summaryrefslogtreecommitdiff
path: root/thirdparty/libwebsockets/lib/tls/tls.c
diff options
context:
space:
mode:
Diffstat (limited to 'thirdparty/libwebsockets/lib/tls/tls.c')
-rw-r--r--thirdparty/libwebsockets/lib/tls/tls.c505
1 files changed, 505 insertions, 0 deletions
diff --git a/thirdparty/libwebsockets/lib/tls/tls.c b/thirdparty/libwebsockets/lib/tls/tls.c
new file mode 100644
index 0000000000..a32951689f
--- /dev/null
+++ b/thirdparty/libwebsockets/lib/tls/tls.c
@@ -0,0 +1,505 @@
+/*
+ * libwebsockets - small server side websockets and web server implementation
+ *
+ * Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation:
+ * version 2.1 of the License.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+
+#include "core/private.h"
+
+/*
+ * fakes POLLIN on all tls guys with buffered rx
+ *
+ * returns nonzero if any tls guys had POLLIN faked
+ */
+
+int
+lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt)
+{
+ int ret = 0;
+
+ lws_start_foreach_dll_safe(struct lws_dll_lws *, p, p1,
+ pt->tls.pending_tls_head.next) {
+ struct lws *wsi = lws_container_of(p, struct lws,
+ tls.pending_tls_list);
+
+ pt->fds[wsi->position_in_fds_table].revents |=
+ pt->fds[wsi->position_in_fds_table].events & LWS_POLLIN;
+ ret |= pt->fds[wsi->position_in_fds_table].revents & LWS_POLLIN;
+
+ } lws_end_foreach_dll_safe(p, p1);
+
+ return !!ret;
+}
+
+void
+__lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi)
+{
+ if (lws_dll_is_null(&wsi->tls.pending_tls_list))
+ return;
+
+ lws_dll_lws_remove(&wsi->tls.pending_tls_list);
+}
+
+void
+lws_ssl_remove_wsi_from_buffered_list(struct lws *wsi)
+{
+ struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
+
+ lws_pt_lock(pt, __func__);
+ __lws_ssl_remove_wsi_from_buffered_list(wsi);
+ lws_pt_unlock(pt);
+}
+
+#if defined(LWS_WITH_ESP32)
+int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
+ lws_filepos_t *amount)
+{
+ nvs_handle nvh;
+ size_t s;
+ int n = 0;
+
+ ESP_ERROR_CHECK(nvs_open("lws-station", NVS_READWRITE, &nvh));
+ if (nvs_get_blob(nvh, filename, NULL, &s) != ESP_OK) {
+ n = 1;
+ goto bail;
+ }
+ *buf = lws_malloc(s + 1, "alloc_file");
+ if (!*buf) {
+ n = 2;
+ goto bail;
+ }
+ if (nvs_get_blob(nvh, filename, (char *)*buf, &s) != ESP_OK) {
+ lws_free(*buf);
+ n = 1;
+ goto bail;
+ }
+
+ *amount = s;
+ (*buf)[s] = '\0';
+
+ lwsl_notice("%s: nvs: read %s, %d bytes\n", __func__, filename, (int)s);
+
+bail:
+ nvs_close(nvh);
+
+ return n;
+}
+#else
+int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
+ lws_filepos_t *amount)
+{
+ FILE *f;
+ size_t s;
+ int n = 0;
+
+ f = fopen(filename, "rb");
+ if (f == NULL) {
+ n = 1;
+ goto bail;
+ }
+
+ if (fseek(f, 0, SEEK_END) != 0) {
+ n = 1;
+ goto bail;
+ }
+
+ s = ftell(f);
+ if (s == (size_t)-1) {
+ n = 1;
+ goto bail;
