TcpServer::TcpServer(asio::io_service& io_service, int type, int port, Database* db) :
acceptor_(io_service, tcp::endpoint(tcp::v4(), port)),
context_(asio::ssl::context::sslv3)
{
this->type = type;
this->port = port;
this->db = db;
if(type == GAME_SERVER_SSL || type == GAME_CLIENT_SSL)
{
SSL_CTX_set_cipher_list(context_.native_handle(), "ALL");
SSL_CTX_set_options(context_.native_handle(), SSL_OP_ALL);
SSL_CTX_use_certificate_ASN1(context_.native_handle(), sizeof(SSL_CERT_X509), SSL_CERT_X509);
SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, context_.native_handle(), SSL_CERT_RSA, sizeof(SSL_CERT_RSA));
SSL_CTX_set_verify_depth(context_.native_handle(), 1);
}
start_accept();
debug->notification(1, type, "Created TCP Socket (listening on port %i)", port);
}
LWS_VISIBLE int
lws_context_init_server_ssl(struct lws_context_creation_info *info,
struct lws_vhost *vhost)
{
struct lws_context *context = vhost->context;
struct lws wsi;
unsigned long error;
int n;
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT)) {
vhost->use_ssl = 0;
return 0;
}
/*
* If he is giving a cert filepath, take it as a sign he wants to use
* it on this vhost. User code can leave the cert filepath NULL and
* set the LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX option itself, in
* which case he's expected to set up the cert himself at
* LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS, which
* provides the vhost SSL_CTX * in the user parameter.
*/
if (info->ssl_cert_filepath)
info->options |= LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX;
if (info->port != CONTEXT_PORT_NO_LISTEN) {
vhost->use_ssl = lws_check_opt(info->options,
LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX);
if (vhost->use_ssl && info->ssl_cipher_list)
lwsl_notice(" SSL ciphers: '%s'\n", info->ssl_cipher_list);
if (vhost->use_ssl)
lwsl_notice(" Using SSL mode\n");
else
lwsl_notice(" Using non-SSL mode\n");
}
/*
* give him a fake wsi with context + vhost set, so he can use
* lws_get_context() in the callback
*/
memset(&wsi, 0, sizeof(wsi));
wsi.vhost = vhost;
wsi.context = context;
(void)n;
(void)error;
/*
* Firefox insists on SSLv23 not SSLv3
* Konq disables SSLv2 by default now, SSLv23 works
*
* SSLv23_server_method() is the openssl method for "allow all TLS
* versions", compared to e.g. TLSv1_2_server_method() which only allows
* tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options()
*/
#if !defined(LWS_WITH_MBEDTLS)
{
SSL_METHOD *method;
method = (SSL_METHOD *)SSLv23_server_method();
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
}
vhost->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->ssl_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
}
}
#else
{
const SSL_METHOD *method = TLSv1_2_server_method();
vhost->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->ssl_ctx) {
lwsl_err("problem creating ssl context\n");
return 1;
}
}
#endif
#if !defined(LWS_WITH_MBEDTLS)
/* associate the lws context with the SSL_CTX */
SSL_CTX_set_ex_data(vhost->ssl_ctx,
openssl_SSL_CTX_private_data_index, (char *)vhost->context);
/* Disable SSLv2 and SSLv3 */
SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_NO_COMPRESSION);
#endif
SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (info->ssl_cipher_list)
SSL_CTX_set_cipher_list(vhost->ssl_ctx,
info->ssl_cipher_list);
#endif
/* as a server, are we requiring clients to identify themselves? */
if (lws_check_opt(info->options,
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
int verify_options = SSL_VERIFY_PEER;
if (!lws_check_opt(info->options,
LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
#if !defined(LWS_WITH_MBEDTLS)
SSL_CTX_set_session_id_context(vhost->ssl_ctx,
(unsigned char *)context, sizeof(void *));
/* absolutely require the client cert */
SSL_CTX_set_verify(vhost->ssl_ctx,
verify_options, OpenSSL_verify_callback);
#endif
}
#if !defined(LWS_WITH_MBEDTLS) && !defined(OPENSSL_NO_TLSEXT)
