2020-03-13 07:42:25 +00:00
|
|
|
/*
|
|
|
|
|
* lws-minimal-secure-streams-metadata
|
|
|
|
|
*
|
|
|
|
|
* Written in 2010-2020 by Andy Green <andy@warmcat.com>
|
|
|
|
|
*
|
|
|
|
|
* This file is made available under the Creative Commons CC0 1.0
|
|
|
|
|
* Universal Public Domain Dedication.
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* This demonstrates a minimal http client using secure streams api.
|
|
|
|
|
*
|
|
|
|
|
* It visits https://warmcat.com/ and receives the html page there.
|
|
|
|
|
*
|
|
|
|
|
* This example is built two different ways from the same source... one includes
|
|
|
|
|
* the policy everything needed to fulfil the stream directly. The other -client
|
|
|
|
|
* variant has no policy itself and some other minor init changes, and connects
|
|
|
|
|
* to the -proxy example to actually get the connection done.
|
|
|
|
|
*
|
|
|
|
|
* In the -client build case, the example does not even init the tls libraries
|
|
|
|
|
* since the proxy part will take care of all that.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <libwebsockets.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* uncomment to force network traffic through 127.0.0.1:1080
|
|
|
|
|
*
|
|
|
|
|
* On your local machine, you can run a SOCKS5 proxy like this
|
|
|
|
|
*
|
|
|
|
|
* $ ssh -N -D 0.0.0.0:1080 localhost -v
|
|
|
|
|
*
|
|
|
|
|
* If enabled, this also fetches a remote policy that also
|
|
|
|
|
* specifies that all traffic should go through the remote
|
|
|
|
|
* proxy.
|
|
|
|
|
*/
|
|
|
|
|
// #define VIA_LOCALHOST_SOCKS
|
|
|
|
|
|
|
|
|
|
static int interrupted, bad = 1, force_cpd_fail_portal,
|
|
|
|
|
force_cpd_fail_no_internet;
|
|
|
|
|
static lws_state_notify_link_t nl;
|
2020-03-14 06:56:41 +00:00
|
|
|
static const char *server_name_or_url = "warmcat.com";
|
2020-03-13 07:42:25 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If the -proxy app is fulfilling our connection, then we don't need to have
|
|
|
|
|
* the policy in the client.
|
|
|
|
|
*
|
|
|
|
|
* When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
|
|
|
|
|
* a Unix Domain Socket. To test that, you need to separately run the
|
|
|
|
|
* ./lws-minimal-secure-streams-proxy test app on the same machine.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if !defined(LWS_SS_USE_SSPC)
|
|
|
|
|
static const char * const default_ss_policy =
|
|
|
|
|
"{"
|
|
|
|
|
"\"release\":" "\"01234567\","
|
|
|
|
|
"\"product\":" "\"myproduct\","
|
|
|
|
|
"\"schema-version\":" "1,"
|
|
|
|
|
#if defined(VIA_LOCALHOST_SOCKS)
|
|
|
|
|
"\"via-socks5\":" "\"127.0.0.1:1080\","
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
"\"retry\": [" /* named backoff / retry strategies */
|
|
|
|
|
"{\"default\": {"
|
|
|
|
|
"\"backoff\": [" "1000,"
|
|
|
|
|
"2000,"
|
|
|
|
|
"3000,"
|
|
|
|
|
"5000,"
|
|
|
|
|
"10000"
|
|
|
|
|
"],"
|
|
|
|
|
"\"conceal\":" "5,"
|
|
|
|
|
"\"jitterpc\":" "20,"
|
|
|
|
|
"\"svalidping\":" "30,"
|
|
|
|
|
"\"svalidhup\":" "35"
|
|
|
|
|
"}}"
|
|
|
|
|
"],"
|
|
|
|
|
"\"certs\": [" /* named individual certificates in BASE64 DER */
|
|
|
|
|
/*
|
|
|
|
|
* Let's Encrypt certs for warmcat.com / libwebsockets.org
|
|
|
|
|
*
|
|
|
|
|
* We fetch the real policy from there using SS and switch to
|
|
|
|
|
* using that.
