_CERT_VRFY:
- str = "TRCV";
- break;
- case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
- str = "DRCHV";
- break;
- case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- str = "DWCHV";
- break;
- default:
- break;
- }
- }
-
- return str;
-}
-
-/**
- * @brief get SSL statement long string
- */
-char *SSL_state_string_long(const SSL *ssl)
-{
- char *str = "UNKWN ";
-
- SSL_ASSERT2(ssl);
-
- if (ossl_statem_in_error(ssl))
- str = "SSLERR";
- else
- {
- switch (SSL_get_state(ssl))
- {
- case TLS_ST_BEFORE:
- str = "before SSL initialization";
- break;
- case TLS_ST_OK:
- str = "SSL negotiation finished successfully";
- break;
- case TLS_ST_CW_CLNT_HELLO:
- str = "SSLv3/TLS write client hello";
- break;
- case TLS_ST_CR_SRVR_HELLO:
- str = "SSLv3/TLS read server hello";
- break;
- case TLS_ST_CR_CERT:
- str = "SSLv3/TLS read server certificate";
- break;
- case TLS_ST_CR_KEY_EXCH:
- str = "SSLv3/TLS read server key exchange";
- break;
- case TLS_ST_CR_CERT_REQ:
- str = "SSLv3/TLS read server certificate request";
- break;
- case TLS_ST_CR_SESSION_TICKET:
- str = "SSLv3/TLS read server session ticket";
- break;
- case TLS_ST_CR_SRVR_DONE:
- str = "SSLv3/TLS read server done";
- break;
- case TLS_ST_CW_CERT:
- str = "SSLv3/TLS write client certificate";
- break;
- case TLS_ST_CW_KEY_EXCH:
- str = "SSLv3/TLS write client key exchange";
- break;
- case TLS_ST_CW_CERT_VRFY:
- str = "SSLv3/TLS write certificate verify";
- break;
- case TLS_ST_CW_CHANGE:
- case TLS_ST_SW_CHANGE:
- str = "SSLv3/TLS write change cipher spec";
- break;
- case TLS_ST_CW_FINISHED:
- case TLS_ST_SW_FINISHED:
- str = "SSLv3/TLS write finished";
- break;
- case TLS_ST_CR_CHANGE:
- case TLS_ST_SR_CHANGE:
- str = "SSLv3/TLS read change cipher spec";
- break;
- case TLS_ST_CR_FINISHED:
- case TLS_ST_SR_FINISHED:
- str = "SSLv3/TLS read finished";
- break;
- case TLS_ST_SR_CLNT_HELLO:
- str = "SSLv3/TLS read client hello";
- break;
- case TLS_ST_SW_HELLO_REQ:
- str = "SSLv3/TLS write hello request";
- break;
- case TLS_ST_SW_SRVR_HELLO:
- str = "SSLv3/TLS write server hello";
- break;
- case TLS_ST_SW_CERT:
- str = "SSLv3/TLS write certificate";
- break;
- case TLS_ST_SW_KEY_EXCH:
- str = "SSLv3/TLS write key exchange";
- break;
- case TLS_ST_SW_CERT_REQ:
- str = "SSLv3/TLS write certificate request";
- break;
- case TLS_ST_SW_SESSION_TICKET:
- str = "SSLv3/TLS write session ticket";
- break;
- case TLS_ST_SW_SRVR_DONE:
- str = "SSLv3/TLS write server done";
- break;
- case TLS_ST_SR_CERT:
- str = "SSLv3/TLS read client certificate";
- break;
- case TLS_ST_SR_KEY_EXCH:
- str = "SSLv3/TLS read client key exchange";
- break;
- case TLS_ST_SR_CERT_VRFY:
- str = "SSLv3/TLS read certificate verify";
- break;
- case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
- str = "DTLS1 read hello verify request";
- break;
- case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- str = "DTLS1 write hello verify request";
- break;
- default:
- break;
- }
- }
-
- return str;
-}
-
-/**
- * @brief set the SSL context read buffer length
- */
-void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
-{
- SSL_ASSERT3(ctx);
-
- ctx->read_buffer_len = len;
-}
-
-/**
- * @brief set the SSL read buffer length
- */
-void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
-{
- SSL_ASSERT3(ssl);
- SSL_ASSERT3(len);
-
- SSL_METHOD_CALL(set_bufflen, ssl, len);
-}
-
-/**
- * @brief set the SSL information callback function
- */
-void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
-{
- SSL_ASSERT3(ssl);
-
- ssl->info_callback = cb;
-}
-
-/**
- * @brief add SSL context reference count by '1'
- */
-int SSL_CTX_up_ref(SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- /**
- * no support multi-thread SSL here
- */
- ctx->references++;
-
- return 1;
-}
-
-/**
- * @brief set the SSL security level
- */
-void SSL_set_security_level(SSL *ssl, int level)
-{
- SSL_ASSERT3(ssl);
-
- ssl->cert->sec_level = level;
-}
-
-/**
- * @brief get the SSL security level
- */
-int SSL_get_security_level(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->cert->sec_level;
-}
-
-/**
- * @brief get the SSL verifying mode of the SSL context
- */
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->verify_mode;
-}
-
-/**
- * @brief set the session timeout time
- */
-long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
-{
- long l;
-
- SSL_ASSERT1(ctx);
-
- l = ctx->session_timeout;
- ctx->session_timeout = t;
-
- return l;
-}
-
-/**
- * @brief get the session timeout time
- */
-long SSL_CTX_get_timeout(const SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->session_timeout;
-}
-
-/**
- * @brief set the SSL if we can read as many as data
- */
-void SSL_set_read_ahead(SSL *ssl, int yes)
-{
- SSL_ASSERT3(ssl);
-
- ssl->rlayer.read_ahead = yes;
-}
-
-/**
- * @brief set the SSL context if we can read as many as data
- */
-void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
-{
- SSL_ASSERT3(ctx);
-
- ctx->read_ahead = yes;
-}
-
-/**
- * @brief get the SSL ahead signal if we can read as many as data
- */
-int SSL_get_read_ahead(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->rlayer.read_ahead;
-}
-
-/**
- * @brief get the SSL context ahead signal if we can read as many as data
- */
-long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->read_ahead;
-}
-
-/**
- * @brief check if the SSL context can read as many as data
- */
-long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->read_ahead;
-}
-
-/**
- * @brief set SSL session time
- */
-long SSL_set_time(SSL *ssl, long t)
-{
- SSL_ASSERT1(ssl);
-
- ssl->session->time = t;
-
- return t;
-}
-
-/**
- * @brief set SSL session timeout time
- */
-long SSL_set_timeout(SSL *ssl, long t)
-{
- SSL_ASSERT1(ssl);
-
- ssl->session->timeout = t;
-
- return t;
-}
-
-/**
- * @brief get the verifying result of the SSL certification
- */
-long SSL_get_verify_result(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return SSL_METHOD_CALL(get_verify_result, ssl);
-}
-
-/**
- * @brief get the SSL verifying depth of the SSL context
- */
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
-{
- SSL_ASSERT1(ctx);
-
- return ctx->param.depth;
-}
-
-/**
- * @brief set the SSL verify depth of the SSL context
- */
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
-{
- SSL_ASSERT3(ctx);
-
- ctx->param.depth = depth;
-}
-
-/**
- * @brief get the SSL verifying depth of the SSL
- */
-int SSL_get_verify_depth(const SSL *ssl)
-{
- SSL_ASSERT1(ssl);
-
- return ssl->param.depth;
-}
-
-/**
- * @brief set the SSL verify depth of the SSL
- */
-void SSL_set_verify_depth(SSL *ssl, int depth)
-{
- SSL_ASSERT3(ssl);
-
- ssl->param.depth = depth;
-}
-
-/**
- * @brief set the SSL context verifying of the SSL context
- */
-void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
-{
- SSL_ASSERT3(ctx);
-
- ctx->verify_mode = mode;
- ctx->default_verify_callback = verify_callback;
-}
-
-/**
- * @brief set the SSL verifying of the SSL context
- */
-void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
-{
- SSL_ASSERT3(ssl);
-
- ssl->verify_mode = mode;
- ssl->verify_callback = verify_callback;
-}
-
-void ERR_error_string_n(unsigned long e, char *buf, size_t len)
-{
- lws_strncpy(buf, "unknown", len);
-}
-
-void ERR_free_strings(void)
-{
-}
-
-char *ERR_error_string(unsigned long e, char *buf)
-{
- if (!buf)
- return "unknown";
-
- switch(e) {
- case X509_V_ERR_INVALID_CA:
- strcpy(buf, "CA is not trusted");
- break;
- case X509_V_ERR_HOSTNAME_MISMATCH:
- strcpy(buf, "Hostname mismatch");
- break;
- case X509_V_ERR_CA_KEY_TOO_SMALL:
- strcpy(buf, "CA key too small");
- break;
- case X509_V_ERR_CA_MD_TOO_WEAK:
- strcpy(buf, "MD key too weak");
- break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- strcpy(buf, "Cert from the future");
- break;
- case X509_V_ERR_CERT_HAS_EXPIRED:
- strcpy(buf, "Cert expired");
- break;
- default:
- strcpy(buf, "unknown");
- break;
- }
-
- return buf;
-}
-
-void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
-{
- return NULL;
-}
-
-/*
- * Openssl wants the valid protocol names supplied like this:
- *
- * (unsigned char *)"\x02h2\x08http/1.1", 6 + 9
- *
- * Mbedtls wants this:
- *
- * Pointer to a NULL-terminated list of supported protocols, in decreasing
- * preference order. The pointer to the list is recorded by the library for
- * later reference as required, so the lifetime of the table must be at least
- * as long as the lifetime of the SSL configuration structure.