SSL_CTX_set_tlsext_servername_callback(vhost->ssl_ctx,
lws_ssl_server_name_cb);
SSL_CTX_set_tlsext_servername_arg(vhost->ssl_ctx, context);
#endif
/*
* give user code a chance to load certs into the server
* allowing it to verify incoming client certs
*/
#if !defined(LWS_WITH_MBEDTLS)
if (info->ssl_ca_filepath &&
!SSL_CTX_load_verify_locations(vhost->ssl_ctx,
info->ssl_ca_filepath, NULL)) {
lwsl_err("%s: SSL_CTX_load_verify_locations unhappy\n", __func__);
}
#endif
if (vhost->use_ssl) {
if (lws_context_ssl_init_ecdh_curve(info, vhost))
return -1;
vhost->protocols[0].callback(&wsi,
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS,
vhost->ssl_ctx, NULL, 0);
}
if (lws_check_opt(info->options, LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT))
/* Normally SSL listener rejects non-ssl, optionally allow */
vhost->allow_non_ssl_on_ssl_port = 1;
if (info->ssl_options_set)
SSL_CTX_set_options(vhost->ssl_ctx, info->ssl_options_set);
/* SSL_clear_options introduced in 0.9.8m */
#if !defined(LWS_WITH_MBEDTLS)
#if (OPENSSL_VERSION_NUMBER >= 0x009080df) && !defined(USE_WOLFSSL)
if (info->ssl_options_clear)
SSL_CTX_clear_options(vhost->ssl_ctx, info->ssl_options_clear);
#endif
#endif
lwsl_info(" SSL options 0x%lX\n", SSL_CTX_get_options(vhost->ssl_ctx));
if (vhost->use_ssl && info->ssl_cert_filepath) {
/*
* The user code can choose to either pass the cert and
* key filepaths using the info members like this, or it can
* leave them NULL; force the vhost SSL_CTX init using the info
* options flag LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX; and
* set up the cert himself using the user callback
* LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS, which
* happened just above and has the vhost SSL_CTX * in the user
* parameter.
*/
#if !defined(LWS_WITH_MBEDTLS)
/* set the local certificate from CertFile */
n = SSL_CTX_use_certificate_chain_file(vhost->ssl_ctx,
info->ssl_cert_filepath);
if (n != 1) {
error = ERR_get_error();
lwsl_err("problem getting cert '%s' %lu: %s\n",
info->ssl_cert_filepath,
error,
ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
}
lws_ssl_bind_passphrase(vhost->ssl_ctx, info);
#else
uint8_t *p;
lws_filepos_t flen;
int err;
if (alloc_pem_to_der_file(vhost->context, info->ssl_cert_filepath, &p,
&flen)) {
lwsl_err("couldn't find cert file %s\n",
info->ssl_cert_filepath);
return 1;
}
err = SSL_CTX_use_certificate_ASN1(vhost->ssl_ctx, flen, p);
if (!err) {
lwsl_err("Problem loading cert\n");
return 1;
}
#if !defined(LWS_WITH_ESP32)
free(p);
p = NULL;
#endif
if (info->ssl_private_key_filepath) {
if (alloc_pem_to_der_file(vhost->context,
info->ssl_private_key_filepath, &p, &flen)) {
lwsl_err("couldn't find cert file %s\n",
info->ssl_cert_filepath);
return 1;
}
err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->ssl_ctx, p, flen);
if (!err) {
lwsl_err("Problem loading key\n");
return 1;
}
}
#if !defined(LWS_WITH_ESP32)
free(p);
p = NULL;
#endif
#endif
if (info->ssl_private_key_filepath != NULL) {
#if !defined(LWS_WITH_MBEDTLS)
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(vhost->ssl_ctx,
info->ssl_private_key_filepath,
SSL_FILETYPE_PEM) != 1) {
error = ERR_get_error();
lwsl_err("ssl problem getting key '%s' %lu: %s\n",
info->ssl_private_key_filepath, error,
ERR_error_string(error,
(char *)context->pt[0].serv_buf));
return 1;
}
#endif
} else
if (vhost->protocols[0].callback(&wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
#if !defined(LWS_WITH_MBEDTLS)
/* verify private key */
if (!SSL_CTX_check_private_key(vhost->ssl_ctx)) {
lwsl_err("Private SSL key doesn't match cert\n");
return 1;
}
#endif
}
if (vhost->use_ssl) {
if (lws_context_ssl_init_ecdh(vhost))
return 1;
/*
* SSL is happy and has a cert it's content with
* If we're supporting HTTP2, initialize that
*/
lws_context_init_http2_ssl(vhost);
}
return 0;
}
/*
* this may now get called after the vhost creation, when certs become
* available.
