/* * libwebsockets - mbedTLS-specific server functions * * Copyright (C) 2010-2017 Andy Green * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation: * version 2.1 of the License. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301 USA */ #include "core/private.h" #include int lws_tls_server_client_cert_verify_config(struct lws_vhost *vh) { int verify_options = SSL_VERIFY_PEER; /* as a server, are we requiring clients to identify themselves? */ if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) { lwsl_notice("no client cert required\n"); return 0; } /* * The wrapper has this messed-up mapping: * * else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT) * mode = MBEDTLS_SSL_VERIFY_OPTIONAL; * * ie the meaning is inverted. So where we should test for ! we don't */ if (lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED)) verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT; lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name, verify_options); SSL_CTX_set_verify(vh->tls.ssl_ctx, verify_options, NULL); return 0; } static int lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx, const unsigned char *servername, size_t len) { SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx); struct lws_context *context = (struct lws_context *)arg; struct lws_vhost *vhost, *vh; lwsl_notice("%s: %s\n", __func__, servername); /* * We can only get ssl accepted connections by using a vhost's ssl_ctx * find out which listening one took us and only match vhosts on the * same port. */ vh = context->vhost_list; while (vh) { if (!vh->being_destroyed && vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl)) break; vh = vh->vhost_next; } if (!vh) { assert(vh); /* can't match the incoming vh? */ return 0; } vhost = lws_select_vhost(context, vh->listen_port, (const char *)servername); if (!vhost) { lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port); return 0; } lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername, vh->listen_port, vhost->name); /* select the ssl ctx from the selected vhost for this conn */ SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx); return 0; } int lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, const char *cert, const char *private_key, const char *mem_cert, size_t len_mem_cert, const char *mem_privkey, size_t mem_privkey_len) { int n, f = 0; const char *filepath = private_key; uint8_t *mem = NULL, *p = NULL; size_t mem_len = 0; lws_filepos_t flen; long err; if ((!cert || !private_key) && (!mem_cert || !mem_privkey)) { lwsl_notice("%s: no usable input\n", __func__); return 0; } n = lws_tls_generic_cert_checks(vhost, cert, private_key); if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey)) return 0; /* * we can't read the root-privs files. But if mem_cert is provided, * we should use that. */ if (n == LWS_TLS_EXTANT_NO) n = LWS_TLS_EXTANT_ALTERNATIVE; if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey)) return 1; /* no alternative */ if (n == LWS_TLS_EXTANT_ALTERNATIVE) { /* * Although we have prepared update certs, we no longer have * the rights to read our own cert + key we saved. * * If we were passed copies in memory buffers, use those * instead. * * The passed memory-buffer cert image is in DER, and the * memory-buffer private key image is PEM. */ /* mem cert is already DER */ p = (uint8_t *)mem_cert; flen = len_mem_cert; /* mem private key is PEM, so go through the motions */ mem = (uint8_t *)mem_privkey; mem_len = mem_privkey_len; filepath = NULL; } else { if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, NULL, 0, &p, &flen)) { lwsl_err("couldn't find cert file %s\n", cert); return 1; } f = 1; } err = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, flen, p); if (!err) { free(p); lwsl_err("Problem loading cert\n"); return 1; } if (f) free(p); p = NULL; if (private_key || n == LWS_TLS_EXTANT_ALTERNATIVE) { if (lws_tls_alloc_pem_to_der_file(vhost->context, filepath, (char *)mem, mem_len, &p, &flen)) { lwsl_err("couldn't find private key file %s\n", private_key); return 1; } err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, p, flen); if (!err) { free(p); lwsl_err("Problem loading key\n"); return 1; } } if (p && !mem_privkey) { free(p); p = NULL; } if (!private_key && !mem_privkey && vhost->protocols[0].callback(wsi, LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY, vhost->tls.ssl_ctx, NULL, 0)) { lwsl_err("ssl private key not set\n"); return 1; } vhost->tls.skipped_certs = 0; return 0; } int lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info, struct lws_vhost *vhost, struct lws *wsi) { const SSL_METHOD *method = TLS_server_method(); uint8_t *p; lws_filepos_t flen; int n; vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */ if (!vhost->tls.ssl_ctx) { lwsl_err("problem creating ssl context\n"); return 1; } if (!vhost->tls.use_ssl || !info->ssl_cert_filepath) return 0; if (info->ssl_ca_filepath) { lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__, vhost->name, info->ssl_ca_filepath); if (lws_tls_alloc_pem_to_der_file(vhost->context, info->ssl_ca_filepath, NULL, 0, &p, &flen)) { lwsl_err("couldn't find client CA file %s\n", info->ssl_ca_filepath); return 1; } if (SSL_CTX_add_client_CA_ASN1(vhost->tls.ssl_ctx, (int)flen, p) != 1) { lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n", __func__); free(p); return 1; } free(p); } n = lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath, info->ssl_private_key_filepath, NULL, 0, NULL, 0); if (n) return n; return 0; } int lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd) { errno = 0; wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx); if (wsi->tls.ssl == NULL) { lwsl_err("SSL_new failed: errno %d\n", errno); lws_ssl_elaborate_error(); return 1; } SSL_set_fd(wsi->tls.ssl, accept_fd); if (wsi->vhost->tls.ssl_info_event_mask) SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback); SSL_set_sni_callback(wsi->tls.ssl, lws_mbedtls_sni_cb, wsi->context); return 0; } int lws_tls_server_abort_connection(struct lws *wsi) { __lws_tls_shutdown(wsi); SSL_free(wsi->tls.ssl); return 0; } enum lws_ssl_capable_status lws_tls_server_accept(struct lws *wsi) { union lws_tls_cert_info_results ir; int m, n; n = SSL_accept(wsi->tls.ssl); if (n == 1) { if (strstr(wsi->vhost->name, ".invalid")) { lwsl_notice("%s: vhost has .invalid, " "rejecting accept\n", __func__); return LWS_SSL_CAPABLE_ERROR; } n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME, &ir, sizeof(ir.ns.name)); if (!n) lwsl_notice("%s: client cert CN '%s'\n", __func__, ir.ns.name); else lwsl_info("%s: couldn't get client cert CN\n", __func__); return LWS_SSL_CAPABLE_DONE; } m = SSL_get_error(wsi->tls.ssl, n); lwsl_debug("%s: %p: accept SSL_get_error %d errno %d\n", __func__, wsi, m, errno); // mbedtls wrapper only if (m == SSL_ERROR_SYSCALL && errno == 11) return LWS_SSL_CAPABLE_MORE_SERVICE_READ; if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL) return LWS_SSL_CAPABLE_ERROR; if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) { if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) { lwsl_info("%s: WANT_READ change_pollfd failed\n", __func__); return LWS_SSL_CAPABLE_ERROR; } lwsl_info("SSL_ERROR_WANT_READ\n"); return LWS_SSL_CAPABLE_MORE_SERVICE_READ; } if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) { lwsl_debug("%s: WANT_WRITE\n", __func__); if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) { lwsl_info("%s: WANT_WRITE change_pollfd failed\n", __func__); return LWS_SSL_CAPABLE_ERROR; } return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE; } return LWS_SSL_CAPABLE_ERROR; } #if defined(LWS_WITH_ACME) /* * mbedtls doesn't support