#if defined(USE_OPENSSL)

#include <openssl/ssl.h>

#include <openssl/pem.h>

#include <openssl/err.h>

#include <openssl/dh.h>

#if defined(OPENSSL_IS_BORINGSSL)

#include "b64.h"

#else

#include <openssl/bn.h>

#include <openssl/bio.h>

#include <openssl/evp.h>

#include <openssl/buffer.h>

#endif

#elif defined(USE_WOLFSSL)

#include <wolfssl/options.h>

#include <wolfssl/ssl.h>

#include "b64.h"

#else

#include "sha1.h"

#include "b64.h"

#endif

#ifndef SSL_SUCCESS

#define SSL_SUCCESS 1

#endif

#include <errno.h>

#include "worker.h"

#include "event.h"

#include "ssl.h"

#include "log.h"

#include "predict.h"

/**

 * Function initializes SSL context that can be used to serve over https.

 *

 * @param   server	[wss_server_t *] 	"The server instance"

 * @return 			[wss_error_t]       "The error status"

 */

#if defined(USE_OPENSSL)

#if ! defined(OPENSSL_IS_BORINGSSL) && ! defined(LIBRESSL_VERSION_NUMBER)

#endif

    }

    }

    }

    }

    }

#if ! defined(LIBRESSL_VERSION_NUMBER)

#endif

#if ! defined(OPENSSL_IS_BORINGSSL)

#endif

    } else {

    }

    //WSS_log_trace("Allow write buffer to be moving as it is allocated on the heap");

    //SSL_CTX_set_mode(server->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

    }

#if ! defined(LIBRESSL_VERSION_NUMBER)

#endif

#if ! defined(LIBRESSL_VERSION_NUMBER) && ! defined(OPENSSL_IS_BORINGSSL)

    }

#endif

#if ! defined(LIBRESSL_VERSION_NUMBER)

#endif

    }

#if ! defined(LIBRESSL_VERSION_NUMBER) && ! defined(OPENSSL_IS_BORINGSSL)

#else

        if ( NULL != server->config->ssl_cipher_list ) {

            char list[strlen(server->config->ssl_cipher_list)+strlen(server->config->ssl_cipher_list)+2];

            memset(list, '\0', strlen(server->config->ssl_cipher_list)+strlen(server->config->ssl_cipher_list)+2);

            memcpy(list, server->config->ssl_cipher_list, strlen(server->config->ssl_cipher_list));

            list[strlen(server->config->ssl_cipher_list)] = ':';

            memcpy(list+(strlen(server->config->ssl_cipher_list)+1), server->config->ssl_cipher_suites, strlen(server->config->ssl_cipher_suites));

            SSL_CTX_set_cipher_list(server->ssl_ctx, list);

        } else {

            SSL_CTX_set_cipher_list(server->ssl_ctx, server->config->ssl_cipher_suites);

        }

        WSS_log_trace("Setting cipher suites");

#endif

    }

#if ! defined(LIBRESSL_VERSION_NUMBER)

#endif

                }

            } else {

            }

        } else {

        }

    }

#if defined(LIBRESSL_VERSION_NUMBER)

    WSS_log_info("SSL was setup using 'LibreSSL'");

#elif defined(OPENSSL_IS_BORINGSSL)

    WSS_log_info("SSL was setup using 'BoringSSL'");

#else

#endif

#elif defined(USE_WOLFSSL)

    WOLFSSL_METHOD *method;

    int error_size = 1024;

    char error[error_size];

    wolfSSL_Init();

    method = TLS_method();

    server->ssl_ctx = wolfSSL_CTX_new(method);

    if ( unlikely(!server->ssl_ctx) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

        WSS_log_error("Unable to create ssl context: %s", error);

        return WSS_SSL_CTX_ERROR;

    }

    WSS_log_trace("Assign CA certificate(s) to ssl context");

    if ( unlikely(SSL_SUCCESS != wolfSSL_CTX_load_verify_locations(server->ssl_ctx, server->config->ssl_ca_file, server->config->ssl_ca_path)) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

        WSS_log_error("Unable to load CA certificates: %s", error);

        return WSS_SSL_CA_ERROR;

    }

    WSS_log_trace("Assign certificate to ssl context");

    if ( unlikely(SSL_SUCCESS != wolfSSL_CTX_use_certificate_file(server->ssl_ctx, server->config->ssl_cert, SSL_FILETYPE_PEM)) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

        WSS_log_error("Unable to load server certificate: %s", error);

        return WSS_SSL_CERT_ERROR;

    }

    WSS_log_trace("Assign private key to ssl context");

    if ( unlikely(SSL_SUCCESS != wolfSSL_CTX_use_PrivateKey_file(server->ssl_ctx, server->config->ssl_key, SSL_FILETYPE_PEM)) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