*/
int
lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
const char *cert, const char *private_key,
const char *mem_cert, size_t mem_cert_len,
const char *mem_privkey, size_t mem_privkey_len)
{
#if !defined(OPENSSL_NO_EC)
const char *ecdh_curve = "prime256v1";
#if !defined(LWS_WITH_BORINGSSL) && defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
STACK_OF(X509) *extra_certs = NULL;
#endif
EC_KEY *ecdh, *EC_key = NULL;
EVP_PKEY *pkey;
X509 *x = NULL;
int ecdh_nid;
int KeyType;
#endif
unsigned long error;
lws_filepos_t flen;
uint8_t *p;
int ret;
int n = lws_tls_generic_cert_checks(vhost, cert, private_key), m;
(void)ret;
if (!cert && !private_key)
n = LWS_TLS_EXTANT_ALTERNATIVE;
if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey))
return 0;
if (n == LWS_TLS_EXTANT_NO)
n = LWS_TLS_EXTANT_ALTERNATIVE;
if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey))
return 1; /* no alternative */
if (n == LWS_TLS_EXTANT_ALTERNATIVE) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/*
* Although we have prepared update certs, we no longer have
* the rights to read our own cert + key we saved.
*
* If we were passed copies in memory buffers, use those
* in favour of the filepaths we normally want.
*/
cert = NULL;
private_key = NULL;
}
/*
* use the multi-cert interface for backwards compatibility in the
* both simple files case
*/
if (n != LWS_TLS_EXTANT_ALTERNATIVE && cert) {
/* set the local certificate from CertFile */
m = SSL_CTX_use_certificate_chain_file(vhost->tls.ssl_ctx, cert);
if (m != 1) {
error = ERR_get_error();
lwsl_err("problem getting cert '%s' %lu: %s\n",
cert, error, ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
if (private_key) {
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(vhost->tls.ssl_ctx, private_key,
SSL_FILETYPE_PEM) != 1) {
error = ERR_get_error();
lwsl_err("ssl problem getting key '%s' %lu: %s\n",
private_key, error,
ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
} else {
if (vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->tls.ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
}
return 0;
}
/* otherwise allow for DER or PEM, file or memory image */
if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, mem_cert,
mem_cert_len, &p, &flen)) {
lwsl_err("%s: couldn't read cert file\n", __func__);
return 1;
}
#if !defined(USE_WOLFSSL)
ret = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, (int)flen, p);
#else
ret = wolfSSL_CTX_use_certificate_buffer(vhost->tls.ssl_ctx,
(uint8_t *)p, (int)flen,
WOLFSSL_FILETYPE_ASN1);
#endif
lws_free_set_NULL(p);
if (ret != 1) {
lwsl_err("%s: Problem loading cert\n", __func__);
return 1;
}
if (lws_tls_alloc_pem_to_der_file(vhost->context, private_key,
mem_privkey, mem_privkey_len,
&p, &flen)) {
lwsl_notice("unable to convert memory privkey\n");
return 1;
}
#if !defined(USE_WOLFSSL)
ret = SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, vhost->tls.ssl_ctx, p,
(long)(long long)flen);
if (ret != 1) {
ret = SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_EC,
vhost->tls.ssl_ctx, p,
(long)(long long)flen);
}
#else
ret = wolfSSL_CTX_use_PrivateKey_buffer(vhost->tls.ssl_ctx, p, flen,
WOLFSSL_FILETYPE_ASN1);
#endif
lws_free_set_NULL(p);
if (ret != 1) {
lwsl_notice("unable to use memory privkey\n");
return 1;
}
#else
/*
* Although we have prepared update certs, we no longer have
* the rights to read our own cert + key we saved.
*
* If we were passed copies in memory buffers, use those
* instead.
*
* The passed memory-buffer cert image is in DER, and the
* memory-buffer private key image is PEM.