SAN for cert creation. So we use a known-good * tls-sni-01 cert from OpenSSL that worked on Let's Encrypt, and just replace * the pubkey n part and the signature part. * * This will need redoing for tls-sni-02... */ static uint8_t ss_cert_leadin[] = { 0x30, 0x82, 0x05, 0x56, /* total length: LEN1 (+2 / +3) (correct for 513 + 512)*/ 0x30, 0x82, /* length: LEN2 (+6 / +7) (correct for 513) */ 0x03, 0x3e, /* addition: v3 cert (+5 bytes)*/ 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x74, 0x65, 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d, /* from 2017-10-29 ... */ 0x31, 0x37, 0x31, 0x30, 0x32, 0x39, 0x31, 0x31, 0x34, 0x39, 0x34, 0x35, 0x5a, 0x17, 0x0d, /* thru 2049-10-29 we immediately discard the private key, no worries */ 0x34, 0x39, 0x31, 0x30, 0x32, 0x39, 0x31, 0x32, 0x34, 0x39, 0x34, 0x35, 0x5a, 0x30, 0x3f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x74, 0x65, 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x30, 0x82, 0x02, 0x22, /* LEN3 (+C3 / C4) */ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, /* LEN4 (+D6 / D7) */ 0x00, 0x30, 0x82, 0x02, 0x0a, /* LEN5 (+ DB / DC) */ 0x02, 0x82, //0x02, 0x01, /* length of n in bytes (including leading 00 if any) */ }, /* 1 + (keybits / 8) bytes N */ ss_cert_san_leadin[] = { /* e - fixed */ 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x59, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x52, 0x30, 0x50, /* <-- SAN length + 2 */ 0x82, 0x4e, /* <-- SAN length */ }, /* 78 bytes of SAN (tls-sni-01) 0x61, 0x64, 0x34, 0x31, 0x61, 0x66, 0x62, 0x65, 0x30, 0x63, 0x61, 0x34, 0x36, 0x34, 0x32, 0x66, 0x30, 0x61, 0x34, 0x34, 0x39, 0x64, 0x39, 0x63, 0x61, 0x37, 0x36, 0x65, 0x62, 0x61, 0x61, 0x62, 0x2e, 0x32, 0x38, 0x39, 0x34, 0x64, 0x34, 0x31, 0x36, 0x63, 0x39, 0x38, 0x33, 0x66, 0x31, 0x32, 0x65, 0x64, 0x37, 0x33, 0x31, 0x61, 0x33, 0x30, 0x66, 0x35, 0x63, 0x34, 0x34, 0x37, 0x37, 0x66, 0x65, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, */ /* end of LEN2 area */ ss_cert_sig_leadin[] = { /* it's saying that the signature is SHA256 + RSA */ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, }; /* (keybits / 8) bytes signature to end of LEN1 area */ #define SAN_A_LENGTH 78 LWS_VISIBLE int lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a, const char *san_b) { int buflen = 0x560; uint8_t *buf = lws_malloc(buflen, "tmp cert buf"), *p = buf, *pkey_asn1; struct lws_genrsa_ctx ctx; struct lws_genrsa_elements el; uint8_t digest[32]; struct lws_genhash_ctx hash_ctx; int pkey_asn1_len = 3 * 1024; int n, m, keybits = lws_plat_recommended_rsa_bits(), adj; if (!buf) return 1; n = lws_genrsa_new_keypair(vhost->context, &ctx, &el, keybits); if (n < 0) { lws_jwk_destroy_genrsa_elements(&el); goto bail1; } n = sizeof(ss_cert_leadin); memcpy(p, ss_cert_leadin, n); p += n; adj = (0x0556 - 0x401) + (keybits / 4) + 1; buf[2] = adj >> 8; buf[3] = adj & 0xff; adj = (0x033e - 0x201) + (keybits / 8) + 1; buf[6] = adj >> 8; buf[7] = adj & 0xff; adj = (0x0222 - 0x201) + (keybits / 8) + 1; buf[0xc3] = adj >> 8; buf[0xc4] = adj & 0xff; adj = (0x020f - 0x201) + (keybits / 8) + 1; buf[0xd6] = adj >> 8; buf[0xd7] = adj & 0xff; adj = (0x020a - 0x201) + (keybits / 8) + 1; buf[0xdb] = adj >> 8; buf[0xdc] = adj & 0xff; *p++ = ((keybits / 8) + 1) >> 8; *p++ = ((keybits / 8) + 1) & 0xff; /* we need to drop 1 + (keybits / 8) bytes of n in here, 00 + key */ *p++ = 0x00; memcpy(p, el.e[JWK_KEY_N].buf, el.e[JWK_KEY_N].len); p += el.e[JWK_KEY_N].len; memcpy(p, ss_cert_san_leadin, sizeof(ss_cert_san_leadin)); p += sizeof(ss_cert_san_leadin); /* drop in 78 bytes of san_a */ memcpy(p, san_a, SAN_A_LENGTH); p += SAN_A_LENGTH; memcpy(p, ss_cert_sig_leadin, sizeof(ss_cert_sig_leadin)); p[17] = ((keybits / 8) + 1) >> 8; p[18] = ((keybits / 8) + 1) & 0xff; p += sizeof(ss_cert_sig_leadin); /* hash the cert plaintext */ if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256)) goto bail2; if (lws_genhash_update(&hash_ctx, buf, lws_ptr_diff(p, buf))) { lws_genhash_destroy(&hash_ctx, NULL); goto bail2; } if (lws_genhash_destroy(&hash_ctx, digest)) goto bail2; /* sign the hash */ n = lws_genrsa_public_sign(&ctx, digest, LWS_GENHASH_TYPE_SHA256, p, buflen - lws_ptr_diff(p, buf)); if (n < 0) goto bail2; p += n; pkey_asn1 = lws_malloc(pkey_asn1_len, "mbed crt tmp"); if (!pkey_asn1) goto bail2; m = lws_genrsa_render_pkey_asn1(&ctx, 1, pkey_asn1, pkey_asn1_len); if (m < 0) { lws_free(pkey_asn1); goto bail2; } // lwsl_hexdump_level(LLL_DEBUG, buf, lws_ptr_diff(p, buf)); n = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, lws_ptr_diff(p, buf), buf); if (n != 1) { lws_free(pkey_asn1); lwsl_err("%s: generated cert failed to load 0x%x\n", __func__, -n); } else { //lwsl_debug("private key\n"); //lwsl_hexdump_level(LLL_DEBUG, pkey_asn1, n); /* and to use our generated private key */ n = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, pkey_asn1, m); lws_free(pkey_asn1); if (n != 1) { lwsl_err("%s: SSL_CTX_use_PrivateKey_ASN1 failed\n", __func__); } } lws_genrsa_destroy(&ctx); lws_jwk_destroy_genrsa_elements(&el); lws_free(buf); return n != 1; bail2: lws_genrsa_destroy(&ctx); lws_jwk_destroy_genrsa_elements(&el); bail1: lws_free(buf); return -1; } void lws_tls_acme_sni_cert_destroy(struct lws_vhost *vhost) { } #if defined(LWS_WITH_JWS) static int _rngf(void *context, unsigned char *buf, size_t len) { if ((size_t)lws_get_random(context, buf, len) == len) return 0; return -1; } static const char *x5[] = { "C", "ST", "L", "O", "CN" }; /* * CSR is output formatted as b64url(DER) * Private key is output as a PEM in memory */ LWS_VISIBLE LWS_EXTERN int lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[], uint8_t *dcsr, size_t csr_len, char **privkey_pem, size_t *privkey_len) { mbedtls_x509write_csr csr; mbedtls_pk_context mpk; int buf_size = 4096, n; char subject[200], *p = subject, *end = p + sizeof(subject) - 1; uint8_t *buf = malloc(buf_size); /* malloc because given to user code */ if (!buf) return -1; mbedtls_x509write_csr_init(&csr); mbedtls_pk_init(&mpk); if (mbedtls_pk_setup(&mpk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))) { lwsl_notice("%s: pk_setup failed\n", __func__); goto fail; } n = mbedtls_rsa_gen_key(mbedtls_pk_rsa(mpk), _rngf, context, lws_plat_recommended_rsa_bits(), 65537); if (n) { lwsl_notice("%s: failed to generate keys\n", __func__); goto fail1; } /* subject must be formatted like "C=TW,O=warmcat,CN=myserver" */ for (n = 0; n < (int)LWS_ARRAY_SIZE(x5); n++) { if (p != subject) *p++ = ','; if (elements[n]) p += lws_snprintf(p, end - p, "%s=%s", x5[n], elements[n]); } if (mbedtls_x509write_csr_set_subject_name(&csr, subject)) goto fail1; mbedtls_x509write_csr_set_key(&csr, &mpk); mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256); /* * data is written at the end of the buffer! Use the * return value to determine where you should start * using the buffer */ n = mbedtls_x509write_csr_der(&csr, buf, buf_size, _rngf, context); if (n < 0) { lwsl_notice("%s: write csr der failed\n", __func__); goto fail1; } /* we have it in DER, we need it in b64URL */ n = lws_jws_base64_enc((char *)(buf + buf_size) - n, n, (char *)dcsr, csr_len); if (n < 0) goto fail1; /* * okay, the CSR is done, last we need the private key in PEM * re-use the DER CSR buf as the result buffer since we cn do it in * one step */ if (mbedtls_pk_write_key_pem(&mpk, buf, buf_size)) { lwsl_notice("write key pem failed\n"); goto fail1; } *privkey_pem = (char *)buf; *privkey_len = strlen((const char *)buf); mbedtls_pk_free(&mpk); mbedtls_x509write_csr_free(&csr); return n; fail1: mbedtls_pk_free(&mpk); fail: mbedtls_x509write_csr_free(&csr); free(buf); return -1; } #endif #endif