|
|
|
|
|
*/
|
2021-01-12 16:46:43 +00:00
|
|
|
"{\"dst_root_x3\": \""
|
|
|
|
|
"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/"
|
|
|
|
|
"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT"
|
|
|
|
|
"DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow"
|
|
|
|
|
"PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD"
|
|
|
|
|
"Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
|
|
|
|
|
"AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O"
|
|
|
|
|
"rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq"
|
|
|
|
|
"OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b"
|
|
|
|
|
"xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw"
|
|
|
|
|
"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD"
|
|
|
|
|
"aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV"
|
|
|
|
|
"HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG"
|
|
|
|
|
"SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69"
|
|
|
|
|
"ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr"
|
|
|
|
|
"AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz"
|
|
|
|
|
"R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5"
|
|
|
|
|
"JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo"
|
|
|
|
|
"Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ"
|
2020-03-13 07:42:25 +00:00
|
|
|
"\"}"
|
|
|
|
|
"],"
|
|
|
|
|
"\"trust_stores\": [" /* named cert chains */
|
|
|
|
|
"{"
|
2021-01-12 16:46:43 +00:00
|
|
|
"\"name\": \"le_via_dst\","
|
2020-03-13 07:42:25 +00:00
|
|
|
"\"stack\": ["
|
2021-01-12 16:46:43 +00:00
|
|
|
"\"dst_root_x3\""
|
2020-03-13 07:42:25 +00:00
|
|
|
"]"
|
|
|
|
|
"}"
|
|
|
|
|
"],"
|
|
|
|
|
"\"s\": ["
|
|
|
|
|
"{\"mintest\": {"
|
|
|
|
|
"\"endpoint\":" "\"${servername}\","
|
|
|
|
|
"\"port\":" "443,"
|
|
|
|
|
"\"protocol\":" "\"h1\","
|
|
|
|
|
"\"http_method\":" "\"GET\","
|
|
|
|
|
"\"http_url\":" "\"\","
|
|
|
|
|
"\"tls\":" "true,"
|
|
|
|
|
"\"opportunistic\":" "true,"
|
|
|
|
|
"\"retry\":" "\"default\","
|
2021-01-12 16:46:43 +00:00
|
|
|
"\"tls_trust_store\":" "\"le_via_dst\","
|
2020-03-13 07:42:25 +00:00
|
|
|
"\"metadata\": ["
|
|
|
|
|
"{\"servername\": \"\"}"
|
|
|
|
|
"]"
|
|
|
|
|
"}}"
|
|
|
|
|
"]}"
|
|
|
|
|
;
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
typedef struct myss {
|
|
|
|
|
struct lws_ss_handle *ss;
|
|
|
|
|
void *opaque_data;
|
|
|
|
|
/* ... application specific state ... */
|
|
|
|
|
lws_sorted_usec_list_t sul;
|
|
|
|
|
} myss_t;
|
|
|
|
|
|
|
|
|
|
/* secure streams payload interface */
|
|
|
|
|
|
2020-09-30 06:33:37 +01:00
|
|
|
static lws_ss_state_return_t
|
2020-03-13 07:42:25 +00:00
|
|
|
myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
|
|
|
|
|
{
|
|
|
|
|
// myss_t *m = (myss_t *)userobj;
|
|
|
|
|
|
|
|
|
|
lwsl_user("%s: len %d, flags: %d\n", __func__, (int)len, flags);
|
|
|
|
|
lwsl_hexdump_info(buf, len);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we received the whole message, for our example it means
|
|
|
|
|
* we are done.