        WSS_log_error("Unable to load server private key: %s", error);

        return WSS_SSL_KEY_ERROR;

    }

    WSS_log_trace("Validate private key");

    if ( unlikely(SSL_SUCCESS != wolfSSL_CTX_check_private_key(server->ssl_ctx)) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

        WSS_log_error("Failed check of private key: %s", error);

        return WSS_SSL_KEY_ERROR;

    }

    WSS_log_trace("Use most appropriate client curve");

    wolfSSL_CTX_set_options(server->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);

    if (! server->config->ssl_peer_cert) {

        wolfSSL_CTX_set_verify(server->ssl_ctx, SSL_VERIFY_NONE, 0);

    } else {

        wolfSSL_CTX_set_verify(server->ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

    }

    WSS_log_trace("Allow writes to be partial");

    wolfSSL_CTX_set_mode(server->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

    //WSS_log_trace("Allow write buffer to be moving as it is allocated on the heap");

    //wolfSSL_CTX_set_mode(server->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

    WSS_log_trace("Allow read and write buffers to be released when they are no longer needed");

    wolfSSL_CTX_set_mode(server->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

    if (! server->config->ssl_compression) {

        WSS_log_trace("Do not use compression even if it is supported.");

        wolfSSL_CTX_set_mode(server->ssl_ctx, SSL_OP_NO_COMPRESSION);

    }

    WSS_log_trace("When choosing a cipher, use the server's preferences instead of the client preferences.");

    wolfSSL_CTX_set_mode(server->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

    WSS_log_trace("Disable use of session and ticket cache and resumption");

    wolfSSL_CTX_set_session_cache_mode(server->ssl_ctx, SSL_SESS_CACHE_OFF);

    wolfSSL_CTX_set_options(server->ssl_ctx, SSL_OP_NO_TICKET);

    wolfSSL_CTX_set_options(server->ssl_ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);

    if ( NULL != server->config->ssl_cipher_list ) {

        WSS_log_trace("Setting cipher list");

        wolfSSL_CTX_set_cipher_list(server->ssl_ctx, server->config->ssl_cipher_list);

    }

    if ( NULL != server->config->ssl_cipher_suites ) {

        if ( NULL != server->config->ssl_cipher_list ) {

            char list[strlen(server->config->ssl_cipher_list)+strlen(server->config->ssl_cipher_list)+2];

            memset(list, '\0', strlen(server->config->ssl_cipher_list)+strlen(server->config->ssl_cipher_list)+2);

            memcpy(list, server->config->ssl_cipher_list, strlen(server->config->ssl_cipher_list));

            list[strlen(server->config->ssl_cipher_list)] = ':';

            memcpy(list+(strlen(server->config->ssl_cipher_list)+1), server->config->ssl_cipher_suites, strlen(server->config->ssl_cipher_suites));

            SSL_CTX_set_cipher_list(server->ssl_ctx, list);

        } else {

            SSL_CTX_set_cipher_list(server->ssl_ctx, server->config->ssl_cipher_suites);

        }

        WSS_log_trace("Setting cipher suites");

    }

    if ( NULL != server->config->ssl_dhparam ) {

        if ( SSL_SUCCESS != wolfSSL_SetTmpDH_file(server->ssl_ctx, server->config->ssl_dhparam, SSL_FILETYPE_PEM) ) {

            wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), error, error_size);

            WSS_log_error("Setting dhparam failed: %s", error);

        }

    }

    WSS_log_info("SSL was setup using 'WolfSSL'");

    return WSS_SUCCESS;

#else

    return WSS_SSL_CTX_ERROR;

#endif

}

/**

 * Function frees SSL context that was used to serve over https.

 *

 * @param   server	[wss_server_t *] 	"The server instance"

 * @return 			[void]

 */

#if defined(USE_OPENSSL)

#if ! defined(LIBRESSL_VERSION_NUMBER) && ! defined(OPENSSL_IS_BORINGSSL)

#endif

#elif defined(USE_WOLFSSL)

    wolfSSL_CTX_free(server->ssl_ctx);

    wolfSSL_Cleanup();

#endif

}

/**

 * Function that performs a ssl read from the connecting client.

 *

 * @param   server      [wss_server_t *]    "The server implementation"

 * @param   session     [wss_session_t *]   "The connecting client session"

 * @param   buffer      [char *]            "The buffer to use"

 * @return              [int]

 */

#if defined(USE_OPENSSL) | defined(USE_WOLFSSL)

#if defined(USE_OPENSSL)

#elif defined(USE_WOLFSSL)

    n = wolfSSL_read(session->ssl, buffer, server->config->size_buffer);

    err = SSL_get_error(session->ssl, n);

#endif

    // There's no more to read from the kernel

        n = 0;

    } else

    // There's no space to write to the kernel, wait for filedescriptor.