+ }
+
+ if (fseek(f, 0, SEEK_SET) != 0) {
+ n = 1;
+ goto bail;
+ }
+
+ *buf = lws_malloc(s, "alloc_file");
+ if (!*buf) {
+ n = 2;
+ goto bail;
+ }
+
+ if (fread(*buf, s, 1, f) != 1) {
+ lws_free(*buf);
+ n = 1;
+ goto bail;
+ }
+
+ *amount = s;
+
+bail:
+ if (f)
+ fclose(f);
+
+ return n;
+
+}
+#endif
+
+int
+lws_tls_alloc_pem_to_der_file(struct lws_context *context, const char *filename,
+ const char *inbuf, lws_filepos_t inlen,
+ uint8_t **buf, lws_filepos_t *amount)
+{
+ const uint8_t *pem, *p, *end;
+ lws_filepos_t len;
+ uint8_t *q;
+ int n;
+
+ if (filename) {
+ n = alloc_file(context, filename, (uint8_t **)&pem, &len);
+ if (n)
+ return n;
+ } else {
+ pem = (const uint8_t *)inbuf;
+ len = inlen;
+ }
+
+ /* trim the first line */
+
+ p = pem;
+ end = p + len;
+ if (strncmp((char *)p, "-----", 5))
+ goto bail;
+ p += 5;
+ while (p < end && *p != '\n' && *p != '-')
+ p++;
+
+ if (*p != '-')
+ goto bail;
+
+ while (p < end && *p != '\n')
+ p++;
+
+ if (p >= end)
+ goto bail;
+
+ p++;
+
+ /* trim the last line */
+
+ q = (uint8_t *)end - 2;
+
+ while (q > pem && *q != '\n')
+ q--;
+
+ if (*q != '\n')
+ goto bail;
+
+ *q = '\0';
+
+ *amount = lws_b64_decode_string((char *)p, (char *)pem,
+ (int)(long long)len);
+ *buf = (uint8_t *)pem;
+
+ return 0;
+
+bail:
+ lws_free((uint8_t *)pem);
+
+ return 4;
+}
+
+int
+lws_tls_check_cert_lifetime(struct lws_vhost *v)
+{
+ time_t now = (time_t)lws_now_secs(), life = 0;
+ struct lws_acme_cert_aging_args caa;
+ union lws_tls_cert_info_results ir;
+ int n;
+
+ if (v->tls.ssl_ctx && !v->tls.skipped_certs) {
+
+ if (now < 1542933698) /* Nov 23 2018 00:42 UTC */
+ /* our clock is wrong and we can't judge the certs */
+ return -1;
+
+ n = lws_tls_vhost_cert_info(v, LWS_TLS_CERT_INFO_VALIDITY_TO,
+ &ir, 0);
+ if (n)
+ return 1;
+
+ life = (ir.time - now) / (24 * 3600);
+ lwsl_notice(" vhost %s: cert expiry: %dd\n", v->name,
+ (int)life);
+ } else
+ lwsl_notice(" vhost %s: no cert\n", v->name);
+
+ memset(&caa, 0, sizeof(caa));
+ caa.vh = v;
+ lws_broadcast(v->context, LWS_CALLBACK_VHOST_CERT_AGING, (void *)&caa,
+ (size_t)(ssize_t)life);
+
+ return 0;
+}
+
+int
+lws_tls_check_all_cert_lifetimes(struct lws_context *context)
+{
+ struct lws_vhost *v = context->vhost_list;
+
+ while (v) {
+ if (lws_tls_check_cert_lifetime(v) < 0)
+ return -1;
+ v = v->vhost_next;
+ }
+
+ return 0;
+}
+#if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE)
+static int
+lws_tls_extant(const char *name)
+{
+ /* it exists if we can open it... */
+ int fd = open(name, O_RDONLY), n;
+ char buf[1];
+
+ if (fd < 0)
+ return 1;
+
+ /* and we can read at least one byte out of it */
+ n = read(fd, buf, 1);
+ close(fd);
+
+ return n != 1;
+}
+#endif
+/*
+ * Returns 0 if the filepath "name" exists and can be read from.