|
|
|
|
|
*/
|
|
|
|
|
if (flags & LWSSS_FLAG_EOM) {
|
|
|
|
|
bad = 0;
|
|
|
|
|
interrupted = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-30 06:33:37 +01:00
|
|
|
static lws_ss_state_return_t
|
2020-03-13 07:42:25 +00:00
|
|
|
myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
|
|
|
|
|
int *flags)
|
|
|
|
|
{
|
|
|
|
|
//myss_t *m = (myss_t *)userobj;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-30 06:33:37 +01:00
|
|
|
static lws_ss_state_return_t
|
2020-03-13 07:42:25 +00:00
|
|
|
myss_state(void *userobj, void *sh, lws_ss_constate_t state,
|
|
|
|
|
lws_ss_tx_ordinal_t ack)
|
|
|
|
|
{
|
|
|
|
|
myss_t *m = (myss_t *)userobj;
|
|
|
|
|
|
2020-12-12 06:21:40 +00:00
|
|
|
lwsl_user("%s: %s, ord 0x%x\n", __func__, lws_ss_state_name((int)state),
|
2020-03-13 07:42:25 +00:00
|
|
|
(unsigned int)ack);
|
|
|
|
|
|
|
|
|
|
switch (state) {
|
|
|
|
|
case LWSSSCS_CREATING:
|
2020-03-14 06:56:41 +00:00
|
|
|
lwsl_notice("%s: CREATING: setting servername metadata to %s\n",
|
|
|
|
|
__func__, server_name_or_url);
|
2021-03-14 08:27:06 +00:00
|
|
|
if (lws_ss_set_metadata(m->ss, "servername", server_name_or_url,
|
|
|
|
|
strlen(server_name_or_url)))
|
|
|
|
|
return LWSSSSRET_DISCONNECT_ME;
|
2020-12-22 15:56:41 +00:00
|
|
|
return lws_ss_client_connect(m->ss);
|
|
|
|
|
|
2020-03-13 07:42:25 +00:00
|
|
|
case LWSSSCS_ALL_RETRIES_FAILED:
|
|
|
|
|
/* if we're out of retries, we want to close the app and FAIL */
|
|
|
|
|
interrupted = 1;
|
|
|
|
|
break;
|
|
|
|
|
case LWSSSCS_QOS_ACK_REMOTE:
|
|
|
|
|
lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
|
|
|
|
|
int current, int target)
|
|
|
|
|
{
|
|
|
|
|
struct lws_context *context = lws_system_context_from_system_mgr(mgr);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* For the things we care about, let's notice if we are trying to get
|
|
|
|
|
* past them when we haven't solved them yet, and make the system
|
|
|
|
|
* state wait while we trigger the dependent action.
|
|
|
|
|
*/
|
|
|
|
|
switch (target) {
|
|
|
|
|
|
|
|
|
|
case LWS_SYSTATE_OPERATIONAL:
|
|
|
|
|
if (current == LWS_SYSTATE_OPERATIONAL) {
|
|
|
|
|
lws_ss_info_t ssi;
|
|
|
|
|
|
|
|
|
|
/* We're making an outgoing secure stream ourselves */
|
|
|
|
|
|
|
|
|
|
memset(&ssi, 0, sizeof(ssi));
|
|
|
|
|
ssi.handle_offset = offsetof(myss_t, ss);
|
|
|
|
|
ssi.opaque_user_data_offset = offsetof(myss_t,
|
|
|
|
|
opaque_data);
|
|
|
|
|
ssi.rx = myss_rx;
|
|
|
|
|
ssi.tx = myss_tx;
|
|
|
|
|
ssi.state = myss_state;
|
|
|
|
|
ssi.user_alloc = sizeof(myss_t);
|
|
|
|
|
ssi.streamtype = "mintest";
|
|
|
|
|
|
|
|
|
|
if (lws_ss_create(context, 0, &ssi, NULL, NULL,
|
|
|
|
|
NULL, NULL)) {
|
|
|
|
|
lwsl_err("%s: failed to create secure stream\n",
|
|
|
|
|
__func__);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static lws_state_notify_link_t * const app_notifier_list[] = {
|
|
|
|
|
&nl, NULL
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