    } else

    // Some error has occured.

        char msg[1024];

#if defined(USE_OPENSSL)

        }

#elif defined(USE_WOLFSSL)

        while ( (err = wolfSSL_ERR_get_error()) != 0 ) {

            memset(msg, '\0', 1024);

            wolfSSL_ERR_error_string_n(err, msg, 1024);

            WSS_log_error("SSL read failed: %s", msg);

        }

#endif

    } else

    // If this was one of the error codes that we do accept, return 0

    }

#else

    return 0;

#endif

}

/**

 * Function that performs a ssl write to the connecting client.

 *

 * @param   session       [wss_session_t *]   "The connecting client session"

 * @param   message_index [unsigned int]      "The message index"

 * @param   message       [wss_message_t *]   "The message"

 * @param   bytes_sent    [unsigned int]      "The amount of bytes currently sent"

 * @return                [bool]

 */

#if defined(USE_OPENSSL) | defined(USE_WOLFSSL)

#if defined(USE_OPENSSL)

#elif defined(USE_WOLFSSL)

    n = wolfSSL_write(session->ssl, message->msg+*bytes_sent, message_length-*bytes_sent);

    err = SSL_get_error(session->ssl, n);

#endif

    // If something more needs to be read in order for the handshake to finish

    }

    // If something more needs to be written in order for the handshake to finish

    }

        char msg[1024];

#if defined(USE_OPENSSL)

        }

#elif defined(USE_WOLFSSL)

        while ( (err = wolfSSL_ERR_get_error()) != 0 ) {

            wolfSSL_ERR_error_string_n(err, msg, 1024);

            WSS_log_error("SSL write failed: %s", msg);

        }

#endif

    } else {

        }

    }

#else

    return false;

#endif

}

/**

 * Function that performs a ssl write to the connecting client.

 *

 * @param   session        [wss_session_t *]   "The connecting client session"

 * @param   message        [char *]            "The message"

 * @param   message_length [size_t]            "The message length"

 * @return                 [void]

 */

#if defined(USE_OPENSSL) | defined(USE_WOLFSSL)

#if defined(USE_OPENSSL)

#elif defined(USE_WOLFSSL)

        n = wolfSSL_write(session->ssl, message+written, message_length-written);

#endif

            break;

        }

#endif

}

/**

 * Function that performs a ssl handshake with the connecting client.

 *

 * @param   server      [wss_server_t *]    "The server implementation"

 * @param   session     [wss_session_t *]   "The connecting client session"

 * @return              [void]

 */

#if defined(USE_OPENSSL) | defined(USE_WOLFSSL)

#if defined(USE_OPENSSL)

#elif defined(USE_WOLFSSL)

    ret = wolfSSL_SSL_do_handshake(session->ssl);

    err = wolfSSL_get_error(session->ssl, ret);

#endif

    // If something more needs to be read in order for the handshake to finish

    }

    // If something more needs to be written in order for the handshake to finish

    }

        char message[1024];

#if defined(USE_OPENSSL)

        }

#elif defined(USE_WOLFSSL)

        while ( (err = wolfSSL_ERR_get_error()) != 0 ) {

            memset(message, '\0', 1024);

            wolfSSL_ERR_error_string_n(err, message, 1024);

            WSS_log_error("Handshake error: %s", message);

        }

#endif

    }

#endif

}

/**

 * Function initializes SSL context that can be used to serve over https.

 *

 * @param   server	[wss_server_t *] 	"The server instance"

 * @param   session	[wss_session_t *] 	"The session instance"

 * @return 			[bool]              "Whether function was successful"

 */

#if defined(USE_OPENSSL)

    }

    }

#elif defined(USE_WOLFSSL)

    char ssl_msg[1024];

    WSS_log_trace("Creating ssl client structure");

    if ( unlikely(NULL == (session->ssl = wolfSSL_new(server->ssl_ctx))) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), ssl_msg, 1024);

        WSS_log_error("Unable to create SSL structure: %s", ssl_msg);

        WSS_disconnect(server, session);

        return false;

    }

    WSS_log_trace("Associating structure with client filedescriptor");

    if ( unlikely(wolfSSL_set_fd(session->ssl, session->fd) != 1) ) {

        wolfSSL_ERR_error_string_n(wolfSSL_ERR_get_error(), ssl_msg, 1024);

        WSS_log_error("Unable to bind filedescriptor to SSL structure: %s", ssl_msg);

        WSS_disconnect(server, session);

        return false;

    }

    WSS_log_trace("Setting accept state");

    wolfSSL_set_accept_state(session->ssl);

    return true;

#else

    return false;

#endif

}

/**

 * Function frees SSL session instance that was used to serve over https.