- *
- * So accept the OpenSSL style and convert to mbedtls style
- */
-
-struct alpn_ctx {
- unsigned char data[23];
- unsigned char len;
-};
-
-static void
-_openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)
-{
- unsigned char *p = ac->data, *q;
- unsigned char len;
- char **alpn_protos;
- int count = 0;
-
- /* find out how many entries he gave us */
-
- len = *p++;
- while (p - ac->data < ac->len) {
- if (len--) {
- p++;
- continue;
- }
- count++;
- len = *p++;
- if (!len)
- break;
- }
-
- if (!len)
- count++;
-
- if (!count)
- return;
-
- /* allocate space for count + 1 pointers and the data afterwards */
-
- alpn_protos = ssl_mem_zalloc((count + 1) * sizeof(char *) + ac->len + 1);
- if (!alpn_protos)
- return;
-
- *palpn_protos = alpn_protos;
-
- /* convert to mbedtls format */
-
- q = (unsigned char *)alpn_protos + (count + 1) * sizeof(char *);
- p = ac->data;
- count = 0;
-
- len = *p++;
- alpn_protos[count] = (char *)q;
- while (p - ac->data < ac->len) {
- if (len--) {
- *q++ = *p++;
- continue;
- }
- *q++ = '\0';
- count++;
- len = *p++;
- alpn_protos[count] = (char *)q;
- if (!len)
- break;
- }
- if (!len) {
- *q++ = '\0';
- count++;
- len = *p++;
- alpn_protos[count] = (char *)q;
- }
- alpn_protos[count] = NULL; /* last pointer ends list with NULL */
-}
-
-void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg)
-{
- struct alpn_ctx *ac = arg;
-
- ctx->alpn_cb = cb;
-
- _openssl_alpn_to_mbedtls(ac, (char ***)&ctx->alpn_protos);
-}
-
-void SSL_set_alpn_select_cb(SSL *ssl, void *arg)
-{
- struct alpn_ctx *ac = arg;
-
- _openssl_alpn_to_mbedtls(ac, (char ***)&ssl->alpn_protos);
-
- _ssl_set_alpn_list(ssl);
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c
deleted file mode 100644
index 0002360846..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_methods.h"
-#include "ssl_pm.h"
-
-/**
- * TLS method function collection
- */
-IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
- ssl_pm_new, ssl_pm_free,
- ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear,
- ssl_pm_read, ssl_pm_send, ssl_pm_pending,
- ssl_pm_set_fd, ssl_pm_get_fd,
- ssl_pm_set_bufflen,
- ssl_pm_get_verify_result,
- ssl_pm_get_state);
-
-/**
- * TLS or SSL client method collection
- */
-IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 0, TLS_method_func, TLS_client_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 0, TLS_method_func, TLSv1_2_client_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 0, TLS_method_func, TLSv1_1_client_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_client_method);
-
-IMPLEMENT_SSL_METHOD(SSL3_VERSION, 0, TLS_method_func, SSLv3_client_method);
-
-/**
- * TLS or SSL server method collection
- */
-IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 1, TLS_method_func, TLS_server_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 1, TLS_method_func, TLSv1_1_server_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 1, TLS_method_func, TLSv1_2_server_method);
-
-IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_server_method);
-
-IMPLEMENT_SSL_METHOD(SSL3_VERSION, 1, TLS_method_func, SSLv3_server_method);
-
-/**
- * TLS or SSL method collection
- */
-IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, -1, TLS_method_func, TLS_method);
-
-IMPLEMENT_SSL_METHOD(TLS1_2_VERSION, -1, TLS_method_func, TLSv1_2_method);
-
-IMPLEMENT_SSL_METHOD(TLS1_1_VERSION, -1, TLS_method_func, TLSv1_1_method);
-
-IMPLEMENT_SSL_METHOD(TLS1_VERSION, -1, TLS_method_func, TLSv1_method);
-
-IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method);
-
-/**
- * @brief get X509 object method
- */
-IMPLEMENT_X509_METHOD(X509_method,
- x509_pm_new, x509_pm_free,
- x509_pm_load, x509_pm_show_info);
-
-/**
- * @brief get private key object method
- */
-IMPLEMENT_PKEY_METHOD(EVP_PKEY_method,
- pkey_pm_new, pkey_pm_free,
- pkey_pm_load);
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_pkey.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_pkey.c
deleted file mode 100644
index 567a33e2c2..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_pkey.c
+++ /dev/null
@@ -1,239 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_pkey.h"
-#include "ssl_methods.h"
-#include "ssl_dbg.h"
-#include "ssl_port.h"
-
-/**
- * @brief create a private key object according to input private key
- */
-EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk)
-{
- int ret;
- EVP_PKEY *pkey;
-
- pkey = ssl_mem_zalloc(sizeof(EVP_PKEY));
- if (!pkey) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "no enough memory > (pkey)");
- goto no_mem;
- }
-
- if (ipk) {
- pkey->method = ipk->method;
- } else {
- pkey->method = EVP_PKEY_method();
- }
-
- ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk);
- if (ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret);
- goto failed;
- }
-
- return pkey;
-
-failed:
- ssl_mem_free(pkey);
-no_mem:
- return NULL;
-}
-
-/**
- * @brief create a private key object
- */
-EVP_PKEY* EVP_PKEY_new(void)
-{
- return __EVP_PKEY_new(NULL);
-}
-
-/**
- * @brief free a private key object
- */
-void EVP_PKEY_free(EVP_PKEY *pkey)
-{
- SSL_ASSERT3(pkey);
-
- EVP_PKEY_METHOD_CALL(free, pkey);
-
- ssl_mem_free(pkey);
-}
-
-/**
- * @brief load a character key context into system context. If '*a' is pointed to the
- * private key, then load key into it. Or create a new private key object
- */
-EVP_PKEY *d2i_PrivateKey(int type,
- EVP_PKEY **a,
- const unsigned char **pp,
- long length)
-{
- int m = 0;
- int ret;
- EVP_PKEY *pkey;
-
- SSL_ASSERT2(pp);
- SSL_ASSERT2(*pp);
- SSL_ASSERT2(length);
-
- if (a && *a) {
- pkey = *a;
- } else {
- pkey = EVP_PKEY_new();;
- if (!pkey) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL");
- goto failed1;
- }
-
- m = 1;
- }
-
- ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length);
- if (ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(load) return %d", ret);
- goto failed2;
- }
-
- if (a)
- *a = pkey;
-
- return pkey;
-
-failed2:
- if (m)
- EVP_PKEY_free(pkey);
-failed1:
- return NULL;
-}
-
-/**
- * @brief set the SSL context private key
- */
-int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
-{
- SSL_ASSERT1(ctx);
- SSL_ASSERT1(pkey);
-
- if (ctx->cert->pkey == pkey)
- return 1;
-
- if (ctx->cert->pkey)
- EVP_PKEY_free(ctx->cert->pkey);
-
- ctx->cert->pkey = pkey;
-
- return 1;
-}
-
-/**
- * @brief set the SSL private key
- */
-int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(pkey);
-
- if (ssl->cert->pkey == pkey)
- return 1;
-
- if (ssl->cert->pkey)
- EVP_PKEY_free(ssl->cert->pkey);
-
- ssl->cert->pkey = pkey;
-
- return 1;
-}
-
-/**
- * @brief load private key into the SSL context
- */
-int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
- const unsigned char *d, long len)
-{
- int ret;
- EVP_PKEY *pk;
-
- pk = d2i_PrivateKey(0, NULL, &d, len);
- if (!pk) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
- goto failed1;
- }
-
- ret = SSL_CTX_use_PrivateKey(ctx, pk);
- if (!ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_PrivateKey() return %d", ret);
- goto failed2;
- }
-
- return 1;
-
-failed2:
- EVP_PKEY_free(pk);
-failed1:
- return 0;
-}
-
-/**
- * @brief load private key into the SSL
- */
-int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
- const unsigned char *d, long len)
-{
- int ret;
- EVP_PKEY *pk;
-
- pk = d2i_PrivateKey(0, NULL, &d, len);
- if (!pk) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
- goto failed1;
- }
-
- ret = SSL_use_PrivateKey(ssl, pk);
- if (!ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_PrivateKey() return %d", ret);
- goto failed2;
- }
-
- return 1;
-
-failed2:
- EVP_PKEY_free(pk);
-failed1:
- return 0;
-}
-
-/**
- * @brief load the private key file into SSL context
- */
-int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
- return 0;
-}
-
-/**
- * @brief load the private key file into SSL
- */
-int SSL_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
- return 0;
-}
-
-/**
- * @brief load the RSA ASN1 private key into SSL context
- */
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
-{
- return SSL_CTX_use_PrivateKey_ASN1(0, ctx, d, len);
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_stack.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_stack.c
deleted file mode 100644
index da836daf9c..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_stack.c
+++ /dev/null
@@ -1,74 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_stack.h"
-#include "ssl_dbg.h"
-#include "ssl_port.h"
-
-#ifndef CONFIG_MIN_NODES
- #define MIN_NODES 4
-#else
- #define MIN_NODES CONFIG_MIN_NODES
-#endif
-
-/**
- * @brief create a openssl stack object
- */
-OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
-{
- OPENSSL_STACK *stack;
- char **data;
-
- stack = ssl_mem_zalloc(sizeof(OPENSSL_STACK));
- if (!stack) {
- SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (stack)");
- goto no_mem1;
- }
-
- data = ssl_mem_zalloc(sizeof(*data) * MIN_NODES);
- if (!data) {
- SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (data)");
- goto no_mem2;
- }
-
- stack->data = data;
- stack->num_alloc = MIN_NODES;
- stack->c = c;
-
- return stack;
-
-no_mem2:
- ssl_mem_free(stack);
-no_mem1:
- return NULL;
-}
-
-/**
- * @brief create a NULL function openssl stack object
- */
-OPENSSL_STACK *OPENSSL_sk_new_null(void)
-{
- return OPENSSL_sk_new((OPENSSL_sk_compfunc)NULL);
-}
-
-/**
- * @brief free openssl stack object
- */
-void OPENSSL_sk_free(OPENSSL_STACK *stack)
-{
- SSL_ASSERT3(stack);
-
- ssl_mem_free(stack->data);
- ssl_mem_free(stack);
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_x509.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_x509.c
deleted file mode 100644
index ed79150831..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_x509.c
+++ /dev/null
@@ -1,354 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_x509.h"
-#include "ssl_methods.h"
-#include "ssl_dbg.h"
-#include "ssl_port.h"
-
-#include <assert.h>
-
-/**
- * @brief show X509 certification information
- */
-int __X509_show_info(X509 *x)
-{
- return X509_METHOD_CALL(show_info, x);
-}
-
-/**
- * @brief create a X509 certification object according to input X509 certification
- */
-X509* __X509_new(X509 *ix)
-{
- int ret;
- X509 *x;
-
- x = ssl_mem_zalloc(sizeof(X509));
- if (!x) {
- SSL_DEBUG(SSL_X509_ERROR_LEVEL, "no enough memory > (x)");
- goto no_mem;
- }
-
- if (ix)
- x->method = ix->method;
- else
- x->method = X509_method();
-
- ret = X509_METHOD_CALL(new, x, ix);
- if (ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(new) return %d", ret);
- goto failed;
- }
-
- return x;
-
-failed:
- ssl_mem_free(x);
-no_mem:
- return NULL;
-}
-
-/**
- * @brief create a X509 certification object
- */
-X509* X509_new(void)
-{
- return __X509_new(NULL);
-}
-
-/**
- * @brief free a X509 certification object
- */
-void X509_free(X509 *x)
-{
- SSL_ASSERT3(x);
-
- X509_METHOD_CALL(free, x);
-
- ssl_mem_free(x);
-};
-
-/**
- * @brief load a character certification context into system context. If '*cert' is pointed to the
- * certification, then load certification into it. Or create a new X509 certification object
- */
-X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
-{
- int m = 0;
- int ret;
- X509 *x;
-
- SSL_ASSERT2(buffer);
- SSL_ASSERT2(len);
-
- if (cert && *cert) {
- x = *cert;
- } else {
- x = X509_new();
- if (!x) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL");
- goto failed1;
- }
- m = 1;
- }
-
- ret = X509_METHOD_CALL(load, x, buffer, len);
- if (ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret);
- goto failed2;
- }
-
- return x;
-
-failed2:
- if (m)
- X509_free(x);
-failed1:
- return NULL;
-}
-
-/**
- * @brief return SSL X509 verify parameters
- */
-
-X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
-{
- return &ssl->param;
-}
-
-/**
- * @brief set X509 host verification flags
- */
-
-int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
- unsigned long flags)
-{
- /* flags not supported yet */
- return 0;
-}
-
-/**
- * @brief clear X509 host verification flags
- */
-
-int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
- unsigned long flags)
-{
- /* flags not supported yet */
- return 0;
-}
-
-/**
- * @brief set SSL context client CA certification
- */
-int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
-{
- SSL_ASSERT1(ctx);
- SSL_ASSERT1(x);
- assert(ctx);
- if (ctx->client_CA == x)
- return 1;
-
- X509_free(ctx->client_CA);
-
- ctx->client_CA = x;
-
- return 1;
-}
-
-/**
- * @brief add CA client certification into the SSL
- */
-int SSL_CTX_add_client_CA_ASN1(SSL_CTX *ctx, int len,
- const unsigned char *d)
-{
- X509 *x;
-
- x = d2i_X509(NULL, d, len);
- if (!x) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
- return 0;
- }
- SSL_ASSERT1(ctx);
-
- X509_free(ctx->client_CA);
-
- ctx->client_CA = x;
-
- return 1;
-}
-
-/**
- * @brief add CA client certification into the SSL
- */
-int SSL_add_client_CA(SSL *ssl, X509 *x)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(x);
-
- if (ssl->client_CA == x)
- return 1;
-
- X509_free(ssl->client_CA);
-
- ssl->client_CA = x;
-
- return 1;
-}
-
-/**
- * @brief set the SSL context certification
- */
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
-{
- SSL_ASSERT1(ctx);
- SSL_ASSERT1(x);
-
- if (ctx->cert->x509 == x)
- return 1;
-
- X509_free(ctx->cert->x509);
-
- ctx->cert->x509 = x;
-
- return 1;
-}
-
-/**
- * @brief set the SSL certification
- */
-int SSL_use_certificate(SSL *ssl, X509 *x)
-{
- SSL_ASSERT1(ssl);
- SSL_ASSERT1(x);
-
- if (ssl->cert->x509 == x)
- return 1;
-
- X509_free(ssl->cert->x509);
-
- ssl->cert->x509 = x;
-
- return 1;
-}
-
-/**
- * @brief get the SSL certification point
- */
-X509 *SSL_get_certificate(const SSL *ssl)
-{
- SSL_ASSERT2(ssl);
-
- return ssl->cert->x509;
-}
-
-/**
- * @brief load certification into the SSL context
- */
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
- const unsigned char *d)
-{
- int ret;
- X509 *x;
-
- x = d2i_X509(NULL, d, len);
- if (!x) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
- goto failed1;
- }
-
- ret = SSL_CTX_use_certificate(ctx, x);
- if (!ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret);
- goto failed2;
- }
-
- return 1;
-
-failed2:
- X509_free(x);
-failed1:
- return 0;
-}
-
-/**
- * @brief load certification into the SSL
- */
-int SSL_use_certificate_ASN1(SSL *ssl, int len,
- const unsigned char *d)
-{
- int ret;
- X509 *x;
-
- x = d2i_X509(NULL, d, len);
- if (!x) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
- goto failed1;
- }
-
- ret = SSL_use_certificate(ssl, x);
- if (!ret) {
- SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_certificate() return %d", ret);
- goto failed2;
- }
-
- return 1;
-
-failed2:
- X509_free(x);
-failed1:
- return 0;
-}
-
-/**
- * @brief load the certification file into SSL context
- */
-int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
-{
- return 0;
-}
-
-/**
- * @brief load the certification file into SSL
- */
-int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
-{
- return 0;
-}
-
-/**
- * @brief get peer certification
- */
-X509 *SSL_get_peer_certificate(const SSL *ssl)
-{
- SSL_ASSERT2(ssl);
-
- return ssl->session->peer;
-}
-
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
-{
- return X509_V_ERR_UNSPECIFIED;
-}
-
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
-{
- return 0;
-}
-
-const char *X509_verify_cert_error_string(long n)
-{
- return "unknown";
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
deleted file mode 100755
index 4716c1ff56..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ /dev/null
@@ -1,907 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_pm.h"
-#include "ssl_port.h"
-#include "ssl_dbg.h"
-
-/* mbedtls include */
-#include "mbedtls/platform.h"
-#include "mbedtls/net_sockets.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/error.h"
-#include "mbedtls/certs.h"
-
-#include <libwebsockets.h>
-
-#define X509_INFO_STRING_LENGTH 8192
-
-struct ssl_pm
-{
- /* local socket file description */
- mbedtls_net_context fd;
- /* remote client socket file description */
- mbedtls_net_context cl_fd;
-
- mbedtls_ssl_config conf;
-
- mbedtls_ctr_drbg_context ctr_drbg;
-
- mbedtls_ssl_context ssl;
-
- mbedtls_entropy_context entropy;
-
- SSL *owner;
-};
-
-struct x509_pm
-{
- mbedtls_x509_crt *x509_crt;
-
- mbedtls_x509_crt *ex_crt;
-};
-
-struct pkey_pm
-{
- mbedtls_pk_context *pkey;
-
- mbedtls_pk_context *ex_pkey;
-};
-
-unsigned int max_content_len;
-
-/*********************************************************************************************/
-/************************************ SSL arch interface *************************************/
-
-//#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
-
-/* mbedtls debug level */
-#define MBEDTLS_DEBUG_LEVEL 4
-
-/**
- * @brief mbedtls debug function
- */
-static void ssl_platform_debug(void *ctx, int level,
- const char *file, int line,
- const char *str)
-{
- /* Shorten 'file' from the whole file path to just the filename
-
- This is a bit wasteful because the macros are compiled in with
- the full _FILE_ path in each case.
- */
-// char *file_sep = rindex(file, '/');
- // if(file_sep)
- // file = file_sep + 1;
-
- printf("%s:%d %s", file, line, str);
-}
-//#endif
-
-/**
- * @brief create SSL low-level object
- */
-int ssl_pm_new(SSL *ssl)
-{
- struct ssl_pm *ssl_pm;
- int ret;
-
- const unsigned char pers[] = "OpenSSL PM";
- size_t pers_len = sizeof(pers);
-
- int endpoint;
- int version;
-
- const SSL_METHOD *method = ssl->method;
-
- ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
- if (!ssl_pm) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
- goto no_mem;
- }
-
- ssl_pm->owner = ssl;
-
- if (!ssl->ctx->read_buffer_len)
- ssl->ctx->read_buffer_len = 2048;
-
- max_content_len = ssl->ctx->read_buffer_len;
- // printf("ssl->ctx->read_buffer_len = %d ++++++++++++++++++++\n", ssl->ctx->read_buffer_len);
-
- mbedtls_net_init(&ssl_pm->fd);
- mbedtls_net_init(&ssl_pm->cl_fd);
-
- mbedtls_ssl_config_init(&ssl_pm->conf);
- mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg);
- mbedtls_entropy_init(&ssl_pm->entropy);
- mbedtls_ssl_init(&ssl_pm->ssl);
-
- ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
- goto mbedtls_err1;
- }
-
- if (method->endpoint) {
- endpoint = MBEDTLS_SSL_IS_SERVER;
- } else {
- endpoint = MBEDTLS_SSL_IS_CLIENT;
- }
- ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
- goto mbedtls_err2;
- }
-
- if (TLS_ANY_VERSION != ssl->version) {
- if (TLS1_2_VERSION == ssl->version)
- version = MBEDTLS_SSL_MINOR_VERSION_3;
- else if (TLS1_1_VERSION == ssl->version)
- version = MBEDTLS_SSL_MINOR_VERSION_2;
- else if (TLS1_VERSION == ssl->version)
- version = MBEDTLS_SSL_MINOR_VERSION_1;
- else
- version = MBEDTLS_SSL_MINOR_VERSION_0;
-
- mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
- mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
- } else {
- mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
- mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
- }
-
- mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
-
-//#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
- // mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
-// mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
-//#else
- mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
-//#endif
-
- ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
- goto mbedtls_err2;
- }
-
- mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
-
- ssl->ssl_pm = ssl_pm;
-
- return 0;
-
-mbedtls_err2:
- mbedtls_ssl_config_free(&ssl_pm->conf);
- mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
-mbedtls_err1:
- mbedtls_entropy_free(&ssl_pm->entropy);
- ssl_mem_free(ssl_pm);
-no_mem:
- return -1;
-}
-
-/**
- * @brief free SSL low-level object
- */
-void ssl_pm_free(SSL *ssl)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
- mbedtls_entropy_free(&ssl_pm->entropy);
- mbedtls_ssl_config_free(&ssl_pm->conf);
- mbedtls_ssl_free(&ssl_pm->ssl);
-
- ssl_mem_free(ssl_pm);
- ssl->ssl_pm = NULL;
-}
-
-/**
- * @brief reload SSL low-level certification object
- */
-static int ssl_pm_reload_crt(SSL *ssl)
-{
- int ret;
- int mode;
- struct ssl_pm *ssl_pm = ssl->ssl_pm;
- struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
-
- struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
- struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
-
- if (ssl->verify_mode == SSL_VERIFY_PEER)
- mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
- mode = MBEDTLS_SSL_VERIFY_UNSET;
- else
- mode = MBEDTLS_SSL_VERIFY_NONE;
-
- mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
-
- if (ca_pm->x509_crt) {
- mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
- } else if (ca_pm->ex_crt) {
- mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
- }
-
- if (crt_pm->x509_crt && pkey_pm->pkey) {
- ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
- } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
- ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
- } else {
- ret = 0;
- }
-
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
- ret = -1;
- }
-
- return ret;
-}
-
-/*
- * Perform the mbedtls SSL handshake instead of mbedtls_ssl_handshake.
- * We can add debug here.
