sspc: add request_tx length variant

Add in the missing request_tx length variant, serialization and proxy
handling for it

include/libwebsockets/lws-secure-streams-client.h

@@ -45,6 +45,7 @@
 #define lws_ss_create			lws_sspc_create
 #define lws_ss_destroy			lws_sspc_destroy
 #define lws_ss_request_tx		lws_sspc_request_tx
+#define lws_ss_request_tx_len		lws_sspc_request_tx_len
 #define lws_ss_client_connect		lws_sspc_client_connect
 #define lws_ss_get_sequencer		lws_sspc_get_sequencer
 #define lws_ss_proxy_create		lws_sspc_proxy_create
@@ -64,8 +65,8 @@ struct lws_sspc_handle;
 
 LWS_VISIBLE LWS_EXTERN int
 lws_sspc_create(struct lws_context *context, int tsi, const lws_ss_info_t *ssi,
-	      void *opaque_user_data, struct lws_sspc_handle **ppss,
-	      struct lws_sequencer *seq_owner, const char **ppayload_fmt);
+		void *opaque_user_data, struct lws_sspc_handle **ppss,
+		struct lws_sequencer *seq_owner, const char **ppayload_fmt);
 
 /**
  * lws_sspc_destroy() - Destroy secure stream
@@ -89,6 +90,26 @@ lws_sspc_destroy(struct lws_sspc_handle **ppss);
 LWS_VISIBLE LWS_EXTERN void
 lws_sspc_request_tx(struct lws_sspc_handle *pss);
 
+/**
+ * lws_sspc_request_tx_len() - Schedule stream for tx with length hint
+ *
+ * \param h: pointer to handle representing stream that wants to transmit
+ * \param len: the length of the write in bytes
+ *
+ * Schedules a write on the stream represented by \p pss.  When it's possible to
+ * write on this stream, the *tx callback will occur with an empty buffer for
+ * the stream owner to fill in.
+ *
+ * This api variant should be used when it's possible the payload will go out
+ * over h1 with x-web-form-urlencoded or similar Content-Type.
+ *
+ * The serialized, sspc type api actually serializes and forwards the length
+ * hint to its upstream proxy, where it's available for use to produce the
+ * internet-capable protocol framing.
+ */
+LWS_VISIBLE LWS_EXTERN void
+lws_sspc_request_tx_len(struct lws_sspc_handle *h, unsigned long len);
+
 /**
  * lws_sspc_client_connect() - Attempt the client connect
  *

include/libwebsockets/lws-secure-streams.h

@@ -100,6 +100,11 @@
  *   -  1: 2-byte MSB-first rest-of-frame length 00, 04
  *   -  3: 4-byte MSB-first unsigned 32-bit timeout, 0 = use policy, -1 = cancel
  *
+ * - Passing up payload length hint
+ *
+ *   -  0: LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT
+ *   -  1: 2-byte MSB-first rest-of-frame length 00, 04
+ *   -  3: 4-byte MSB-first unsigned 32-bit payload length hint
  *
  * Proxy to client
  *
@@ -233,6 +238,7 @@ enum {
 	LWSSS_SER_TXPRE_METADATA,
 	LWSSS_SER_TXPRE_TXCR_UPDATE,
 	LWSSS_SER_TXPRE_TIMEOUT_UPDATE,
+	LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT,
 	LWSSS_SER_TXPRE_TLSNEG_ENCLAVE_SIGNED,
 };
 

lib/secure-streams/private-lib-secure-streams.h

@@ -269,6 +269,8 @@ typedef struct lws_sspc_handle {
 
 	lws_usec_t		us_earliest_write_req;
 
+	unsigned long		writeable_len;
+
 	lws_ss_conn_states_t	state;
 
 	uint32_t		timeout_ms;

lib/secure-streams/secure-streams-client.c

@@ -248,30 +248,49 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason,
 				cp = p;
 				n = lws_sspc_serialize_metadata(md, p);
 
-				/* in case anything else to write */
-				lws_callback_on_writable(h->cwsi);
+				lwsl_debug("%s: (local_conn) metadata\n", __func__);
 