+ *
+ * In addition, if "name".upd exists, backup "name" to "name.old.1"
+ * and rename "name".upd to "name" before reporting its existence.
+ *
+ * There are four situations and three results possible:
+ *
+ * 1) LWS_TLS_EXTANT_NO: There are no certs at all (we are waiting for them to
+ * be provisioned). We also feel like this if we need privs we don't have
+ * any more to look in the directory.
+ *
+ * 2) There are provisioned certs written (xxx.upd) and we still have root
+ * privs... in this case we rename any existing cert to have a backup name
+ * and move the upd cert into place with the correct name. This then becomes
+ * situation 4 for the caller.
+ *
+ * 3) LWS_TLS_EXTANT_ALTERNATIVE: There are provisioned certs written (xxx.upd)
+ * but we no longer have the privs needed to read or rename them. In this
+ * case, indicate that the caller should use temp copies if any we do have
+ * rights to access. This is normal after we have updated the cert.
+ *
+ * But if we dropped privs, we can't detect the provisioned xxx.upd cert +
+ * key, because we can't see in the dir. So we have to upgrade NO to
+ * ALTERNATIVE when we actually have the in-memory alternative.
+ *
+ * 4) LWS_TLS_EXTANT_YES: The certs are present with the correct name and we
+ * have the rights to read them.
+ */
+enum lws_tls_extant
+lws_tls_use_any_upgrade_check_extant(const char *name)
+{
+#if !defined(LWS_PLAT_OPTEE)
+
+ int n;
+
+#if !defined(LWS_WITH_ESP32)
+ char buf[256];
+
+ lws_snprintf(buf, sizeof(buf) - 1, "%s.upd", name);
+ if (!lws_tls_extant(buf)) {
+ /* ah there is an updated file... how about the desired file? */
+ if (!lws_tls_extant(name)) {
+ /* rename the desired file */
+ for (n = 0; n < 50; n++) {
+ lws_snprintf(buf, sizeof(buf) - 1,
+ "%s.old.%d", name, n);
+ if (!rename(name, buf))
+ break;
+ }
+ if (n == 50) {
+ lwsl_notice("unable to rename %s\n", name);
+
+ return LWS_TLS_EXTANT_ALTERNATIVE;
+ }
+ lws_snprintf(buf, sizeof(buf) - 1, "%s.upd", name);
+ }
+ /* desired file is out of the way, rename the updated file */
+ if (rename(buf, name)) {
+ lwsl_notice("unable to rename %s to %s\n", buf, name);
+
+ return LWS_TLS_EXTANT_ALTERNATIVE;
+ }
+ }
+
+ if (lws_tls_extant(name))
+ return LWS_TLS_EXTANT_NO;
+#else
+ nvs_handle nvh;
+ size_t s = 8192;
+
+ if (nvs_open("lws-station", NVS_READWRITE, &nvh)) {
+ lwsl_notice("%s: can't open nvs\n", __func__);
+ return LWS_TLS_EXTANT_NO;
+ }
+
+ n = nvs_get_blob(nvh, name, NULL, &s);
+ nvs_close(nvh);
+
+ if (n)
+ return LWS_TLS_EXTANT_NO;
+#endif
+#endif
+ return LWS_TLS_EXTANT_YES;
+}
+
+/*
+ * LWS_TLS_EXTANT_NO : skip adding the cert
+ * LWS_TLS_EXTANT_YES : use the cert and private key paths normally
+ * LWS_TLS_EXTANT_ALTERNATIVE: normal paths not usable, try alternate if poss
+ */
+enum lws_tls_extant
+lws_tls_generic_cert_checks(struct lws_vhost *vhost, const char *cert,
+ const char *private_key)
+{
+ int n, m;
+
+ /*
+ * The user code can choose to either pass the cert and
+ * key filepaths using the info members like this, or it can
+ * leave them NULL; force the vhost SSL_CTX init using the info
+ * options flag LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX; and
+ * set up the cert himself using the user callback
+ * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS, which
+ * happened just above and has the vhost SSL_CTX * in the user
+ * parameter.