- */
-static int mbedtls_handshake( mbedtls_ssl_context *ssl )
-{
- int ret = 0;
-
- while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- ret = mbedtls_ssl_handshake_step(ssl);
-
- lwsl_info("%s: ssl ret -%x state %d\n", __func__, -ret, ssl->state);
-
- if (ret != 0)
- break;
- }
-
- return ret;
-}
-
-#include <errno.h>
-
-int ssl_pm_handshake(SSL *ssl)
-{
- int ret;
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ssl->err = 0;
- errno = 0;
-
- ret = ssl_pm_reload_crt(ssl);
- if (ret) {
- printf("%s: cert reload failed\n", __func__);
- return 0;
- }
-
- if (ssl_pm->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- ssl_speed_up_enter();
-
- /* mbedtls return codes
- * 0 = successful, or MBEDTLS_ERR_SSL_WANT_READ/WRITE
- * anything else = death
- */
- ret = mbedtls_handshake(&ssl_pm->ssl);
- ssl_speed_up_exit();
- } else
- ret = 0;
-
- /*
- * OpenSSL return codes:
- * 0 = did not complete, but may be retried
- * 1 = successfully completed
- * <0 = death
- */
- if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
- ssl->err = ret;
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -ret);
- return 0; /* OpenSSL: did not complete but may be retried */
- }
-
- if (ret == 0) { /* successful */
- struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
-
- x509_pm->ex_crt = (mbedtls_x509_crt *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);
- return 1; /* openssl successful */
- }
-
- if (errno == 11) {
- ssl->err = ret == MBEDTLS_ERR_SSL_WANT_READ;
-
- return 0;
- }
-
- printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret);
-
- /* it's had it */
-
- ssl->err = SSL_ERROR_SYSCALL;
-
- return -1; /* openssl death */
-}
-
-mbedtls_x509_crt *
-ssl_ctx_get_mbedtls_x509_crt(SSL_CTX *ssl_ctx)
-{
- struct x509_pm *x509_pm = (struct x509_pm *)ssl_ctx->cert->x509->x509_pm;
-
- if (!x509_pm)
- return NULL;
-
- return x509_pm->x509_crt;
-}
-
-mbedtls_x509_crt *
-ssl_get_peer_mbedtls_x509_crt(SSL *ssl)
-{
- struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
-
- if (!x509_pm)
- return NULL;
-
- return x509_pm->ex_crt;
-}
-
-int ssl_pm_shutdown(SSL *ssl)
-{
- int ret;
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_close_notify() return -0x%x", -ret);
- if (ret == MBEDTLS_ERR_NET_CONN_RESET)
- ssl->err = SSL_ERROR_SYSCALL;
- ret = -1; /* OpenSSL: "Call SSL_get_error with the return value to find the reason */
- } else {
- struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
-
- x509_pm->ex_crt = NULL;
- ret = 1; /* OpenSSL: "The shutdown was successfully completed"
- ...0 means retry */
- }
-
- return ret;
-}
-
-int ssl_pm_clear(SSL *ssl)
-{
- return ssl_pm_shutdown(ssl);
-}
-
-
-int ssl_pm_read(SSL *ssl, void *buffer, int len)
-{
- int ret;
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
- if (ret < 0) {
- // lwsl_notice("%s: mbedtls_ssl_read says -0x%x\n", __func__, -ret);
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret);
- if (ret == MBEDTLS_ERR_NET_CONN_RESET ||
- ret <= MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) /* fatal errors */
- ssl->err = SSL_ERROR_SYSCALL;
- ret = -1;
- }
-
- return ret;
-}
-
-/*
- * This returns -1, or the length sent.
- * If -1, then you need to find out if the error was
- * fatal or recoverable using SSL_get_error()
- */
-int ssl_pm_send(SSL *ssl, const void *buffer, int len)
-{
- int ret;
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
- /*
- * We can get a positive number, which may be less than len... that
- * much was sent successfully and you can call again to send more.
- *
- * We can get a negative mbedtls error code... if WANT_WRITE or WANT_READ,
- * it's nonfatal and means it should be retried as-is. If something else,
- * it's fatal actually.
- *
- * If this function returns something other than a positive value or
- * MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context becomes unusable, and
- * you should either free it or call mbedtls_ssl_session_reset() on it
- * before re-using it for a new connection; the current connection must
- * be closed.
- *
- * When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be
- * called later with the same arguments, until it returns a positive value.
- */
-
- if (ret < 0) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
- switch (ret) {
- case MBEDTLS_ERR_NET_SEND_FAILED:
- case MBEDTLS_ERR_NET_CONN_RESET:
- ssl->err = SSL_ERROR_SYSCALL;
- break;
- case MBEDTLS_ERR_SSL_WANT_WRITE:
- ssl->err = SSL_ERROR_WANT_WRITE;
- break;
- case MBEDTLS_ERR_SSL_WANT_READ:
- ssl->err = SSL_ERROR_WANT_READ;
- break;
- default:
- break;
- }
-
- ret = -1;
- }
-
- return ret;
-}
-
-int ssl_pm_pending(const SSL *ssl)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- return mbedtls_ssl_get_bytes_avail(&ssl_pm->ssl);
-}
-
-void ssl_pm_set_fd(SSL *ssl, int fd, int mode)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ssl_pm->fd.fd = fd;
-}
-
-int ssl_pm_get_fd(const SSL *ssl, int mode)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- return ssl_pm->fd.fd;
-}
-
-OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)
-{
- OSSL_HANDSHAKE_STATE state;
-
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- switch (ssl_pm->ssl.state)
- {
- case MBEDTLS_SSL_CLIENT_HELLO:
- state = TLS_ST_CW_CLNT_HELLO;
- break;
- case MBEDTLS_SSL_SERVER_HELLO:
- state = TLS_ST_SW_SRVR_HELLO;
- break;
- case MBEDTLS_SSL_SERVER_CERTIFICATE:
- state = TLS_ST_SW_CERT;
- break;
- case MBEDTLS_SSL_SERVER_HELLO_DONE:
- state = TLS_ST_SW_SRVR_DONE;
- break;
- case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
- state = TLS_ST_CW_KEY_EXCH;
- break;
- case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
- state = TLS_ST_CW_CHANGE;
- break;
- case MBEDTLS_SSL_CLIENT_FINISHED:
- state = TLS_ST_CW_FINISHED;
- break;
- case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
- state = TLS_ST_SW_CHANGE;
- break;
- case MBEDTLS_SSL_SERVER_FINISHED:
- state = TLS_ST_SW_FINISHED;
- break;
- case MBEDTLS_SSL_CLIENT_CERTIFICATE:
- state = TLS_ST_CW_CERT;
- break;
- case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
- state = TLS_ST_SR_KEY_EXCH;
- break;
- case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
- state = TLS_ST_SW_SESSION_TICKET;
- break;
- case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
- state = TLS_ST_SW_CERT_REQ;
- break;
- case MBEDTLS_SSL_HANDSHAKE_OVER:
- state = TLS_ST_OK;
- break;
- default :
- state = TLS_ST_BEFORE;
- break;
- }
-
- return state;
-}
-
-int x509_pm_show_info(X509 *x)
-{
- int ret;
- char *buf;
- mbedtls_x509_crt *x509_crt;
- struct x509_pm *x509_pm = x->x509_pm;
-
- if (x509_pm->x509_crt)
- x509_crt = x509_pm->x509_crt;
- else if (x509_pm->ex_crt)
- x509_crt = x509_pm->ex_crt;
- else
- x509_crt = NULL;
-
- if (!x509_crt)
- return -1;
-
- buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH);
- if (!buf) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)");
- goto no_mem;
- }
-
- ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt);
- if (ret <= 0) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret);
- goto mbedtls_err1;
- }
-
- buf[ret] = 0;
-
- ssl_mem_free(buf);
-
- SSL_DEBUG(SSL_DEBUG_ON, "%s", buf);
-
- return 0;
-
-mbedtls_err1:
- ssl_mem_free(buf);
-no_mem:
- return -1;
-}
-
-int x509_pm_new(X509 *x, X509 *m_x)
-{
- struct x509_pm *x509_pm;
-
- x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm));
- if (!x509_pm) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)");
- goto failed1;
- }
-
- x->x509_pm = x509_pm;
-
- if (m_x) {
- struct x509_pm *m_x509_pm = (struct x509_pm *)m_x->x509_pm;
-
- x509_pm->ex_crt = m_x509_pm->x509_crt;
- }
-
- return 0;
-
-failed1:
- return -1;
-}
-
-void x509_pm_free(X509 *x)
-{
- struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
-
- if (x509_pm->x509_crt) {
- mbedtls_x509_crt_free(x509_pm->x509_crt);
-
- ssl_mem_free(x509_pm->x509_crt);
- x509_pm->x509_crt = NULL;
- }
-
- ssl_mem_free(x->x509_pm);
- x->x509_pm = NULL;
-}
-
-int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
-{
- int ret;
- unsigned char *load_buf;
- struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
-
- if (x509_pm->x509_crt)
- mbedtls_x509_crt_free(x509_pm->x509_crt);
-
- if (!x509_pm->x509_crt) {
- x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
- if (!x509_pm->x509_crt) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
- goto no_mem;
- }
- }
-
- mbedtls_x509_crt_init(x509_pm->x509_crt);
- if (buffer[0] != 0x30) {
- load_buf = ssl_mem_malloc(len + 1);
- if (!load_buf) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
- goto failed;
- }
-
- ssl_memcpy(load_buf, buffer, len);
- load_buf[len] = '\0';
-
- ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1);
- ssl_mem_free(load_buf);
- } else {
- printf("parsing as der\n");
-
- ret = mbedtls_x509_crt_parse_der(x509_pm->x509_crt, buffer, len);
- }
-
- if (ret) {
- printf("mbedtls_x509_crt_parse return -0x%x", -ret);
- goto failed;
- }
-
- return 0;
-
-failed:
- mbedtls_x509_crt_free(x509_pm->x509_crt);
- ssl_mem_free(x509_pm->x509_crt);
- x509_pm->x509_crt = NULL;
-no_mem:
- return -1;
-}
-
-int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey)
-{
- struct pkey_pm *pkey_pm;
-
- pkey_pm = ssl_mem_zalloc(sizeof(struct pkey_pm));
- if (!pkey_pm)
- return -1;
-
- pk->pkey_pm = pkey_pm;
-
- if (m_pkey) {
- struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm;
-
- pkey_pm->ex_pkey = m_pkey_pm->pkey;
- }
-
- return 0;
-}
-
-void pkey_pm_free(EVP_PKEY *pk)
-{
- struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
-
- if (pkey_pm->pkey) {
- mbedtls_pk_free(pkey_pm->pkey);
-
- ssl_mem_free(pkey_pm->pkey);
- pkey_pm->pkey = NULL;
- }
-
- ssl_mem_free(pk->pkey_pm);
- pk->pkey_pm = NULL;
-}
-
-int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
-{
- int ret;
- unsigned char *load_buf;
- struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
-
- if (pkey_pm->pkey)
- mbedtls_pk_free(pkey_pm->pkey);
-
- if (!pkey_pm->pkey) {
- pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context));
- if (!pkey_pm->pkey) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)");
- goto no_mem;