+				goto req_write_and_issue;
+			}
+
+			if (h->pending_writeable_len) {
+				lwsl_debug("%s: (local_conn) PAYLOAD_LENGTH_HINT %u\n",
+					   __func__, (unsigned int)h->writeable_len);
+				s[0] = LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT;
+				lws_ser_wu16be(&s[1], 4);
+				lws_ser_wu32be(&s[3], h->writeable_len);
+				h->pending_writeable_len = 0;
+				n = 7;
+				goto req_write_and_issue;
+			}
+
+			if (h->conn_req_state >= LWSSSPC_ONW_ONGOING) {
+				lwsl_info("%s: conn_req_state %d\n", __func__,
+						h->conn_req_state);
 				break;
 			}
 
+			lwsl_info("%s: (local_conn) onward connect\n", __func__);
+
+			h->conn_req_state = LWSSSPC_ONW_ONGOING;
 
-			h->conn_req = 0;
 			s[0] = LWSSS_SER_TXPRE_ONWARD_CONNECT;
 			s[1] = 0;
 			s[2] = 0;
 			n = 3;
 			break;
 
-		case LPCS_OPERATIONAL:
+		case LPCSCLI_OPERATIONAL:
+
+			lwsl_notice("%s: LPCSCLI_OPERATIONAL\n", __func__);
 
 			/*
-			 * Do we want to adjust the peer's ability to write
-			 * to us?
-			 */
-
-			/*
-			 * Do we need to prioritize sending any metadata
-			 * changes?
+			 *
+			 * - Do we need to prioritize sending any metadata
+			 *   changes?  (includes txcr updates)
+			 *
+			 * - Do we need to forward a hint about the payload
+			 *   length?
 			 */
 
 			if (h->metadata_owner.count) {
@@ -282,12 +301,19 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason,
 				cp = p;
 				n = lws_sspc_serialize_metadata(md, p);
 
-				/* in case anything else to write */
-				lws_callback_on_writable(h->cwsi);
-
-				break;
+				goto req_write_and_issue;
 			}
 
+			if (h->pending_writeable_len) {
+				lwsl_info("%s: PAYLOAD_LENGTH_HINT %u\n",
+					   __func__, (unsigned int)h->writeable_len);
+				s[0] = LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT;
+				lws_ser_wu16be(&s[1], 4);
+				lws_ser_wu32be(&s[3], h->writeable_len);
+				h->pending_writeable_len = 0;
+				n = 7;
+				goto req_write_and_issue;
+			}
 
 			/* we can't write anything if we don't have credit */
 			if (!h->ignore_txc && h->txc.tx_cr <= 0) {
@@ -328,6 +354,8 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason,
 			break;
 		}
 
+do_write_nz:
+
 		if (!n)
 			break;
 
@@ -350,6 +378,11 @@ hangup:
 	lwsl_warn("hangup\n");
 	/* hang up on him */
 	return -1;
+
+req_write_and_issue:
+	/* in case anything else to write */
+	lws_callback_on_writable(h->cwsi);
+	goto do_write_nz;
 }
 
 const struct lws_protocols lws_sspc_protocols[] = {
@@ -484,17 +517,72 @@ lws_sspc_request_tx(lws_sspc_handle_t *h)
 	if (!h->us_earliest_write_req)
 		h->us_earliest_write_req = lws_now_usecs();
 
+	if (h->state == LPCSCLI_LOCAL_CONNECTED &&
+	    h->conn_req_state == LWSSSPC_ONW_NONE)
+		h->conn_req_state = LWSSSPC_ONW_REQ;
+
+	lws_callback_on_writable(h->cwsi);
+}
+
+/*
+ * Currently we fulfil the writeable part locally by just enabling POLLOUT on
+ * the UDS link, without serialization footprint, which is reasonable as far as
+ * it goes.
+ *
+ * But for the ..._len() variant, the expected payload length hint we are being
+ * told is something that must be serialized to the onward peer, since either
+ * that guy or someone upstream of him is the guy who will compose the framing
+ * with it that actually goes out.
+ *
+ * This information is needed at the upstream guy before we have sent any
+ * payload, eg, for http POST, he has to prepare the content-length in the
+ * headers, before any payload.  So we have to issue a serialization of the
+ * length at this point.
+ */
+
+void
+lws_sspc_request_tx_len(lws_sspc_handle_t *h, unsigned long len)
+{
+	/*
+	 * for client conns, they cannot even complete creation of the handle
+	 * without the onwared connection to the proxy, it's not legal to start
+	 * using it until it's operation and has the onward connection (and has
+	 * called CREATED state)
+	 */
+
+	if (!h)
+		return;
+
+	lwsl_notice("%s: setting h %p writeable_len %u\n", __func__, h,
+			(unsigned int)len);
+	h->writeable_len = len;
+	h->pending_writeable_len = 1;
+
+	if (!h->us_earliest_write_req)
+		h->us_earliest_write_req = lws_now_usecs();
+
+	if (h->state == LPCSCLI_LOCAL_CONNECTED &&
+	    h->conn_req_state == LWSSSPC_ONW_NONE)
+		h->conn_req_state = LWSSSPC_ONW_REQ;
+
+	/*
+	 * We're going to use this up with serializing h->writeable_len... that
+	 * will request again.
+	 */
+
 	lws_callback_on_writable(h->cwsi);
 }
 
