static void different_SNI_at_ssl(WOLFSSL* ssl)
{
byte type = WOLFSSL_SNI_HOST_NAME;
char name[] = "ww2.yassl.com";
AssertIntEQ(SSL_SUCCESS,
wolfSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name)));
}
int
lws_client_socket_service(struct lws_context *context, struct lws *wsi,
struct lws_pollfd *pollfd)
{
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
unsigned char c;
int n, len;
switch (wsi->mode) {
case LWSCM_WSCL_WAITING_CONNECT:
/*
* we are under PENDING_TIMEOUT_SENT_CLIENT_HANDSHAKE
* timeout protection set in client-handshake.c
*/
if (!lws_client_connect_2(wsi)) {
/* closed */
lwsl_client("closed\n");
return -1;
}
/* either still pending connection, or changed mode */
return 0;
case LWSCM_WSCL_WAITING_PROXY_REPLY:
/* handle proxy hung up on us */
if (pollfd->revents & LWS_POLLHUP) {
lwsl_warn("Proxy connection %p (fd=%d) dead\n",
(void *)wsi, pollfd->fd);
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
n = recv(wsi->sock, sb, LWS_MAX_SOCKET_IO_BUF, 0);
if (n < 0) {
if (LWS_ERRNO == LWS_EAGAIN) {
lwsl_debug("Proxy read returned EAGAIN... retrying\n");
return 0;
}
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
lwsl_err("ERROR reading from proxy socket\n");
return 0;
}
pt->serv_buf[13] = '\0';
if (strcmp(sb, "HTTP/1.0 200 ") &&
strcmp(sb, "HTTP/1.1 200 ")) {
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
lwsl_err("ERROR proxy: %s\n", sb);
return 0;
}
/* clear his proxy connection timeout */
lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0);
/* fallthru */
case LWSCM_WSCL_ISSUE_HANDSHAKE:
/*
* we are under PENDING_TIMEOUT_SENT_CLIENT_HANDSHAKE
* timeout protection set in client-handshake.c
*
* take care of our lws_callback_on_writable
* happening at a time when there's no real connection yet
*/
if (lws_change_pollfd(wsi, LWS_POLLOUT, 0))
return -1;
lws_libev_io(wsi, LWS_EV_STOP | LWS_EV_WRITE);
#ifdef LWS_OPENSSL_SUPPORT
/* we can retry this... just cook the SSL BIO the first time */
if (wsi->use_ssl && !wsi->ssl) {
#if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
const char *hostname = lws_hdr_simple_ptr(wsi,
_WSI_TOKEN_CLIENT_HOST);
#endif
wsi->ssl = SSL_new(context->ssl_client_ctx);
#ifndef USE_WOLFSSL
SSL_set_mode(wsi->ssl,
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
/*
* use server name indication (SNI), if supported,
* when establishing connection
*/
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
#ifdef CYASSL_SNI_HOST_NAME
CyaSSL_UseSNI(wsi->ssl, CYASSL_SNI_HOST_NAME,
hostname, strlen(hostname));
#endif
#else
#ifdef WOLFSSL_SNI_HOST_NAME
wolfSSL_UseSNI(wsi->ssl, WOLFSSL_SNI_HOST_NAME,
hostname, strlen(hostname));
#endif
#endif
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
#endif
#endif
#ifdef USE_WOLFSSL
/*
* wolfSSL/CyaSSL does certificate verification differently
* from OpenSSL.
* If we should ignore the certificate, we need to set
* this before SSL_new and SSL_connect is called.
* Otherwise the connect will simply fail with error
* code -155
*/
#ifdef USE_OLD_CYASSL
if (wsi->use_ssl == 2)
CyaSSL_set_verify(wsi->ssl,
SSL_VERIFY_NONE, NULL);
#else
if (wsi->use_ssl == 2)
wolfSSL_set_verify(wsi->ssl,
SSL_VERIFY_NONE, NULL);
#endif
#endif /* USE_WOLFSSL */
wsi->client_bio =
BIO_new_socket(wsi->sock, BIO_NOCLOSE);
SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
CyaSSL_set_using_nonblock(wsi->ssl, 1);
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
#endif
SSL_set_ex_data(wsi->ssl,
openssl_websocket_private_data_index,
context);
}
if (wsi->use_ssl) {
lws_latency_pre(context, wsi);
n = SSL_connect(wsi->ssl);
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
if (n == SSL_ERROR_WANT_READ)
goto some_wait;
if (n == SSL_ERROR_WANT_WRITE) {
/*
* wants us to retry connect due to
* state of the underlying ssl layer...