- }
- }
-
- load_buf = ssl_mem_malloc(len + 1);
- if (!load_buf) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
- goto failed;
- }
-
- ssl_memcpy(load_buf, buffer, len);
- load_buf[len] = '\0';
-
- mbedtls_pk_init(pkey_pm->pkey);
-
- ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len + 1, NULL, 0);
- ssl_mem_free(load_buf);
-
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret);
- goto failed;
- }
-
- return 0;
-
-failed:
- mbedtls_pk_free(pkey_pm->pkey);
- ssl_mem_free(pkey_pm->pkey);
- pkey_pm->pkey = NULL;
-no_mem:
- return -1;
-}
-
-
-
-void ssl_pm_set_bufflen(SSL *ssl, int len)
-{
- max_content_len = len;
-}
-
-long ssl_pm_get_verify_result(const SSL *ssl)
-{
- uint32_t ret;
- long verify_result;
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
- if (!ret)
- return X509_V_OK;
-
- if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ||
- (ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED))
- verify_result = X509_V_ERR_INVALID_CA;
-
- else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
- verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
-
- else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) ||
- (ret & MBEDTLS_X509_BADCRL_BAD_KEY))
- verify_result = X509_V_ERR_CA_KEY_TOO_SMALL;
-
- else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) ||
- (ret & MBEDTLS_X509_BADCRL_BAD_MD))
- verify_result = X509_V_ERR_CA_MD_TOO_WEAK;
-
- else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) ||
- (ret & MBEDTLS_X509_BADCRL_FUTURE))
- verify_result = X509_V_ERR_CERT_NOT_YET_VALID;
-
- else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) ||
- (ret & MBEDTLS_X509_BADCRL_EXPIRED))
- verify_result = X509_V_ERR_CERT_HAS_EXPIRED;
-
- else
- verify_result = X509_V_ERR_UNSPECIFIED;
-
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
- "mbedtls_ssl_get_verify_result() return 0x%x", ret);
-
- return verify_result;
-}
-
-/**
- * @brief set expected hostname on peer cert CN
- */
-
-int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
- const char *name, size_t namelen)
-{
- SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
- char *name_cstr = NULL;
-
- if (namelen) {
- name_cstr = malloc(namelen + 1);
- if (!name_cstr)
- return 0;
- memcpy(name_cstr, name, namelen);
- name_cstr[namelen] = '\0';
- name = name_cstr;
- }
-
- mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
-
- if (namelen)
- free(name_cstr);
-
- return 1;
-}
-
-void _ssl_set_alpn_list(const SSL *ssl)
-{
- if (ssl->alpn_protos) {
- if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos))
- fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
-
- return;
- }
- if (!ssl->ctx->alpn_protos)
- return;
- if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos))
- fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
-}
-
-void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
- unsigned int *len)
-{
- const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl);
-
- *data = (const unsigned char *)alp;
- if (alp)
- *len = strlen(alp);
- else
- *len = 0;
-}
-
-int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *,
- const unsigned char *, size_t), void *param)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
-
- mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param);
-
- return 0;
-}
-
-SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc)
-{
- struct ssl_pm *ssl_pm = (struct ssl_pm *)((char *)msc - offsetof(struct ssl_pm, ssl));
-
- return ssl_pm->owner;
-}
-
-#include "ssl_cert.h"
-
-void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
-{
- struct ssl_pm *ssl_pm = ssl->ssl_pm;
- struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
- struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
-
- struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
- int mode;
-
- if (ssl->cert)
- ssl_cert_free(ssl->cert);
- ssl->ctx = ctx;
- ssl->cert = __ssl_cert_new(ctx->cert);
-
- if (ctx->verify_mode == SSL_VERIFY_PEER)
- mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
- else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
- mode = MBEDTLS_SSL_VERIFY_UNSET;
- else
- mode = MBEDTLS_SSL_VERIFY_NONE;
-
- // printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode);
-
- /* apply new ctx cert to ssl */
-
- ssl->verify_mode = ctx->verify_mode;
-
- mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL);
- mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey);
- mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode);
-}
diff --git a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_port.c b/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_port.c
deleted file mode 100644
index 8c7a31338b..0000000000
--- a/thirdparty/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_port.c
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ssl_port.h"
-
-/*********************************************************************************************/
-/********************************* SSL general interface *************************************/
-
-void *ssl_mem_zalloc(size_t size)
-{
- void *p = malloc(size);
-
- if (p)
- memset(p, 0, size);
-
- return p;
-}
-
diff --git a/thirdparty/libwebsockets/lib/tls/private.h b/thirdparty/libwebsockets/lib/tls/private.h
deleted file mode 100644
index ad01bfd4fb..0000000000
--- a/thirdparty/libwebsockets/lib/tls/private.h
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * libwebsockets - small server side websockets and web server implementation
- *
- * Copyright (C) 2010 - 2018 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- *
- * This is included from core/private.h if LWS_WITH_TLS
- */
-
-#if defined(LWS_WITH_TLS)
-
-#if defined(USE_WOLFSSL)
- #if defined(USE_OLD_CYASSL)
- #if defined(_WIN32)
- #include <IDE/WIN/user_settings.h>
- #include <cyassl/ctaocrypt/settings.h>
- #else
- #include <cyassl/options.h>
- #endif
- #include <cyassl/openssl/ssl.h>
- #include <cyassl/error-ssl.h>
- #else
- #if defined(_WIN32)
- #include <IDE/WIN/user_settings.h>
- #include <wolfssl/wolfcrypt/settings.h>
- #else
- #include <wolfssl/options.h>
- #endif
- #include <wolfssl/openssl/ssl.h>
- #include <wolfssl/error-ssl.h>
- #define OPENSSL_NO_TLSEXT
- #endif /* not USE_OLD_CYASSL */
-#else /* WOLFSSL */
- #if defined(LWS_WITH_ESP32)
- #define OPENSSL_NO_TLSEXT
- #undef MBEDTLS_CONFIG_FILE
- #define MBEDTLS_CONFIG_FILE <mbedtls/esp_config.h>
- #include <mbedtls/ssl.h>
- #include <mbedtls/x509_crt.h>
- #include "tls/mbedtls/wrapper/include/openssl/ssl.h" /* wrapper !!!! */
- #else /* not esp32 */
- #if defined(LWS_WITH_MBEDTLS)
- #include <mbedtls/ssl.h>
- #include <mbedtls/x509_crt.h>
- #include <mbedtls/x509_csr.h>
- #include "tls/mbedtls/wrapper/include/openssl/ssl.h" /* wrapper !!!! */
- #else
- #include <openssl/ssl.h>
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #include <openssl/md5.h>
- #include <openssl/sha.h>
- #include <openssl/rsa.h>
- #include <openssl/bn.h>
- #ifdef LWS_HAVE_OPENSSL_ECDH_H
- #include <openssl/ecdh.h>
- #endif
- #include <openssl/x509v3.h>
- #endif /* not mbedtls */
- #if defined(OPENSSL_VERSION_NUMBER)
- #if (OPENSSL_VERSION_NUMBER < 0x0009080afL)
-/*
- * later openssl defines this to negate the presence of tlsext... but it was
- * only introduced at 0.9.8j. Earlier versions don't know it exists so don't
- * define it... making it look like the feature exists...
- */
- #define OPENSSL_NO_TLSEXT
- #endif
- #endif
- #endif /* not ESP32 */
-#endif /* not USE_WOLFSSL */
-
-#endif /* LWS_WITH_TLS */
-
-enum lws_tls_extant {
- LWS_TLS_EXTANT_NO,
- LWS_TLS_EXTANT_YES,
- LWS_TLS_EXTANT_ALTERNATIVE
-};
-
-struct lws_context_per_thread;
-
-struct lws_tls_ops {
- int (*fake_POLLIN_for_buffered)(struct lws_context_per_thread *pt);
- int (*periodic_housekeeping)(struct lws_context *context, time_t now);
-};
-
-#if defined(LWS_WITH_TLS)
-
-typedef SSL lws_tls_conn;
-typedef SSL_CTX lws_tls_ctx;
-typedef BIO lws_tls_bio;
-typedef X509 lws_tls_x509;
-
-
-#define LWS_SSL_ENABLED(context) (context->tls.use_ssl)
-
-extern const struct lws_tls_ops tls_ops_openssl, tls_ops_mbedtls;
-
-struct lws_context_tls {
- char alpn_discovered[32];
- const char *alpn_default;
- time_t last_cert_check_s;
-};
-
-struct lws_pt_tls {
- struct lws_dll_lws pending_tls_head;
-};
-
-struct lws_tls_ss_pieces;
-
-struct alpn_ctx {
- uint8_t data[23];
- uint8_t len;
-};
-
-struct lws_vhost_tls {
- lws_tls_ctx *ssl_ctx;
- lws_tls_ctx *ssl_client_ctx;
- const char *alpn;
- struct lws_tls_ss_pieces *ss; /* for acme tls certs */
- char *alloc_cert_path;
- char *key_path;
-#if defined(LWS_WITH_MBEDTLS)
- lws_tls_x509 *x509_client_CA;
-#endif
- char ecdh_curve[16];
- struct alpn_ctx alpn_ctx;
-
- int use_ssl;
- int allow_non_ssl_on_ssl_port;
- int ssl_info_event_mask;
-
- unsigned int user_supplied_ssl_ctx:1;
- unsigned int skipped_certs:1;
-};
-
-struct lws_lws_tls {
- lws_tls_conn *ssl;
- lws_tls_bio *client_bio;
- struct lws_dll_lws pending_tls_list;
- unsigned int use_ssl;
- unsigned int redirect_to_https:1;
-};
-
-LWS_EXTERN void
-lws_context_init_alpn(struct lws_vhost *vhost);
-LWS_EXTERN enum lws_tls_extant
-lws_tls_use_any_upgrade_check_extant(const char *name);
-LWS_EXTERN int openssl_websocket_private_data_index;
-LWS_EXTERN int LWS_WARN_UNUSED_RESULT
-lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len);
-LWS_EXTERN int LWS_WARN_UNUSED_RESULT
-lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len);
-LWS_EXTERN int LWS_WARN_UNUSED_RESULT
-lws_ssl_pending(struct lws *wsi);
-LWS_EXTERN int
-lws_context_init_ssl_library(const struct lws_context_creation_info *info);
-LWS_EXTERN int LWS_WARN_UNUSED_RESULT
-lws_server_socket_service_ssl(struct lws *new_wsi, lws_sockfd_type accept_fd);
-LWS_EXTERN int
-lws_ssl_close(struct lws *wsi);
-LWS_EXTERN void
-lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost);
-LWS_EXTERN void
-lws_ssl_context_destroy(struct lws_context *context);
-void
-__lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi);
-LWS_VISIBLE void
-lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi);
-LWS_EXTERN int
-lws_ssl_client_bio_create(struct lws *wsi);
-LWS_EXTERN int