 int
 lws_sspc_client_connect(lws_sspc_handle_t *h)
 {
-	if (!h || h->state == LPCS_OPERATIONAL)
+	if (!h || h->state == LPCSCLI_OPERATIONAL)
 		return 0;
 
-	assert(h->state == LPCS_LOCAL_CONNECTED);
-	h->conn_req = 1;
+	assert(h->state == LPCSCLI_LOCAL_CONNECTED);
+	if (h->state == LPCSCLI_LOCAL_CONNECTED &&
+	    h->conn_req_state == LWSSSPC_ONW_NONE)
+		h->conn_req_state = LWSSSPC_ONW_REQ;
 	if (h->cwsi)
 		lws_callback_on_writable(h->cwsi);
 

lib/secure-streams/secure-streams-serialize.c

@@ -74,6 +74,8 @@ typedef enum {
 
 	RPAR_TIMEOUT0,
 
+	RPAR_PAYLEN0,
+
 	RPAR_RESULT_CREATION,
 
 	RPAR_STATEINDEX,
@@ -392,6 +394,15 @@ lws_ss_deserialize_parse(struct lws_ss_serialization_parser *par,
 				par->ctr = 0;
 				break;
 
+			case LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT:
+				if (client)
+					goto hangup;
+				if (par->rem != 4)
+					goto hangup;
+				par->ps = RPAR_PAYLEN0;
+				par->ctr = 0;
+				break;
+
 			/* client side */
 
 			case LWSSS_SER_RXPRE_RX_PAYLOAD:
@@ -727,6 +738,29 @@ payload_ff:
 			par->ps = RPAR_TYPE;
 			break;
 
+		case RPAR_PAYLEN0:
+			/*
+			 * It's the length from lws_ss_request_tx_len() being
+			 * passed up to us
+			 */
+			par->temp32 = (par->temp32 << 8) | *cp++;
+			if (++par->ctr < 4) {
+				if (!--par->rem)
+					goto hangup;
+				break;
+			}
+
+			if (--par->rem)
+				goto hangup;
+
+			lwsl_notice("%s: set payload len %u\n", __func__,
+				    par->temp32);
+
+			lws_ss_request_tx_len(*pss, par->temp32);
+
+			par->ps = RPAR_TYPE;
+			break;
+
 		case RPAR_METADATA_NAMELEN:
 			if (!--par->rem)
 				goto hangup;

lib/secure-streams/secure-streams.c

@@ -947,10 +947,14 @@ lws_ss_request_tx(lws_ss_handle_t *h)
 void
 lws_ss_request_tx_len(lws_ss_handle_t *h, unsigned long len)
 {
-	if (h->wsi)
+	if (h->wsi &&
+	    (h->policy->protocol == LWSSSP_H1 ||
+	     h->policy->protocol == LWSSSP_H2 ||
+	     h->policy->protocol == LWSSSP_WS))
 		h->wsi->http.writeable_len = len;
 	else
 		h->writeable_len = len;
+
 	lws_ss_request_tx(h);
 }
 