 *

 * @param   session	[wss_session_t *] 	    "The session instance"

 * @param   lock	[pthread_rwlock_t *] 	"The read/write session lock"

 * @return 			[wss_error_t]           "An error or success"

 */

#if defined(USE_OPENSSL)

        }

        char message[1024];

        }

    }

#elif defined(USE_WOLFSSL)

    if ( unlikely((err = wolfSSL_shutdown(session->ssl)) < 0) ) {

        err = SSL_get_error(session->ssl, err);

        switch (err) {

            case SSL_ERROR_WANT_READ:

                pthread_rwlock_unlock(lock);

                return WSS_SSL_SHUTDOWN_READ_ERROR;

            case SSL_ERROR_WANT_WRITE:

                pthread_rwlock_unlock(lock);

                return WSS_SSL_SHUTDOWN_WRITE_ERROR;

            case SSL_ERROR_SYSCALL:

                WSS_log_error("SSL_shutdown failed: %s", strerror(errno));

                break;

            default:

                WSS_log_error("SSL_shutdown error code: %d", err);

                break;

        }

        char message[1024];

        while ( (err = wolfSSL_ERR_get_error()) != 0 ) {

            memset(message, '\0', 1024);

            wolfSSL_ERR_error_string_n(err, message, 1024);

            WSS_log_error("SSL_shutdown error: %s", message);

        }

        err = WSS_SSL_SHUTDOWN_ERROR;

    }

    wolfSSL_free(session->ssl);

    session->ssl = NULL;

#endif

}

/**

 * Function creates a sha1 hash of the key.

 *

 * @param   key	        [char *] 	            "The key to be hashed"

 * @param   key_length	[pthread_rwlock_t *] 	"The length of the key"

 * @param   hash	    [hash **] 	            "A pointer to where the hash should be stored"

 * @return 	[size_t]                            "The length of the hash"

 */

#if defined(USE_OPENSSL)

#elif defined(USE_WOLFSSL)

    Sha sha;

    wc_InitSha(&sha);

    wc_ShaUpdate(&sha, (const unsigned char *) key, key_length);

    wc_ShaFinal(&sha, (unsigned char *)*hash);

#else

    SHA1Context sha;

    int i, b;

    memset(*hash, '\0', SHA_DIGEST_LENGTH);

    SHA1Reset(&sha);

    SHA1Input(&sha, (const unsigned char*) key, key_length);

    if ( likely(SHA1Result(&sha)) ) {

        for (i = 0; likely(i < 5); i++) {

            b = htonl(sha.Message_Digest[i]);

            memcpy(*hash+(4*i), (unsigned char *) &b, 4);

        }

    }

#endif

}

/**

 * Function creates a sha1 hash of the key and base64 encodes it.

 *

 * @param   key	        [char *] 	            "The key to be hashed"

 * @param   key_length	[pthread_rwlock_t *] 	"The length of the key"

 * @param   accept_key  [char **] 	            "A pointer to where the hash should be stored"

 * @return 			    [size_t]                "Length of accept_key"

 */

#if defined(USE_OPENSSL) && ! defined(OPENSSL_IS_BORINGSSL)

#pragma GCC diagnostic push

#pragma GCC diagnostic ignored "-Wunused-value"

#pragma GCC diagnostic pop

        return 0;

    }

#elif defined(OPENSSL_IS_BORINGSSL)

    SHA1((const unsigned char *)key, key_length, (unsigned char*) sha1Key);

    *accept_key = b64_encode((const unsigned char *) sha1Key, SHA_DIGEST_LENGTH);

    acceptKeyLength = strlen(*accept_key);

#elif defined(USE_WOLFSSL)

    Sha sha;

    wc_InitSha(&sha);

    wc_ShaUpdate(&sha, (const unsigned char *) key, key_length);

    wc_ShaFinal(&sha, (unsigned char *)sha1Key);

    if ( unlikely(NULL == (*accept_key = WSS_malloc((SHA_DIGEST_LENGTH*4)/3+1))) ) {

        return 0;

    }

    *accept_key = b64_encode((const unsigned char *) sha1Key, SHA_DIGEST_LENGTH);

    acceptKeyLength = strlen(*accept_key);

#else

    SHA1Context sha;

    int i, b;

    SHA1Reset(&sha);

    SHA1Input(&sha, (const unsigned char*) key, key_length);

    if ( likely(SHA1Result(&sha)) ) {

        for (i = 0; likely(i < 5); i++) {

            b = htonl(sha.Message_Digest[i]);

            memcpy(sha1Key+(4*i), (unsigned char *) &b, 4);

        }

    } else {

        return 0;

    }

    *accept_key = b64_encode((const unsigned char *) sha1Key, SHA_DIGEST_LENGTH);

    acceptKeyLength = strlen(*accept_key);

#endif

}