-lws_ssl_client_connect1(struct lws *wsi);
-LWS_EXTERN int
-lws_ssl_client_connect2(struct lws *wsi, char *errbuf, int len);
-LWS_EXTERN void
-lws_ssl_elaborate_error(void);
-LWS_EXTERN int
-lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt);
-LWS_EXTERN int
-lws_gate_accepts(struct lws_context *context, int on);
-LWS_EXTERN void
-lws_ssl_bind_passphrase(lws_tls_ctx *ssl_ctx,
- const struct lws_context_creation_info *info);
-LWS_EXTERN void
-lws_ssl_info_callback(const lws_tls_conn *ssl, int where, int ret);
-LWS_EXTERN int
-lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
- union lws_tls_cert_info_results *buf, size_t len);
-LWS_EXTERN int
-lws_tls_check_all_cert_lifetimes(struct lws_context *context);
-LWS_EXTERN int
-lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
- const char *cert, const char *private_key,
- const char *mem_cert, size_t len_mem_cert,
- const char *mem_privkey, size_t mem_privkey_len);
-LWS_EXTERN enum lws_tls_extant
-lws_tls_generic_cert_checks(struct lws_vhost *vhost, const char *cert,
- const char *private_key);
-LWS_EXTERN int
-lws_tls_alloc_pem_to_der_file(struct lws_context *context, const char *filename,
- const char *inbuf, lws_filepos_t inlen,
- uint8_t **buf, lws_filepos_t *amount);
-
-#if !defined(LWS_NO_SERVER)
- LWS_EXTERN int
- lws_context_init_server_ssl(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost);
- void
- lws_tls_acme_sni_cert_destroy(struct lws_vhost *vhost);
-#else
- #define lws_context_init_server_ssl(_a, _b) (0)
- #define lws_tls_acme_sni_cert_destroy(_a)
-#endif
-
-LWS_EXTERN void
-lws_ssl_destroy(struct lws_vhost *vhost);
-LWS_EXTERN char *
-lws_ssl_get_error_string(int status, int ret, char *buf, size_t len);
-
-/*
- * lws_tls_ abstract backend implementations
- */
-
-LWS_EXTERN int
-lws_tls_server_client_cert_verify_config(struct lws_vhost *vh);
-LWS_EXTERN int
-lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost, struct lws *wsi);
-LWS_EXTERN int
-lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd);
-
-LWS_EXTERN enum lws_ssl_capable_status
-lws_tls_server_accept(struct lws *wsi);
-
-LWS_EXTERN enum lws_ssl_capable_status
-lws_tls_server_abort_connection(struct lws *wsi);
-
-LWS_EXTERN enum lws_ssl_capable_status
-__lws_tls_shutdown(struct lws *wsi);
-
-LWS_EXTERN enum lws_ssl_capable_status
-lws_tls_client_connect(struct lws *wsi);
-LWS_EXTERN int
-lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len);
-LWS_EXTERN int
-lws_tls_client_create_vhost_context(struct lws_vhost *vh,
- const struct lws_context_creation_info *info,
- const char *cipher_list,
- const char *ca_filepath,
- const void *ca_mem,
- unsigned int ca_mem_len,
- const char *cert_filepath,
- const char *private_key_filepath);
-
-LWS_EXTERN lws_tls_ctx *
-lws_tls_ctx_from_wsi(struct lws *wsi);
-LWS_EXTERN int
-lws_ssl_get_error(struct lws *wsi, int n);
-
-LWS_EXTERN int
-lws_context_init_client_ssl(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost);
-
-LWS_EXTERN void
-lws_ssl_info_callback(const lws_tls_conn *ssl, int where, int ret);
-
-int
-lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt);
-
-#endif
diff --git a/thirdparty/libwebsockets/lib/tls/tls-client.c b/thirdparty/libwebsockets/lib/tls/tls-client.c
deleted file mode 100644
index f69c685fa7..0000000000
--- a/thirdparty/libwebsockets/lib/tls/tls-client.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * libwebsockets - client-related ssl code independent of backend
- *
- * Copyright (C) 2010-2018 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-
-int
-lws_ssl_client_connect1(struct lws *wsi)
-{
- struct lws_context *context = wsi->context;
- int n = 0;
-
- lws_latency_pre(context, wsi);
- n = lws_tls_client_connect(wsi);
- lws_latency(context, wsi, "SSL_connect hs", n, n > 0);
-
- switch (n) {
- case LWS_SSL_CAPABLE_ERROR:
- return -1;
- case LWS_SSL_CAPABLE_DONE:
- return 1; /* connected */
- case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
- lws_callback_on_writable(wsi);
- /* fallthru */
- case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
- lwsi_set_state(wsi, LRS_WAITING_SSL);
- break;
- case LWS_SSL_CAPABLE_MORE_SERVICE:
- break;
- }
-
- return 0; /* retry */
-}
-
-int
-lws_ssl_client_connect2(struct lws *wsi, char *errbuf, int len)
-{
- int n = 0;
-
- if (lwsi_state(wsi) == LRS_WAITING_SSL) {
- lws_latency_pre(wsi->context, wsi);
-
- n = lws_tls_client_connect(wsi);
- lwsl_debug("%s: SSL_connect says %d\n", __func__, n);
- lws_latency(wsi->context, wsi,
- "SSL_connect LRS_WAITING_SSL", n, n > 0);
-
- switch (n) {
- case LWS_SSL_CAPABLE_ERROR:
- lws_snprintf(errbuf, len, "client connect failed");
- return -1;
- case LWS_SSL_CAPABLE_DONE:
- break; /* connected */
- case LWS_SSL_CAPABLE_MORE_SERVICE_WRITE:
- lws_callback_on_writable(wsi);
- /* fallthru */
- case LWS_SSL_CAPABLE_MORE_SERVICE_READ:
- lwsi_set_state(wsi, LRS_WAITING_SSL);
- /* fallthru */
- case LWS_SSL_CAPABLE_MORE_SERVICE:
- return 0;
- }
- }
-
- if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len))
- return -1;
-
- return 1;
-}
-
-
-int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost)
-{
- const char *private_key_filepath = info->ssl_private_key_filepath;
- const char *cert_filepath = info->ssl_cert_filepath;
- const char *ca_filepath = info->ssl_ca_filepath;
- const char *cipher_list = info->ssl_cipher_list;
- struct lws wsi;
-
- if (vhost->options & LWS_SERVER_OPTION_ONLY_RAW)
- return 0;
-
- /*
- * for backwards-compatibility default to using ssl_... members, but
- * if the newer client-specific ones are given, use those
- */
- if (info->client_ssl_cipher_list)
- cipher_list = info->client_ssl_cipher_list;
- if (info->client_ssl_cert_filepath)
- cert_filepath = info->client_ssl_cert_filepath;
- if (info->client_ssl_private_key_filepath)
- private_key_filepath = info->client_ssl_private_key_filepath;
-
- if (info->client_ssl_ca_filepath)
- ca_filepath = info->client_ssl_ca_filepath;
-
- if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
- return 0;
-
- if (vhost->tls.ssl_client_ctx)
- return 0;
-
- if (info->provided_client_ssl_ctx) {
- /* use the provided OpenSSL context if given one */
- vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
- /* nothing for lib to delete */
- vhost->tls.user_supplied_ssl_ctx = 1;
-
- return 0;
- }
-
- if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
- ca_filepath,
- info->client_ssl_ca_mem,
- info->client_ssl_ca_mem_len,
- cert_filepath,
- private_key_filepath))
- return 1;
-
- lwsl_notice("created client ssl context for %s\n", vhost->name);
-
- /*
- * give him a fake wsi with context set, so he can use
- * lws_get_context() in the callback
- */
- memset(&wsi, 0, sizeof(wsi));
- wsi.vhost = vhost; /* not a real bound wsi */
- wsi.context = vhost->context;
-
- vhost->protocols[0].callback(&wsi,
- LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
- vhost->tls.ssl_client_ctx, NULL, 0);
-
- return 0;
-}
diff --git a/thirdparty/libwebsockets/lib/tls/tls-server.c b/thirdparty/libwebsockets/lib/tls/tls-server.c
deleted file mode 100644
index 9d3f70dbea..0000000000
--- a/thirdparty/libwebsockets/lib/tls/tls-server.c
+++ /dev/null
@@ -1,388 +0,0 @@
-/*
- * libwebsockets - small server side websockets and web server implementation
- *
- * Copyright (C) 2010-2018 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-
-#if defined(LWS_WITH_MBEDTLS) || (defined(OPENSSL_VERSION_NUMBER) && \
- OPENSSL_VERSION_NUMBER >= 0x10002000L)
-static int
-alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
- const unsigned char *in, unsigned int inlen, void *arg)
-{
-#if !defined(LWS_WITH_MBEDTLS)
- struct alpn_ctx *alpn_ctx = (struct alpn_ctx *)arg;
-
- if (SSL_select_next_proto((unsigned char **)out, outlen, alpn_ctx->data,
- alpn_ctx->len, in, inlen) !=
- OPENSSL_NPN_NEGOTIATED)
- return SSL_TLSEXT_ERR_NOACK;
-#endif
-
- return SSL_TLSEXT_ERR_OK;
-}
-#endif
-
-void
-lws_context_init_alpn(struct lws_vhost *vhost)
-{
-#if defined(LWS_WITH_MBEDTLS) || (defined(OPENSSL_VERSION_NUMBER) && \
- OPENSSL_VERSION_NUMBER >= 0x10002000L)
- const char *alpn_comma = vhost->context->tls.alpn_default;
-
- if (vhost->tls.alpn)
- alpn_comma = vhost->tls.alpn;
-
- lwsl_info(" Server '%s' advertising ALPN: %s\n",
- vhost->name, alpn_comma);
- vhost->tls.alpn_ctx.len = lws_alpn_comma_to_openssl(alpn_comma,
- vhost->tls.alpn_ctx.data,
- sizeof(vhost->tls.alpn_ctx.data) - 1);
-
- SSL_CTX_set_alpn_select_cb(vhost->tls.ssl_ctx, alpn_cb,
- &vhost->tls.alpn_ctx);
-#else
- lwsl_err(
- " HTTP2 / ALPN configured but not supported by OpenSSL 0x%lx\n",
- OPENSSL_VERSION_NUMBER);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
-}
-
-int
-lws_tls_server_conn_alpn(struct lws *wsi)
-{
-#if defined(LWS_WITH_MBEDTLS) || (defined(OPENSSL_VERSION_NUMBER) && \
- OPENSSL_VERSION_NUMBER >= 0x10002000L)
- const unsigned char *name = NULL;
- char cstr[10];
- unsigned len;
-
- SSL_get0_alpn_selected(wsi->tls.ssl, &name, &len);
- if (!len) {
- lwsl_info("no ALPN upgrade\n");
- return 0;
- }
-
- if (len > sizeof(cstr) - 1)
- len = sizeof(cstr) - 1;
-
- memcpy(cstr, name, len);
- cstr[len] = '\0';
-
- lwsl_info("negotiated '%s' using ALPN\n", cstr);
- wsi->tls.use_ssl |= LCCSCF_USE_SSL;
-
- return lws_role_call_alpn_negotiated(wsi, (const char *)cstr);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
-
- return 0;
-}
-
-LWS_VISIBLE int
-lws_context_init_server_ssl(const struct lws_context_creation_info *info,
- struct lws_vhost *vhost)
-{
- struct lws_context *context = vhost->context;
- struct lws wsi;
-
- if (!lws_check_opt(info->options,
- LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
- vhost->tls.use_ssl = 0;
-
- return 0;
- }
-
- /*
- * If he is giving a cert filepath, take it as a sign he wants to use
- * it on this vhost. User code can leave the cert filepath NULL and
- * set the LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX option itself, in
- * which case he's expected to set up the cert himself at
- * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS, which
- * provides the vhost SSL_CTX * in the user parameter.