+ */
+
+ if (!cert || !private_key)
+ return LWS_TLS_EXTANT_NO;
+
+ n = lws_tls_use_any_upgrade_check_extant(cert);
+ if (n == LWS_TLS_EXTANT_ALTERNATIVE)
+ return LWS_TLS_EXTANT_ALTERNATIVE;
+ m = lws_tls_use_any_upgrade_check_extant(private_key);
+ if (m == LWS_TLS_EXTANT_ALTERNATIVE)
+ return LWS_TLS_EXTANT_ALTERNATIVE;
+
+ if ((n == LWS_TLS_EXTANT_NO || m == LWS_TLS_EXTANT_NO) &&
+ (vhost->options & LWS_SERVER_OPTION_IGNORE_MISSING_CERT)) {
+ lwsl_notice("Ignoring missing %s or %s\n", cert, private_key);
+ vhost->tls.skipped_certs = 1;
+
+ return LWS_TLS_EXTANT_NO;
+ }
+
+ /*
+ * the cert + key exist
+ */
+
+ return LWS_TLS_EXTANT_YES;
+}
+
+#if !defined(LWS_NO_SERVER)
+/*
+ * update the cert for every vhost using the given path
+ */
+
+LWS_VISIBLE int
+lws_tls_cert_updated(struct lws_context *context, const char *certpath,
+ const char *keypath,
+ const char *mem_cert, size_t len_mem_cert,
+ const char *mem_privkey, size_t len_mem_privkey)
+{
+ struct lws wsi;
+
+ wsi.context = context;
+
+ lws_start_foreach_ll(struct lws_vhost *, v, context->vhost_list) {
+ wsi.vhost = v; /* not a real bound wsi */
+ if (v->tls.alloc_cert_path && v->tls.key_path &&
+ !strcmp(v->tls.alloc_cert_path, certpath) &&
+ !strcmp(v->tls.key_path, keypath)) {
+ lws_tls_server_certs_load(v, &wsi, certpath, keypath,
+ mem_cert, len_mem_cert,
+ mem_privkey, len_mem_privkey);
+
+ if (v->tls.skipped_certs)
+ lwsl_notice("%s: vhost %s: cert unset\n",
+ __func__, v->name);
+ }
+ } lws_end_foreach_ll(v, vhost_next);
+
+ return 0;
+}
+#endif
+
+int
+lws_gate_accepts(struct lws_context *context, int on)
+{
+ struct lws_vhost *v = context->vhost_list;
+
+ lwsl_notice("%s: on = %d\n", __func__, on);
+
+#if defined(LWS_WITH_STATS)
+ context->updated = 1;
+#endif
+
+ while (v) {
+ if (v->tls.use_ssl && v->lserv_wsi &&
+ lws_change_pollfd(v->lserv_wsi, (LWS_POLLIN) * !on,
+ (LWS_POLLIN) * on))
+ lwsl_notice("Unable to set accept POLLIN %d\n", on);
+
+ v = v->vhost_next;
+ }
+
+ return 0;
+}
+
+/* comma-separated alpn list, like "h2,http/1.1" to openssl alpn format */
+
+int
+lws_alpn_comma_to_openssl(const char *comma, uint8_t *os, int len)
+{
+ uint8_t *oos = os, *plen = NULL;
+
+ while (*comma && len > 1) {
+ if (!plen && *comma == ' ') {
+ comma++;
+ continue;
+ }
+ if (!plen) {
+ plen = os++;
+ len--;
+ }
+
+ if (*comma == ',') {
+ *plen = lws_ptr_diff(os, plen + 1);
+ plen = NULL;
+ comma++;
+ } else {
+ *os++ = *comma++;
+ len--;
+ }
+ }
+
+ if (plen)
+ *plen = lws_ptr_diff(os, plen + 1);
+
+ return lws_ptr_diff(os, oos);
+}
+