diff options
Diffstat (limited to 'thirdparty/lws/mbedtls_wrapper')
4 files changed, 96 insertions, 19 deletions
diff --git a/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h b/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h index 45198bc978..2ca438c422 100644 --- a/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h +++ b/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h @@ -215,6 +215,7 @@ struct ssl_st int (*verify_callback) (int ok, X509_STORE_CTX *ctx); int rwstate; + int interrupted_remaining_write; long verify_result; diff --git a/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h b/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h index 2ffd7e7544..eca68f20d1 100644 --- a/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h +++ b/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h @@ -25,11 +25,13 @@ */ #include "string.h" -#if defined(__APPLE__) || defined(__FreeBSD__) +/* GODOT ADDITION */ +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) #include <stdlib.h> #else #include "malloc.h" #endif +/* END GODOT ADDITION */ void *ssl_mem_zalloc(size_t size); diff --git a/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c b/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c index 187fc9f005..d8fdd06fad 100644 --- a/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c +++ b/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c @@ -142,9 +142,9 @@ int SSL_get_error(const SSL *ssl, int ret_code) ret = SSL_ERROR_NONE; else if (ret_code < 0) { - if (SSL_want_read(ssl)) + if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl)) ret = SSL_ERROR_WANT_READ; - else if (SSL_want_write(ssl)) + else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl)) ret = SSL_ERROR_WANT_WRITE; else ret = SSL_ERROR_SYSCALL; //unknown @@ -457,7 +457,7 @@ int SSL_read(SSL *ssl, void *buffer, int len) int SSL_write(SSL *ssl, const void *buffer, int len) { int ret; - int send_bytes; + int send_bytes, bytes; const unsigned char *pbuf; SSL_ASSERT1(ssl); @@ -470,25 +470,36 @@ int SSL_write(SSL *ssl, const void *buffer, int len) pbuf = (const unsigned char *)buffer; do { - int bytes; - if (send_bytes > SSL_SEND_DATA_MAX_LENGTH) bytes = SSL_SEND_DATA_MAX_LENGTH; else bytes = send_bytes; + if (ssl->interrupted_remaining_write) { + bytes = ssl->interrupted_remaining_write; + ssl->interrupted_remaining_write = 0; + } + ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes); + //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes); + /* the return is a NEGATIVE OpenSSL error code, or the length sent */ if (ret > 0) { pbuf += ret; send_bytes -= ret; - } - } while (ret > 0 && send_bytes); + } else + ssl->interrupted_remaining_write = bytes; + } while (ret > 0 && send_bytes && ret == bytes); if (ret >= 0) { ret = len - send_bytes; - ssl->rwstate = SSL_NOTHING; - } else - ret = -1; + if (!ret) + ssl->rwstate = SSL_NOTHING; + } else { + if (send_bytes == len) + ret = -1; + else + ret = len - send_bytes; + } return ret; } diff --git a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c index 536733fbab..4e3d611095 100644 --- a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c +++ b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c @@ -218,7 +218,7 @@ static int ssl_pm_reload_crt(SSL *ssl) struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm; if (ssl->verify_mode == SSL_VERIFY_PEER) - mode = MBEDTLS_SSL_VERIFY_REQUIRED; + mode = MBEDTLS_SSL_VERIFY_OPTIONAL; else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT) mode = MBEDTLS_SSL_VERIFY_OPTIONAL; else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE) @@ -360,17 +360,52 @@ int ssl_pm_read(SSL *ssl, void *buffer, int len) return ret; } +/* + * This returns -1, or the length sent. + * If -1, then you need to find out if the error was + * fatal or recoverable using SSL_get_error() + */ int ssl_pm_send(SSL *ssl, const void *buffer, int len) { int ret; struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len); + /* + * We can get a positive number, which may be less than len... that + * much was sent successfully and you can call again to send more. + * + * We can get a negative mbedtls error code... if WANT_WRITE or WANT_READ, + * it's nonfatal and means it should be retried as-is. If something else, + * it's fatal actually. + * + * If this function returns something other than a positive value or + * MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context becomes unusable, and + * you should either free it or call mbedtls_ssl_session_reset() on it + * before re-using it for a new connection; the current connection must + * be closed. + * + * When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be + * called later with the same arguments, until it returns a positive value. + */ + if (ret < 0) { - if (ret == MBEDTLS_ERR_NET_CONN_RESET) + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret); + switch (ret) { + case MBEDTLS_ERR_NET_CONN_RESET: ssl->err = SSL_ERROR_SYSCALL; - SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret); - ret = -1; + break; + case MBEDTLS_ERR_SSL_WANT_WRITE: + ssl->err = SSL_ERROR_WANT_WRITE; + break; + case MBEDTLS_ERR_SSL_WANT_READ: + ssl->err = SSL_ERROR_WANT_READ; + break; + default: + break; + } + + ret = -1; } return ret; @@ -677,11 +712,39 @@ long ssl_pm_get_verify_result(const SSL *ssl) struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl); - if (ret) { - SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret); + + if (!ret) + return X509_V_OK; + + if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED || + (ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED)) + // Allows us to use LCCSCF_ALLOW_SELFSIGNED to skip verification + verify_result = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + + else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) + verify_result = X509_V_ERR_HOSTNAME_MISMATCH; + + else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) || + (ret & MBEDTLS_X509_BADCRL_BAD_KEY)) + verify_result = X509_V_ERR_CA_KEY_TOO_SMALL; + + else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) || + (ret & MBEDTLS_X509_BADCRL_BAD_MD)) + verify_result = X509_V_ERR_CA_MD_TOO_WEAK; + + else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) || + (ret & MBEDTLS_X509_BADCRL_FUTURE)) + verify_result = X509_V_ERR_CERT_NOT_YET_VALID; + + else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) || + (ret & MBEDTLS_X509_BADCRL_EXPIRED)) + verify_result = X509_V_ERR_CERT_HAS_EXPIRED; + + else verify_result = X509_V_ERR_UNSPECIFIED; - } else - verify_result = X509_V_OK; + + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_ssl_get_verify_result() return 0x%x", ret); return verify_result; } |