* but since it may be stalled on
* blocked write, no incoming data may
* arrive to trigger the retry.
* Force (possibly many times if the SSL
* state persists in returning the
* condition code, but other sockets
* are getting serviced inbetweentimes)
* us to get called back when writable.
*/
lwsl_info("%s: WANT_WRITE... retrying\n", __func__);
lws_callback_on_writable(wsi);
some_wait:
wsi->mode = LWSCM_WSCL_WAITING_SSL;
return 0; /* no error */
}
n = -1;
}
if (n <= 0) {
/*
* retry if new data comes until we
* run into the connection timeout or win
*/
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
}
} else
wsi->ssl = NULL;
/* fallthru */
case LWSCM_WSCL_WAITING_SSL:
if (wsi->use_ssl) {
if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {
lws_latency_pre(context, wsi);
n = SSL_connect(wsi->ssl);
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_WAITING_SSL",
n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
if (n == SSL_ERROR_WANT_READ)
goto some_wait;
if (n == SSL_ERROR_WANT_WRITE) {
/*
* wants us to retry connect due to
* state of the underlying ssl layer...
* but since it may be stalled on
* blocked write, no incoming data may
* arrive to trigger the retry.
* Force (possibly many times if the SSL
* state persists in returning the
* condition code, but other sockets
* are getting serviced inbetweentimes)
* us to get called back when writable.
*/
lwsl_info("SSL_connect WANT_WRITE... retrying\n");
lws_callback_on_writable(wsi);
goto some_wait;
}
n = -1;
}
if (n <= 0) {
/*
* retry if new data comes until we
* run into the connection timeout or win
*/
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
}
}
#ifndef USE_WOLFSSL
/*
* See comment above about wolfSSL certificate
* verification
*/
lws_latency_pre(context, wsi);
n = SSL_get_verify_result(wsi->ssl);
lws_latency(context, wsi,
"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
n, n > 0);
if (n != X509_V_OK) {
if ((n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) && wsi->use_ssl == 2) {
lwsl_notice("accepting self-signed certificate\n");
} else {
lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",
n, ERR_error_string(n, sb));
lws_close_free_wsi(wsi,
LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
}
#endif /* USE_WOLFSSL */
} else
wsi->ssl = NULL;
#endif
wsi->mode = LWSCM_WSCL_ISSUE_HANDSHAKE2;
lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND,
AWAITING_TIMEOUT);
/* fallthru */
case LWSCM_WSCL_ISSUE_HANDSHAKE2:
p = lws_generate_client_handshake(wsi, p);
if (p == NULL) {
lwsl_err("Failed to generate handshake for client\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
/* send our request to the server */
lws_latency_pre(context, wsi);
n = lws_ssl_capable_write(wsi, (unsigned char *)sb, p - sb);
lws_latency(context, wsi, "send lws_issue_raw", n,
n == p - sb);
switch (n) {
case LWS_SSL_CAPABLE_ERROR:
lwsl_debug("ERROR writing to client socket\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
case LWS_SSL_CAPABLE_MORE_SERVICE:
lws_callback_on_writable(wsi);
break;
}
wsi->u.hdr.parser_state = WSI_TOKEN_NAME_PART;
wsi->u.hdr.lextable_pos = 0;
wsi->mode = LWSCM_WSCL_WAITING_SERVER_REPLY;
lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_SERVER_RESPONSE,
AWAITING_TIMEOUT);
break;
case LWSCM_WSCL_WAITING_SERVER_REPLY:
/* handle server hung up on us */
if (pollfd->revents & LWS_POLLHUP) {
lwsl_debug("Server connection %p (fd=%d) dead\n",
(void *)wsi, pollfd->fd);
goto bail3;
}
if (!(pollfd->revents & LWS_POLLIN))
break;
/* interpret the server response */
/*
* HTTP/1.1 101 Switching Protocols
* Upgrade: websocket
* Connection: Upgrade
* Sec-WebSocket-Accept: me89jWimTRKTWwrS3aRrL53YZSo=
* Sec-WebSocket-Nonce: AQIDBAUGBwgJCgsMDQ4PEC==
* Sec-WebSocket-Protocol: chat
*/
/*
* we have to take some care here to only take from the
* socket bytewise. The browser may (and has been seen to
* in the case that onopen() performs websocket traffic)
* coalesce both handshake response and websocket traffic
* in one packet, since at that point the connection is
* definitively ready from browser pov.