*/
#ifndef USE_WOLFSSL
if (SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx,
(int)mem_cert_len,
(uint8_t *)mem_cert) != 1) {
#else
if (wolfSSL_CTX_use_certificate_buffer(vhost->tls.ssl_ctx,
(uint8_t *)mem_cert,
(int)mem_cert_len,
WOLFSSL_FILETYPE_ASN1) != 1) {
#endif
lwsl_err("Problem loading update cert\n");
return 1;
}
if (lws_tls_alloc_pem_to_der_file(vhost->context, NULL,
mem_privkey, mem_privkey_len,
&p, &flen)) {
lwsl_notice("unable to convert memory privkey\n");
return 1;
}
#ifndef USE_WOLFSSL
if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA,
vhost->tls.ssl_ctx, p,
(long)(long long)flen) != 1) {
#else
if (wolfSSL_CTX_use_PrivateKey_buffer(vhost->tls.ssl_ctx, p,
flen, WOLFSSL_FILETYPE_ASN1) != 1) {
#endif
lwsl_notice("unable to use memory privkey\n");
return 1;
}
goto check_key;
}
/* set the local certificate from CertFile */
m = SSL_CTX_use_certificate_chain_file(vhost->tls.ssl_ctx, cert);
if (m != 1) {
error = ERR_get_error();
lwsl_err("problem getting cert '%s' %lu: %s\n",
cert, error, ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
if (n != LWS_TLS_EXTANT_ALTERNATIVE && private_key) {
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(vhost->tls.ssl_ctx, private_key,
SSL_FILETYPE_PEM) != 1) {
error = ERR_get_error();
lwsl_err("ssl problem getting key '%s' %lu: %s\n",
private_key, error,
ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
} else {
if (vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->tls.ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
}
check_key:
#endif
/* verify private key */
if (!SSL_CTX_check_private_key(vhost->tls.ssl_ctx)) {
lwsl_err("Private SSL key doesn't match cert\n");
return 1;
}
#if !defined(OPENSSL_NO_EC)
if (vhost->tls.ecdh_curve[0])
ecdh_curve = vhost->tls.ecdh_curve;
ecdh_nid = OBJ_sn2nid(ecdh_curve);
if (NID_undef == ecdh_nid) {
lwsl_err("SSL: Unknown curve name '%s'", ecdh_curve);
return 1;
}
ecdh = EC_KEY_new_by_curve_name(ecdh_nid);
if (NULL == ecdh) {
lwsl_err("SSL: Unable to create curve '%s'", ecdh_curve);
return 1;
}
SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, ecdh);
EC_KEY_free(ecdh);
SSL_CTX_set_options(vhost->tls.ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
lwsl_notice(" SSL ECDH curve '%s'\n", ecdh_curve);
if (lws_check_opt(vhost->context->options, LWS_SERVER_OPTION_SSL_ECDH))
lwsl_notice(" Using ECDH certificate support\n");
/* Get X509 certificate from ssl context */
#if !defined(LWS_WITH_BORINGSSL)
#if !defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
x = sk_X509_value(vhost->tls.ssl_ctx->extra_certs, 0);
#else
SSL_CTX_get_extra_chain_certs_only(vhost->tls.ssl_ctx, &extra_certs);
if (extra_certs)
x = sk_X509_value(extra_certs, 0);
else
lwsl_info("%s: no extra certs\n", __func__);
#endif
if (!x) {
//lwsl_err("%s: x is NULL\n", __func__);
goto post_ecdh;
}
#else
return 0;
#endif
/* Get the public key from certificate */
pkey = X509_get_pubkey(x);
if (!pkey) {
lwsl_err("%s: pkey is NULL\n", __func__);
return 1;
}
/* Get the key type */
KeyType = EVP_PKEY_type(EVP_PKEY_id(pkey));
if (EVP_PKEY_EC != KeyType) {
lwsl_notice("Key type is not EC\n");
return 0;
}
/* Get the key */
EC_key = EVP_PKEY_get1_EC_KEY(pkey);
/* Set ECDH parameter */
if (!EC_key) {
lwsl_err("%s: ECDH key is NULL \n", __func__);
return 1;
}
SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, EC_key);
EC_KEY_free(EC_key);
#else
lwsl_notice(" OpenSSL doesn't support ECDH\n");
#endif
#if !defined(OPENSSL_NO_EC) && !defined(LWS_WITH_BORINGSSL)
post_ecdh:
#endif
vhost->tls.skipped_certs = 0;
return 0;
}
int
lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