minimal-examples/secure-streams/minimal-secure-streams-post/CMakeLists.txt

@@ -0,0 +1,47 @@
+project(lws-minimal-secure-streams-post C)
+cmake_minimum_required(VERSION 2.8)
+find_package(libwebsockets CONFIG REQUIRED)
+list(APPEND CMAKE_MODULE_PATH ${LWS_CMAKE_DIR})
+include(CheckCSourceCompiles)
+include(LwsCheckRequirements)
+
+set(SAMP lws-minimal-secure-streams-post)
+
+set(requirements 1)
+require_lws_config(LWS_ROLE_H1 1 requirements)
+require_lws_config(LWS_WITHOUT_CLIENT 0 requirements)
+require_lws_config(LWS_WITH_SECURE_STREAMS 1 requirements)
+require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements)
+require_lws_config(LWS_WITH_SYS_STATE 1 requirements)
+
+if (requirements)
+	add_executable(${SAMP} minimal-secure-streams-post.c)
+
+	if (LWS_CTEST_INTERNET_AVAILABLE)
+		add_test(NAME sspost-warmcat COMMAND lws-minimal-secure-streams-post)
+		set_tests_properties(sspost-warmcat
+				     PROPERTIES
+				     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/secure-streams/minimal-secure-streams-post
+				     TIMEOUT 20)
+	endif()
+
+	if (websockets_shared)
+		target_link_libraries(${SAMP} websockets_shared ${LIBWEBSOCKETS_DEP_LIBS})
+		add_dependencies(${SAMP} websockets_shared)
+	else()
+		target_link_libraries(${SAMP} websockets ${LIBWEBSOCKETS_DEP_LIBS})
+	endif()
+
+	if (LWS_WITH_SECURE_STREAMS_PROXY_API)
+		add_compile_options(-DLWS_SS_USE_SSPC)
+
+		add_executable(${SAMP}-client minimal-secure-streams-post.c)
+		if (websockets_shared)
+			target_link_libraries(${SAMP}-client websockets_shared ${LIBWEBSOCKETS_DEP_LIBS})
+			add_dependencies(${SAMP}-client websockets_shared)
+		else()
+			target_link_libraries(${SAMP}-client websockets ${LIBWEBSOCKETS_DEP_LIBS})
+		endif()
+	endif()
+
+endif()

minimal-examples/secure-streams/minimal-secure-streams-post/README.md

@@ -0,0 +1,66 @@
+# lws minimal secure streams
+
+The application goes to https://warmcat.com and reads index.html there.
+
+It does it using Secure Streams... the main code in minimal-secure-streams.c
+just sets up the context and opens a secure stream of type "mintest".
+
+The handler for state changes and payloads for "mintest" is in ss-myss.c
+
+The information about how a "mintest" stream should connect and the
+protocol it uses is kept separated in policy-database.c
+
+## build
+
+```
+ $ cmake . && make
+```
+
+## usage
+
+Commandline option|Meaning
+---|---
+-d <loglevel>|Debug verbosity in decimal, eg, -d15
+-f| Force connecting to the wrong endpoint to check backoff retry flow
+-p| Run as proxy server for clients to connect to over unix domain socket
+--force-portal|Force the SS Captive Portal Detection to feel it's behind a portal
+--force-no-internet|Force the SS Captive Portal Detection to feel it can't reach the internet
+
+```
+[2019/08/12 07:16:11:0045] USR: LWS minimal secure streams [-d<verbosity>] [-f]
+[2019/08/12 07:16:12:6102] USR: myss_state: LWSSSCS_CREATING, ord 0x0
+[2019/08/12 07:16:12:6107] USR: myss_state: LWSSSCS_POLL, ord 0x0
+[2019/08/12 07:16:12:6117] N: lws_ss_client_connect: connecting h1get warmcat.com /
+[2019/08/12 07:16:12:6118] USR: myss_state: LWSSSCS_CONNECTING, ord 0x0
+[2019/08/12 07:16:13:4171] USR: myss_state: LWSSSCS_CONNECTED, ord 0x0
+[2019/08/12 07:16:13:4222] USR: myss_rx: len 1024, flags: 1
+[2019/08/12 07:16:13:4243] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4244] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4244] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4245] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4246] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4247] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4252] USR: myss_rx: len 1015, flags: 0
+[2019/08/12 07:16:13:4264] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4265] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4266] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4267] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4268] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4268] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4269] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4270] USR: myss_rx: len 1015, flags: 0
+[2019/08/12 07:16:13:4278] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4279] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4280] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4281] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4282] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4283] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4283] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4284] USR: myss_rx: len 1015, flags: 0
+[2019/08/12 07:16:13:4287] USR: myss_rx: len 1024, flags: 0
+[2019/08/12 07:16:13:4288] USR: myss_rx: len 947, flags: 0
+[2019/08/12 07:16:13:4293] USR: myss_rx: len 0, flags: 2
+[2019/08/12 07:16:13:4399] USR: myss_state: LWSSSCS_DISCONNECTED, ord 0x0
+[2019/08/12 07:16:13:4761] USR: myss_state: LWSSSCS_DESTROYING, ord 0x0
+[2019/08/12 07:16:13:4781] USR: Completed: OK
+```

minimal-examples/secure-streams/minimal-secure-streams-post/minimal-secure-streams-post.c