*/
len = 1;
while (wsi->u.hdr.parser_state != WSI_PARSING_COMPLETE &&
len > 0) {
n = lws_ssl_capable_read(wsi, &c, 1);
lws_latency(context, wsi, "send lws_issue_raw", n,
n == 1);
switch (n) {
case 0:
case LWS_SSL_CAPABLE_ERROR:
goto bail3;
case LWS_SSL_CAPABLE_MORE_SERVICE:
return 0;
}
if (lws_parse(wsi, c)) {
lwsl_warn("problems parsing header\n");
goto bail3;
}
}
/*
* hs may also be coming in multiple packets, there is a 5-sec
* libwebsocket timeout still active here too, so if parsing did
* not complete just wait for next packet coming in this state
*/
if (wsi->u.hdr.parser_state != WSI_PARSING_COMPLETE)
break;
/*
* otherwise deal with the handshake. If there's any
* packet traffic already arrived we'll trigger poll() again
* right away and deal with it that way
*/
return lws_client_interpret_server_handshake(wsi);
bail3:
lwsl_info("closing conn at LWS_CONNMODE...SERVER_REPLY\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return -1;
case LWSCM_WSCL_WAITING_EXTENSION_CONNECT:
lwsl_ext("LWSCM_WSCL_WAITING_EXTENSION_CONNECT\n");
break;
case LWSCM_WSCL_PENDING_CANDIDATE_CHILD:
lwsl_ext("LWSCM_WSCL_PENDING_CANDIDATE_CHILD\n");
break;
default:
break;
}
return 0;
}
int
lws_ssl_client_bio_create(struct lws *wsi)
{
#if defined(LWS_USE_POLARSSL)
return 0;
#else
#if defined(LWS_USE_MBEDTLS)
#else
struct lws_context *context = wsi->context;
const char *hostname = lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_HOST);
X509_VERIFY_PARAM *param;
(void)hostname;
(void)param;
wsi->ssl = SSL_new(wsi->vhost->ssl_client_ctx);
#if defined LWS_HAVE_X509_VERIFY_PARAM_set1_host
if (!(wsi->use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
param = SSL_get0_param(wsi->ssl);
/* Enable automatic hostname checks */
X509_VERIFY_PARAM_set_hostflags(param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
/* Configure a non-zero callback if desired */
SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0);
}
#endif
#ifndef USE_WOLFSSL
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
/*
* use server name indication (SNI), if supported,
* when establishing connection
*/
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
#ifdef CYASSL_SNI_HOST_NAME
CyaSSL_UseSNI(wsi->ssl, CYASSL_SNI_HOST_NAME, hostname, strlen(hostname));
#endif
#else
#ifdef WOLFSSL_SNI_HOST_NAME
wolfSSL_UseSNI(wsi->ssl, WOLFSSL_SNI_HOST_NAME, hostname, strlen(hostname));
#endif
#endif
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
#endif
#endif
#ifdef USE_WOLFSSL
/*
* wolfSSL/CyaSSL does certificate verification differently
* from OpenSSL.
* If we should ignore the certificate, we need to set
* this before SSL_new and SSL_connect is called.