- */
- if (info->ssl_cert_filepath)
- vhost->options |= LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX;
-
- if (info->port != CONTEXT_PORT_NO_LISTEN) {
-
- vhost->tls.use_ssl = lws_check_opt(vhost->options,
- LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX);
-
- if (vhost->tls.use_ssl && info->ssl_cipher_list)
- lwsl_notice(" SSL ciphers: '%s'\n",
- info->ssl_cipher_list);
-
- if (vhost->tls.use_ssl)
- lwsl_notice(" Using SSL mode\n");
- else
- lwsl_notice(" Using non-SSL mode\n");
- }
-
- /*
- * give him a fake wsi with context + vhost set, so he can use
- * lws_get_context() in the callback
- */
- memset(&wsi, 0, sizeof(wsi));
- wsi.vhost = vhost; /* not a real bound wsi */
- wsi.context = context;
-
- /*
- * as a server, if we are requiring clients to identify themselves
- * then set the backend up for it
- */
- if (lws_check_opt(info->options,
- LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT))
- /* Normally SSL listener rejects non-ssl, optionally allow */
- vhost->tls.allow_non_ssl_on_ssl_port = 1;
-
- /*
- * give user code a chance to load certs into the server
- * allowing it to verify incoming client certs
- */
- if (vhost->tls.use_ssl) {
- if (lws_tls_server_vhost_backend_init(info, vhost, &wsi))
- return -1;
-
- lws_tls_server_client_cert_verify_config(vhost);
-
- if (vhost->protocols[0].callback(&wsi,
- LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS,
- vhost->tls.ssl_ctx, vhost, 0))
- return -1;
- }
-
- if (vhost->tls.use_ssl)
- lws_context_init_alpn(vhost);
-
- return 0;
-}
-
-LWS_VISIBLE int
-lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
-{
- struct lws_context *context = wsi->context;
- struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
- struct lws_vhost *vh;
- char buf[256];
- int n;
-
- (void)buf;
-
- if (!LWS_SSL_ENABLED(wsi->vhost))
- return 0;
-
- switch (lwsi_state(wsi)) {
- case LRS_SSL_INIT:
-
- if (wsi->tls.ssl)
- lwsl_err("%s: leaking ssl\n", __func__);
- if (accept_fd == LWS_SOCK_INVALID)
- assert(0);
- if (context->simultaneous_ssl_restriction &&
- context->simultaneous_ssl >=
- context->simultaneous_ssl_restriction) {
- lwsl_notice("unable to deal with SSL connection\n");
- return 1;
- }
-
- if (lws_tls_server_new_nonblocking(wsi, accept_fd)) {
- if (accept_fd != LWS_SOCK_INVALID)
- compatible_close(accept_fd);
- goto fail;
- }
-
- if (context->simultaneous_ssl_restriction &&
- ++context->simultaneous_ssl ==
- context->simultaneous_ssl_restriction)
- /* that was the last allowed SSL connection */
- lws_gate_accepts(context, 0);
-
-#if defined(LWS_WITH_STATS)
- context->updated = 1;
-#endif
- /*
- * we are not accepted yet, but we need to enter ourselves
- * as a live connection. That way we can retry when more
- * pieces come if we're not sorted yet
- */
- lwsi_set_state(wsi, LRS_SSL_ACK_PENDING);
-
- lws_pt_lock(pt, __func__);
- if (__insert_wsi_socket_into_fds(context, wsi)) {
- lwsl_err("%s: failed to insert into fds\n", __func__);
- goto fail;
- }
- lws_pt_unlock(pt);
-
- lws_set_timeout(wsi, PENDING_TIMEOUT_SSL_ACCEPT,
- context->timeout_secs);
-
- lwsl_debug("inserted SSL accept into fds, trying SSL_accept\n");
-
- /* fallthru */
-
- case LRS_SSL_ACK_PENDING:
-
- if (lws_change_pollfd(wsi, LWS_POLLOUT, 0)) {
- lwsl_err("%s: lws_change_pollfd failed\n", __func__);
- goto fail;
- }
-
- lws_latency_pre(context, wsi);
-
- if (wsi->vhost->tls.allow_non_ssl_on_ssl_port) {
-
- n = recv(wsi->desc.sockfd, (char *)pt->serv_buf,
- context->pt_serv_buf_size, MSG_PEEK);
-
- /*
- * optionally allow non-SSL connect on SSL listening socket
- * This is disabled by default, if enabled it goes around any
- * SSL-level access control (eg, client-side certs) so leave
- * it disabled unless you know it's not a problem for you
- */
- if (n >= 1 && pt->serv_buf[0] >= ' ') {
- /*
- * TLS content-type for Handshake is 0x16, and
- * for ChangeCipherSpec Record, it's 0x14
- *
- * A non-ssl session will start with the HTTP
- * method in ASCII. If we see it's not a legit
- * SSL handshake kill the SSL for this
- * connection and try to handle as a HTTP
- * connection upgrade directly.
- */
- wsi->tls.use_ssl = 0;
-
- lws_tls_server_abort_connection(wsi);
- /*
- * care... this creates wsi with no ssl
- * when ssl is enabled and normally
- * mandatory
- */
- wsi->tls.ssl = NULL;
- if (lws_check_opt(context->options,
- LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS))
- wsi->tls.redirect_to_https = 1;
- lwsl_debug("accepted as non-ssl\n");
- goto accepted;
- }
- if (!n) {
- /*
- * connection is gone, fail out
- */
- lwsl_debug("PEEKed 0\n");
- goto fail;
- }
- if (n < 0 && (LWS_ERRNO == LWS_EAGAIN ||
- LWS_ERRNO == LWS_EWOULDBLOCK)) {
- /*
- * well, we get no way to know ssl or not
- * so go around again waiting for something
- * to come and give us a hint, or timeout the
- * connection.
- */
- if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
- lwsl_info("%s: change_pollfd failed\n",
- __func__);
- return -1;
- }
-
- lwsl_info("SSL_ERROR_WANT_READ\n");
- return 0;
- }
- }
-
- /* normal SSL connection processing path */
-
-#if defined(LWS_WITH_STATS)
- /* only set this the first time around */
- if (!wsi->accept_start_us)
- wsi->accept_start_us = lws_time_in_microseconds();
-#endif
- errno = 0;
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_C_SSL_CONNECTIONS_ACCEPT_SPIN,
- 1);
- n = lws_tls_server_accept(wsi);
- lws_latency(context, wsi,
- "SSL_accept LRS_SSL_ACK_PENDING\n", n, n == 1);
- lwsl_info("SSL_accept says %d\n", n);
- switch (n) {
- case LWS_SSL_CAPABLE_DONE:
- break;
- case LWS_SSL_CAPABLE_ERROR:
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_C_SSL_CONNECTIONS_FAILED,
- 1);
- lwsl_info("SSL_accept failed socket %u: %d\n",
- wsi->desc.sockfd, n);
- wsi->socket_is_permanently_unusable = 1;
- goto fail;
-
- default: /* MORE_SERVICE */
- return 0;
- }
-
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_C_SSL_CONNECTIONS_ACCEPTED, 1);
-#if defined(LWS_WITH_STATS)
- if (wsi->accept_start_us)
- lws_stats_atomic_bump(wsi->context, pt,
- LWSSTATS_MS_SSL_CONNECTIONS_ACCEPTED_DELAY,
- lws_time_in_microseconds() -
- wsi->accept_start_us);
- wsi->accept_start_us = lws_time_in_microseconds();
-#endif
-
-accepted:
-
- /* adapt our vhost to match the SNI SSL_CTX that was chosen */
- vh = context->vhost_list;
- while (vh) {
- if (!vh->being_destroyed && wsi->tls.ssl &&
- vh->tls.ssl_ctx == lws_tls_ctx_from_wsi(wsi)) {
- lwsl_info("setting wsi to vh %s\n", vh->name);
- lws_vhost_bind_wsi(vh, wsi);
- break;
- }
- vh = vh->vhost_next;
- }
-
- /* OK, we are accepted... give him some time to negotiate */
- lws_set_timeout(wsi, PENDING_TIMEOUT_ESTABLISH_WITH_SERVER,
- context->timeout_secs);
-
- lwsi_set_state(wsi, LRS_ESTABLISHED);
- if (lws_tls_server_conn_alpn(wsi))
- goto fail;
- lwsl_debug("accepted new SSL conn\n");
- break;
-
- default:
- break;
- }
-
- return 0;
-
-fail:
- return 1;
-}
-
diff --git a/thirdparty/libwebsockets/lib/tls/tls.c b/thirdparty/libwebsockets/lib/tls/tls.c
deleted file mode 100644
index a32951689f..0000000000
--- a/thirdparty/libwebsockets/lib/tls/tls.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/*
- * libwebsockets - small server side websockets and web server implementation
- *
- * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation:
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- * MA 02110-1301 USA
- */
-
-#include "core/private.h"
-
-/*
- * fakes POLLIN on all tls guys with buffered rx
- *
- * returns nonzero if any tls guys had POLLIN faked
- */
-
-int
-lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt)
-{
- int ret = 0;
-
- lws_start_foreach_dll_safe(struct lws_dll_lws *, p, p1,
- pt->tls.pending_tls_head.next) {
- struct lws *wsi = lws_container_of(p, struct lws,
- tls.pending_tls_list);
-
- pt->fds[wsi->position_in_fds_table].revents |=
- pt->fds[wsi->position_in_fds_table].events & LWS_POLLIN;
- ret |= pt->fds[wsi->position_in_fds_table].revents & LWS_POLLIN;
-
- } lws_end_foreach_dll_safe(p, p1);
-
- return !!ret;
-}
-
-void
-__lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi)
-{
- if (lws_dll_is_null(&wsi->tls.pending_tls_list))
- return;
-
- lws_dll_lws_remove(&wsi->tls.pending_tls_list);
-}
-
-void
-lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi)
-{
- struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
-
- lws_pt_lock(pt, __func__);
- __lws_ssl_remove_wsi_from_buffered_list(wsi);
- lws_pt_unlock(pt);
-}
-
-#if defined(LWS_WITH_ESP32)
-int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
- lws_filepos_t *amount)
-{
- nvs_handle nvh;
- size_t s;
- int n = 0;
-
- ESP_ERROR_CHECK(nvs_open("lws-station", NVS_READWRITE, &nvh));
- if (nvs_get_blob(nvh, filename, NULL, &s) != ESP_OK) {
- n = 1;
- goto bail;
- }
- *buf = lws_malloc(s + 1, "alloc_file");
- if (!*buf) {
- n = 2;
- goto bail;
- }
- if (nvs_get_blob(nvh, filename, (char *)*buf, &s) != ESP_OK) {
- lws_free(*buf);
- n = 1;
- goto bail;
- }
-
- *amount = s;
- (*buf)[s] = '\0';
-
- lwsl_notice("%s: nvs: read %s, %d bytes\n", __func__, filename, (int)s);
-
-bail:
- nvs_close(nvh);
-
- return n;
-}
-#else
-int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
- lws_filepos_t *amount)
-{
- FILE *f;
- size_t s;
- int n = 0;
-
- f = fopen(filename, "rb");
- if (f == NULL) {
- n = 1;
- goto bail;
- }
-
- if (fseek(f, 0, SEEK_END) != 0) {
- n = 1;
- goto bail;
- }
-
- s = ftell(f);
- if (s == (size_t)-1) {
- n = 1;
- goto bail;
- }
-
- if (fseek(f, 0, SEEK_SET) != 0) {
- n = 1;
- goto bail;
- }
-
- *buf = lws_malloc(s, "alloc_file");
- if (!*buf) {
- n = 2;
- goto bail;
- }
-
- if (fread(*buf, s, 1, f) != 1) {
- lws_free(*buf);
- n = 1;
- goto bail;
- }
-
- *amount = s;
-
-bail:
- if (f)
- fclose(f);
-
- return n;
-
-}
-#endif
-
-int
-lws_tls_alloc_pem_to_der_file(struct lws_context *context, const char *filename,
- const char *inbuf, lws_filepos_t inlen,
- uint8_t **buf, lws_filepos_t *amount)
-{
- const uint8_t *pem, *p, *end;
- lws_filepos_t len;
- uint8_t *q;
- int n;
-
- if (filename) {
- n = alloc_file(context, filename, (uint8_t **)&pem, &len);
- if (n)
- return n;
- } else {
- pem = (const uint8_t *)inbuf;
- len = inlen;
- }
-
- /* trim the first line */
-
- p = pem;
- end = p + len;
- if (strncmp((char *)p, "-----", 5))
- goto bail;
- p += 5;
- while (p < end && *p != '\n' && *p != '-')
- p++;
-
- if (*p != '-')
- goto bail;
-
- while (p < end && *p != '\n')
- p++;
-
- if (p >= end)
- goto bail;
-
- p++;
-
- /* trim the last line */
-
- q = (uint8_t *)end - 2;
-
- while (q > pem && *q != '\n')
- q--;
-
- if (*q != '\n')
- goto bail;
-
- *q = '\0';
-
- *amount = lws_b64_decode_string((char *)p, (char *)pem,
- (int)(long long)len);
- *buf = (uint8_t *)pem;
-
- return 0;
-
-bail:
- lws_free((uint8_t *)pem);
-
- return 4;
-}
-
-int
-lws_tls_check_cert_lifetime(struct lws_vhost *v)
-{
- time_t now = (time_t)lws_now_secs(), life = 0;
- struct lws_acme_cert_aging_args caa;
- union lws_tls_cert_info_results ir;
- int n;
-
- if (v->tls.ssl_ctx && !v->tls.skipped_certs) {
-
- if (now < 1542933698) /* Nov 23 2018 00:42 UTC */
- /* our clock is wrong and we can't judge the certs */
- return -1;
-
- n = lws_tls_vhost_cert_info(v, LWS_TLS_CERT_INFO_VALIDITY_TO,
- &ir, 0);
- if (n)
- return 1;
-
- life = (ir.time - now) / (24 * 3600);
- lwsl_notice(" vhost %s: cert expiry: %dd\n", v->name,
- (int)life);
- } else
- lwsl_notice(" vhost %s: no cert\n", v->name);
-
- memset(&caa, 0, sizeof(caa));
- caa.vh = v;
- lws_broadcast(v->context, LWS_CALLBACK_VHOST_CERT_AGING, (void *)&caa,
- (size_t)(ssize_t)life);
-
- return 0;
-}
-
-int
-lws_tls_check_all_cert_lifetimes(struct lws_context *context)
-{
- struct lws_vhost *v = context->vhost_list;
-
- while (v) {
- if (lws_tls_check_cert_lifetime(v) < 0)
- return -1;
- v = v->vhost_next;
- }
-
- return 0;
-}
-#if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE)
-static int
-lws_tls_extant(const char *name)
-{
- /* it exists if we can open it... */
- int fd = open(name, O_RDONLY), n;
- char buf[1];
-
- if (fd < 0)
- return 1;
-
- /* and we can read at least one byte out of it */
- n = read(fd, buf, 1);
- close(fd);
-
- return n != 1;
-}
-#endif
-/*
- * Returns 0 if the filepath "name" exists and can be read from.
- *
- * In addition, if "name".upd exists, backup "name" to "name.old.1"
- * and rename "name".upd to "name" before reporting its existence.
- *
- * There are four situations and three results possible:
- *
- * 1) LWS_TLS_EXTANT_NO: There are no certs at all (we are waiting for them to
- * be provisioned). We also feel like this if we need privs we don't have
- * any more to look in the directory.
- *
- * 2) There are provisioned certs written (xxx.upd) and we still have root
- * privs... in this case we rename any existing cert to have a backup name
- * and move the upd cert into place with the correct name. This then becomes
- * situation 4 for the caller.
- *
- * 3) LWS_TLS_EXTANT_ALTERNATIVE: There are provisioned certs written (xxx.upd)
- * but we no longer have the privs needed to read or rename them. In this
- * case, indicate that the caller should use temp copies if any we do have
- * rights to access. This is normal after we have updated the cert.
- *
- * But if we dropped privs, we can't detect the provisioned xxx.upd cert +
- * key, because we can't see in the dir. So we have to upgrade NO to
- * ALTERNATIVE when we actually have the in-memory alternative.
- *
- * 4) LWS_TLS_EXTANT_YES: The certs are present with the correct name and we
- * have the rights to read them.
- */
-enum lws_tls_extant
-lws_tls_use_any_upgrade_check_extant(const char *name)
-{
-#if !defined(LWS_PLAT_OPTEE)
-
- int n;
-
-#if !defined(LWS_WITH_ESP32)
- char buf[256];
-
- lws_snprintf(buf, sizeof(buf) - 1, "%s.upd", name);
- if (!lws_tls_extant(buf)) {
- /* ah there is an updated file... how about the desired file? */
- if (!lws_tls_extant(name)) {
- /* rename the desired file */
- for (n = 0; n < 50; n++) {
- lws_snprintf(buf, sizeof(buf) - 1,
- "%s.old.%d", name, n);
- if (!rename(name, buf))
- break;
- }
- if (n == 50) {
- lwsl_notice("unable to rename %s\n", name);
-
- return LWS_TLS_EXTANT_ALTERNATIVE;
- }
- lws_snprintf(buf, sizeof(buf) - 1, "%s.upd", name);
- }
- /* desired file is out of the way, rename the updated file */
- if (rename(buf, name)) {
- lwsl_notice("unable to rename %s to %s\n", buf, name);
-
- return LWS_TLS_EXTANT_ALTERNATIVE;
- }
- }
-
- if (lws_tls_extant(name))
- return LWS_TLS_EXTANT_NO;
-#else
- nvs_handle nvh;
- size_t s = 8192;
-
- if (nvs_open("lws-station", NVS_READWRITE, &nvh)) {
- lwsl_notice("%s: can't open nvs\n", __func__);
- return LWS_TLS_EXTANT_NO;
- }
-
- n = nvs_get_blob(nvh, name, NULL, &s);
- nvs_close(nvh);
-
- if (n)
- return LWS_TLS_EXTANT_NO;
-#endif
-#endif
- return LWS_TLS_EXTANT_YES;
-}
-
-/*
- * LWS_TLS_EXTANT_NO : skip adding the cert
- * LWS_TLS_EXTANT_YES : use the cert and private key paths normally
- * LWS_TLS_EXTANT_ALTERNATIVE: normal paths not usable, try alternate if poss
- */
-enum lws_tls_extant
-lws_tls_generic_cert_checks(struct lws_vhost *vhost, const char *cert,
- const char *private_key)
-{
- int n, m;
-
- /*
- * The user code can choose to either pass the cert and
- * key filepaths using the info members like this, or it can
- * leave them NULL; force the vhost SSL_CTX init using the info
- * options flag LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX; and
- * set up the cert himself using the user callback
- * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS, which
- * happened just above and has the vhost SSL_CTX * in the user
- * parameter.
- */
-
- if (!cert || !private_key)
- return LWS_TLS_EXTANT_NO;
-
- n = lws_tls_use_any_upgrade_check_extant(cert);
- if (n == LWS_TLS_EXTANT_ALTERNATIVE)
- return LWS_TLS_EXTANT_ALTERNATIVE;
- m = lws_tls_use_any_upgrade_check_extant(private_key);
- if (m == LWS_TLS_EXTANT_ALTERNATIVE)
- return LWS_TLS_EXTANT_ALTERNATIVE;
-
- if ((n == LWS_TLS_EXTANT_NO || m == LWS_TLS_EXTANT_NO) &&
- (vhost->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT)) {
- lwsl_notice("Ignoring missing %s or %s\n", cert, private_key);
- vhost->tls.skipped_certs = 1;
-
- return LWS_TLS_EXTANT_NO;
- }
-
- /*
- * the cert + key exist
- */
-
- return LWS_TLS_EXTANT_YES;
-}
-
-#if !defined(LWS_NO_SERVER)
-/*
- * update the cert for every vhost using the given path
- */
-
-LWS_VISIBLE int
-lws_tls_cert_updated(struct lws_context *context, const char *certpath,
- const char *keypath,
- const char *mem_cert, size_t len_mem_cert,
- const char *mem_privkey, size_t len_mem_privkey)
-{
- struct lws wsi;
-
- wsi.context = context;
-
- lws_start_foreach_ll(struct lws_vhost *, v, context->vhost_list) {
- wsi.vhost = v; /* not a real bound wsi */
- if (v->tls.alloc_cert_path && v->tls.key_path &&
- !strcmp(v->tls.alloc_cert_path, certpath) &&
- !strcmp(v->tls.key_path, keypath)) {
- lws_tls_server_certs_load(v, &wsi, certpath, keypath,
- mem_cert, len_mem_cert,
- mem_privkey, len_mem_privkey);
-
- if (v->tls.skipped_certs)
- lwsl_notice("%s: vhost %s: cert unset\n",
- __func__, v->name);
- }
- } lws_end_foreach_ll(v, vhost_next);
-
- return 0;
-}
-#endif
-
-int
-lws_gate_accepts(struct lws_context *context, int on)
-{
- struct lws_vhost *v = context->vhost_list;
-
- lwsl_notice("%s: on = %d\n", __func__, on);
-
-#if defined(LWS_WITH_STATS)
- context->updated = 1;
-#endif
-
- while (v) {
- if (v->tls.use_ssl && v->lserv_wsi &&
- lws_change_pollfd(v->lserv_wsi, (LWS_POLLIN) * !on,
- (LWS_POLLIN) * on))
- lwsl_notice("Unable to set accept POLLIN %d\n", on);
-
- v = v->vhost_next;
- }
-
- return 0;
-}
-
-/* comma-separated alpn list, like "h2,http/1.1" to openssl alpn format */
-
-int
-lws_alpn_comma_to_openssl(const char *comma, uint8_t *os, int len)
-{
- uint8_t *oos = os, *plen = NULL;
-
- while (*comma && len > 1) {
- if (!plen && *comma == ' ') {
- comma++;
- continue;
- }
- if (!plen) {
- plen = os++;
- len--;
- }
-
- if (*comma == ',') {
- *plen = lws_ptr_diff(os, plen + 1);
- plen = NULL;
- comma++;
- } else {
- *os++ = *comma++;
- len--;
- }
- }
-
- if (plen)
- *plen = lws_ptr_diff(os, plen + 1);
-
- return lws_ptr_diff(os, oos);
-}
-