struct lws_vhost *vhost, struct lws *wsi)
{
unsigned long error;
SSL_METHOD *method = (SSL_METHOD *)SSLv23_server_method();
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->tls.ssl_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)vhost->context->pt[0].serv_buf));
return 1;
}
SSL_CTX_set_ex_data(vhost->tls.ssl_ctx,
openssl_SSL_CTX_private_data_index,
(char *)vhost->context);
/* Disable SSLv2 and SSLv3 */
SSL_CTX_set_options(vhost->tls.ssl_ctx, SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3);
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(vhost->tls.ssl_ctx, SSL_OP_NO_COMPRESSION);
#endif
SSL_CTX_set_options(vhost->tls.ssl_ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_options(vhost->tls.ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (info->ssl_cipher_list)
SSL_CTX_set_cipher_list(vhost->tls.ssl_ctx, info->ssl_cipher_list);
#if defined(LWS_HAVE_SSL_CTX_set_ciphersuites)
if (info->tls1_3_plus_cipher_list)
SSL_CTX_set_ciphersuites(vhost->tls.ssl_ctx,
info->tls1_3_plus_cipher_list);
#endif
#if !defined(OPENSSL_NO_TLSEXT)
SSL_CTX_set_tlsext_servername_callback(vhost->tls.ssl_ctx,
lws_ssl_server_name_cb);
SSL_CTX_set_tlsext_servername_arg(vhost->tls.ssl_ctx, vhost->context);
#endif
if (info->ssl_ca_filepath &&
!SSL_CTX_load_verify_locations(vhost->tls.ssl_ctx,
info->ssl_ca_filepath, NULL)) {
lwsl_err("%s: SSL_CTX_load_verify_locations unhappy\n",
__func__);
}
if (info->ssl_options_set)
SSL_CTX_set_options(vhost->tls.ssl_ctx, info->ssl_options_set);
/* SSL_clear_options introduced in 0.9.8m */
#if (OPENSSL_VERSION_NUMBER >= 0x009080df) && !defined(USE_WOLFSSL)
if (info->ssl_options_clear)
SSL_CTX_clear_options(vhost->tls.ssl_ctx,
info->ssl_options_clear);
#endif
lwsl_info(" SSL options 0x%lX\n",
(unsigned long)SSL_CTX_get_options(vhost->tls.ssl_ctx));
if (!vhost->tls.use_ssl ||
(!info->ssl_cert_filepath && !info->server_ssl_cert_mem))
return 0;
lws_ssl_bind_passphrase(vhost->tls.ssl_ctx, info);
return lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
info->ssl_private_key_filepath,
info->server_ssl_cert_mem,
info->server_ssl_cert_mem_len,
info->server_ssl_private_key_mem,
info->server_ssl_private_key_mem_len);
}
LWS_VISIBLE int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
int buflen = 0x560;
uint8_t *buf = lws_malloc(buflen, "tmp cert buf"), *p = buf, *pkey_asn1;
struct lws_genrsa_ctx ctx;
struct lws_genrsa_elements el;
uint8_t digest[32];
struct lws_genhash_ctx hash_ctx;
int pkey_asn1_len = 3 * 1024;
int n, keybits = lws_plat_recommended_rsa_bits(), adj;
if (!buf)
return 1;
n = lws_genrsa_new_keypair(vhost->context, &ctx, &el, keybits);
if (n < 0) {
lws_jwk_destroy_genrsa_elements(&el);
goto bail1;
}
n = sizeof(ss_cert_leadin);
memcpy(p, ss_cert_leadin, n);
p += n;
adj = (0x0556 - 0x401) + (keybits / 4) + 1;
buf[2] = adj >> 8;
buf[3] = adj & 0xff;
adj = (0x033e - 0x201) + (keybits / 8) + 1;
buf[6] = adj >> 8;
buf[7] = adj & 0xff;
adj = (0x0222 - 0x201) + (keybits / 8) + 1;
buf[0xc3] = adj >> 8;
buf[0xc4] = adj & 0xff;
adj = (0x020f - 0x201) + (keybits / 8) + 1;
buf[0xd6] = adj >> 8;
buf[0xd7] = adj & 0xff;
adj = (0x020a - 0x201) + (keybits / 8) + 1;
buf[0xdb] = adj >> 8;
buf[0xdc] = adj & 0xff;
*p++ = ((keybits / 8) + 1) >> 8;
*p++ = ((keybits / 8) + 1) & 0xff;
/* we need to drop 1 + (keybits / 8) bytes of n in here, 00 + key */
*p++ = 0x00;
memcpy(p, el.e[JWK_KEY_N].buf, el.e[JWK_KEY_N].len);
p += el.e[JWK_KEY_N].len;
memcpy(p, ss_cert_san_leadin, sizeof(ss_cert_san_leadin));
p += sizeof(ss_cert_san_leadin);
/* drop in 78 bytes of san_a */
memcpy(p, san_a, SAN_A_LENGTH);
p += SAN_A_LENGTH;
memcpy(p, ss_cert_sig_leadin, sizeof(ss_cert_sig_leadin));