* Otherwise the connect will simply fail with error code -155
*/
#ifdef USE_OLD_CYASSL
if (wsi->use_ssl == 2)
CyaSSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, NULL);
#else
if (wsi->use_ssl == 2)
wolfSSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, NULL);
#endif
#endif /* USE_WOLFSSL */
wsi->client_bio = BIO_new_socket(wsi->sock, BIO_NOCLOSE);
SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
CyaSSL_set_using_nonblock(wsi->ssl, 1);
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
#endif
SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index,
context);
return 0;
#endif
#endif
}
static void different_SNI_at_ssl(WOLFSSL* ssl)
{
AssertIntEQ(SSL_SUCCESS,
wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, "ww2.wolfssl.com", 15));
}
static void test_wolfSSL_UseSNI(void)
{
#ifdef HAVE_SNI
callback_functions client_callbacks = {wolfSSLv23_client_method, 0, 0, 0};
callback_functions server_callbacks = {wolfSSLv23_server_method, 0, 0, 0};
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
WOLFSSL *ssl = wolfSSL_new(ctx);
AssertNotNull(ctx);
AssertNotNull(ssl);
/* error cases */
AssertIntNE(SSL_SUCCESS,
wolfSSL_CTX_UseSNI(NULL, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(SSL_SUCCESS,
wolfSSL_UseSNI( NULL, 0, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(SSL_SUCCESS,
wolfSSL_CTX_UseSNI(ctx, -1, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(SSL_SUCCESS,
wolfSSL_UseSNI( ssl, -1, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(SSL_SUCCESS,
wolfSSL_CTX_UseSNI(ctx, 0, (void *) NULL, XSTRLEN("ctx")));
AssertIntNE(SSL_SUCCESS,
wolfSSL_UseSNI( ssl, 0, (void *) NULL, XSTRLEN("ssl")));
/* success case */
AssertIntEQ(SSL_SUCCESS,
wolfSSL_CTX_UseSNI(ctx, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntEQ(SSL_SUCCESS,
wolfSSL_UseSNI( ssl, 0, (void *) "ssl", XSTRLEN("ssl")));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
/* Testing success case at ctx */
client_callbacks.ctx_ready = server_callbacks.ctx_ready = use_SNI_at_ctx;
server_callbacks.on_result = verify_SNI_real_matching;
test_wolfSSL_client_server(&client_callbacks, &server_callbacks);
/* Testing success case at ssl */
client_callbacks.ctx_ready = server_callbacks.ctx_ready = NULL;
client_callbacks.ssl_ready = server_callbacks.ssl_ready = use_SNI_at_ssl;
test_wolfSSL_client_server(&client_callbacks, &server_callbacks);
/* Testing default mismatch behaviour */
client_callbacks.ssl_ready = different_SNI_at_ssl;
client_callbacks.on_result = verify_SNI_abort_on_client;
server_callbacks.on_result = verify_SNI_abort_on_server;
test_wolfSSL_client_server(&client_callbacks, &server_callbacks);
client_callbacks.on_result = NULL;
/* Testing continue on mismatch */
client_callbacks.ssl_ready = different_SNI_at_ssl;
server_callbacks.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl;
server_callbacks.on_result = verify_SNI_no_matching;
test_wolfSSL_client_server(&client_callbacks, &server_callbacks);
/* Testing fake answer on mismatch */
server_callbacks.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl;
server_callbacks.on_result = verify_SNI_fake_matching;
test_wolfSSL_client_server(&client_callbacks, &server_callbacks);
test_wolfSSL_SNI_GetFromBuffer();
#endif
}
int
lws_ssl_client_bio_create(struct lws *wsi)
{
struct lws_context *context = wsi->context;
#if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
const char *hostname = lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_HOST);
#endif
wsi->ssl = SSL_new(wsi->vhost->ssl_client_ctx);
#ifndef USE_WOLFSSL
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
/*
* use server name indication (SNI), if supported,
* when establishing connection
*/
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
#ifdef CYASSL_SNI_HOST_NAME
CyaSSL_UseSNI(wsi->ssl, CYASSL_SNI_HOST_NAME, hostname, strlen(hostname));
#endif
#else
#ifdef WOLFSSL_SNI_HOST_NAME
wolfSSL_UseSNI(wsi->ssl, WOLFSSL_SNI_HOST_NAME, hostname, strlen(hostname));
#endif
#endif
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
#endif
#endif
#ifdef USE_WOLFSSL
/*
* wolfSSL/CyaSSL does certificate verification differently
* from OpenSSL.
* If we should ignore the certificate, we need to set
* this before SSL_new and SSL_connect is called.
* Otherwise the connect will simply fail with error code -155
*/
#ifdef USE_OLD_CYASSL
if (wsi->use_ssl == 2)
CyaSSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, NULL);
#else
if (wsi->use_ssl == 2)
wolfSSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, NULL);
#endif
#endif /* USE_WOLFSSL */
wsi->client_bio = BIO_new_socket(wsi->sock, BIO_NOCLOSE);
SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
CyaSSL_set_using_nonblock(wsi->ssl, 1);
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
#endif
SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index,
context);
return 0;
}
static void test_wolfSSL_UseSNI_params(void)
{
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
WOLFSSL *ssl = wolfSSL_new(ctx);
AssertNotNull(ctx);
AssertNotNull(ssl);
/* invalid [ctx|ssl] */
AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(NULL, 0, "ctx", 3));
AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( NULL, 0, "ssl", 3));
/* invalid type */
AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, -1, "ctx", 3));
AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( ssl, -1, "ssl", 3));
/* invalid data */
AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, NULL, 3));
AssertIntNE(SSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, NULL, 3));
/* success case */
AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UseSNI(ctx, 0, "ctx", 3));
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseSNI( ssl, 0, "ssl", 3));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
}