sigint_handler(int sig)
|
|
|
|
|
{
|
|
|
|
|
interrupted = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int main(int argc, const char **argv)
|
|
|
|
|
{
|
|
|
|
|
struct lws_context_creation_info info;
|
|
|
|
|
struct lws_context *context;
|
2020-03-14 06:56:41 +00:00
|
|
|
const char *p;
|
2020-03-13 07:42:25 +00:00
|
|
|
int n = 0;
|
|
|
|
|
|
|
|
|
|
signal(SIGINT, sigint_handler);
|
|
|
|
|
|
|
|
|
|
memset(&info, 0, sizeof info);
|
|
|
|
|
lws_cmdline_option_handle_builtin(argc, argv, &info);
|
|
|
|
|
|
|
|
|
|
lwsl_user("LWS secure streams test client [-d<verb>]\n");
|
|
|
|
|
|
|
|
|
|
/* these options are mutually exclusive if given */
|
|
|
|
|
|
|
|
|
|
if (lws_cmdline_option(argc, argv, "--force-portal"))
|
|
|
|
|
force_cpd_fail_portal = 1;
|
|
|
|
|
|
|
|
|
|
if (lws_cmdline_option(argc, argv, "--force-no-internet"))
|
|
|
|
|
force_cpd_fail_no_internet = 1;
|
|
|
|
|
|
|
|
|
|
info.fd_limit_per_thread = 1 + 6 + 1;
|
|
|
|
|
info.port = CONTEXT_PORT_NO_LISTEN;
|
|
|
|
|
|
|
|
|
|
#if defined(LWS_SS_USE_SSPC)
|
|
|
|
|
info.protocols = lws_sspc_protocols;
|
2020-03-14 06:56:41 +00:00
|
|
|
|
|
|
|
|
/* connect to ssproxy via UDS by default, else via
|
|
|
|
|
* tcp connection to this port */
|
|
|
|
|
if ((p = lws_cmdline_option(argc, argv, "-p")))
|
2020-12-12 06:21:40 +00:00
|
|
|
info.ss_proxy_port = (uint16_t)atoi(p);
|
2020-03-14 06:56:41 +00:00
|
|
|
|
|
|
|
|
/* UDS "proxy.ss.lws" in abstract namespace, else this socket
|
|
|
|
|
* path; when -p given this can specify the network interface
|
|
|
|
|
* to bind to */
|
|
|
|
|
if ((p = lws_cmdline_option(argc, argv, "-i")))
|
|
|
|
|
info.ss_proxy_bind = p;
|
|
|
|
|
|
|
|
|
|
/* if -p given, -a specifies the proxy address to connect to */
|
|
|
|
|
if ((p = lws_cmdline_option(argc, argv, "-a")))
|
|
|
|
|
info.ss_proxy_address = p;
|
2020-03-13 07:42:25 +00:00
|
|
|
#else
|
|
|
|
|
info.pss_policies_json = default_ss_policy;
|
|
|
|
|
info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
|
|
|
|
|
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-03-14 06:56:41 +00:00
|
|
|
if ((p = lws_cmdline_option(argc, argv, "-u")))
|
|
|
|
|
server_name_or_url = p;
|
|
|
|
|
|
2020-03-13 07:42:25 +00:00
|
|
|
/* integrate us with lws system state management when context created */
|
|
|
|
|
|
|
|
|
|
nl.name = "app";
|
|
|
|
|
nl.notify_cb = app_system_state_nf;
|
|
|
|
|
info.register_notifier_list = app_notifier_list;
|
|
|
|
|
|
|
|
|
|
/* create the context */
|
|
|
|
|
|
|
|
|
|
context = lws_create_context(&info);
|
|
|
|
|
if (!context) {
|
|
|
|
|
lwsl_err("lws init failed\n");
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* the event loop */
|
|
|
|
|
|
|
|
|
|
while (n >= 0 && !interrupted)
|
|
|
|
|
n = lws_service(context, 0);
|
|
|
|
|
|
|
|
|
|
lws_context_destroy(context);
|
|
|
|
|
|
|
|
|
|
lwsl_user("Completed: %s\n", bad ? "failed" : "OK");
|
|
|
|
|
|
|
|
|
|
return bad;
|
|
|
|
|
}
|