p[17] = ((keybits / 8) + 1) >> 8;
p[18] = ((keybits / 8) + 1) & 0xff;
p += sizeof(ss_cert_sig_leadin);
/* hash the cert plaintext */
if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256))
goto bail2;
if (lws_genhash_update(&hash_ctx, buf, lws_ptr_diff(p, buf))) {
lws_genhash_destroy(&hash_ctx, NULL);
goto bail2;
}
if (lws_genhash_destroy(&hash_ctx, digest))
goto bail2;
/* sign the hash */
n = lws_genrsa_public_sign(&ctx, digest, LWS_GENHASH_TYPE_SHA256, p,
buflen - lws_ptr_diff(p, buf));
if (n < 0)
goto bail2;
p += n;
pkey_asn1 = lws_malloc(pkey_asn1_len, "mbed crt tmp");
if (!pkey_asn1)
goto bail2;
n = lws_genrsa_render_pkey_asn1(&ctx, 1, pkey_asn1, pkey_asn1_len);
if (n < 0) {
lws_free(pkey_asn1);
goto bail2;
}
lwsl_debug("private key\n");
lwsl_hexdump_level(LLL_DEBUG, pkey_asn1, n);
/* and to use our generated private key */
n = SSL_CTX_use_PrivateKey_ASN1(0, vhost->ssl_ctx, pkey_asn1, n);
lws_free(pkey_asn1);
if (n != 1) {
lwsl_notice("%s: SSL_CTX_use_PrivateKey_ASN1 failed\n",
__func__);
}
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
if (n == 1) {
lwsl_hexdump_level(LLL_DEBUG, buf, lws_ptr_diff(p, buf));
n = SSL_CTX_use_certificate_ASN1(vhost->ssl_ctx,
lws_ptr_diff(p, buf), buf);
if (n != 1)
lwsl_notice("%s: generated cert failed to load 0x%x\n",
__func__, -n);
}
lws_free(buf);
return n != 1;
bail2:
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
bail1:
lws_free(buf);
return -1;
}
int
lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
const char *cert, const char *private_key,
const char *mem_cert, size_t len_mem_cert,
const char *mem_privkey, size_t mem_privkey_len)
{
int n, f = 0;
const char *filepath = private_key;
uint8_t *mem = NULL, *p = NULL;
size_t mem_len = 0;
lws_filepos_t flen;
long err;
if (!cert || !private_key) {
lwsl_notice("%s: no paths\n", __func__);
return 0;
}
n = lws_tls_generic_cert_checks(vhost, cert, private_key);
if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey))
return 0;
/*
* we can't read the root-privs files. But if mem_cert is provided,
* we should use that.
*/
if (n == LWS_TLS_EXTANT_NO)
n = LWS_TLS_EXTANT_ALTERNATIVE;
if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey))
return 1; /* no alternative */
if (n == LWS_TLS_EXTANT_ALTERNATIVE) {
/*
* Although we have prepared update certs, we no longer have
* the rights to read our own cert + key we saved.
*
* If we were passed copies in memory buffers, use those
* instead.
*
* The passed memory-buffer cert image is in DER, and the
* memory-buffer private key image is PEM.
*/
/* mem cert is already DER */
p = (uint8_t *)mem_cert;
flen = len_mem_cert;
/* mem private key is PEM, so go through the motions */
mem = (uint8_t *)mem_privkey;
mem_len = mem_privkey_len;
filepath = NULL;
} else {
if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, NULL,
0, &p, &flen)) {
lwsl_err("couldn't find cert file %s\n", cert);
return 1;
}
f = 1;
}
err = SSL_CTX_use_certificate_ASN1(vhost->ssl_ctx, flen, p);
if (!err) {
free(p);
lwsl_err("Problem loading cert\n");
return 1;
}
if (f)
free(p);
p = NULL;
if (private_key || n == LWS_TLS_EXTANT_ALTERNATIVE) {
if (lws_tls_alloc_pem_to_der_file(vhost->context, filepath,
(char *)mem, mem_len, &p,
&flen)) {
lwsl_err("couldn't find private key file %s\n",
private_key);
return 1;
}
err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->ssl_ctx, p, flen);
if (!err) {
free(p);
lwsl_err("Problem loading key\n");
return 1;
}
}
if (p && !mem_privkey) {
free(p);
p = NULL;
}
if (!private_key && !mem_privkey &&
vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
vhost->skipped_certs = 0;
return 0;
}