@@ -0,0 +1,520 @@
+/*
+ * lws-minimal-secure-streams-post
+ *
+ * Written in 2010-2020 by Andy Green <andy@warmcat.com>
+ *
+ * This file is made available under the Creative Commons CC0 1.0
+ * Universal Public Domain Dedication.
+ *
+ *
+ * This demonstrates a minimal http client using secure streams api.
+ *
+ * It visits https://warmcat.com/ and receives the html page there.
+ *
+ * This example is built two different ways from the same source... one includes
+ * the policy everything needed to fulfil the stream directly.  The other -client
+ * variant has no policy itself and some other minor init changes, and connects
+ * to the -proxy example to actually get the connection done.
+ *
+ * In the -client build case, the example does not even init the tls libraries
+ * since the proxy part will take care of all that.
+ */
+
+#include <libwebsockets.h>
+#include <string.h>
+#include <signal.h>
+
+/*
+ * uncomment to force network traffic through 127.0.0.1:1080
+ *
+ * On your local machine, you can run a SOCKS5 proxy like this
+ *
+ * $ ssh -N -D 0.0.0.0:1080 localhost -v
+ *
+ * If enabled, this also fetches a remote policy that also
+ * specifies that all traffic should go through the remote
+ * proxy.
+ */
+// #define VIA_LOCALHOST_SOCKS
+
+static int interrupted, bad = 1, force_cpd_fail_portal,
+	   force_cpd_fail_no_internet;
+static unsigned int timeout_ms = 3000;
+static lws_state_notify_link_t nl;
+
+static const char * const postbody =
+	"--boundary\r\n"
+	"Content-Disposition: form-data; name=\"text\"\r\n"
+	"\r\n"
+	"value1\r\n"
+	"--boundary\r\n"
+	"Content-Disposition: form-data; "
+		"name=\"field2\"; filename=\"example.txt\"\r\n"
+	"\r\n"
+	"value2\r\n"
+	"--boundary--\r\n";
+
+#define POSTBODY_SIZE strlen(postbody)
+
+/*
+ * If the -proxy app is fulfilling our connection, then we don't need to have
+ * the policy in the client.
+ *
+ * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
+ * a Unix Domain Socket.  To test that, you need to separately run the
+ * ./lws-minimal-secure-streams-proxy test app on the same machine.
+ */
+
+#if !defined(LWS_SS_USE_SSPC)
+static const char * const default_ss_policy =
+	"{"
+	  "\"release\":"			"\"01234567\","
+	  "\"product\":"			"\"myproduct\","
+	  "\"schema-version\":"			"1,"
+#if defined(VIA_LOCALHOST_SOCKS)
+	  "\"via-socks5\":"                     "\"127.0.0.1:1080\","
+#endif
+
+	  "\"retry\": ["	/* named backoff / retry strategies */
+		"{\"default\": {"
+			"\"backoff\": ["	 "1000,"
+						 "2000,"
+						 "3000,"
+						 "5000,"
+						"10000"
+				"],"
+			"\"conceal\":"		"5,"
+			"\"jitterpc\":"		"20,"
+			"\"svalidping\":"	"30,"
+			"\"svalidhup\":"	"35"
+		"}}"
+	  "],"
+	  "\"certs\": [" /* named individual certificates in BASE64 DER */
+		/*
+		 * Let's Encrypt certs for warmcat.com / libwebsockets.org
+		 *
+		 * We fetch the real policy from there using SS and switch to
+		 * using that.
+		 */
+		"{\"isrg_root_x1\": \"" /* ISRG ROOT X1 */
+	"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw"
+	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
+	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4"
+	"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu"
+	"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY"
+	"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc"
+	"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+"
+	"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U"
+	"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW"
+	"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH"
+	"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC"
+	"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv"
+	"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn"
+	"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn"
+	"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw"
+	"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI"
+	"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV"
+	"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq"
+	"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL"
+	"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ"
+	"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK"
+	"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5"
+	"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur"
+	"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC"
+	"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc"
+	"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq"
+	"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA"
+	"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d"
+	"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc="
+		"\"},"
+		"{\"LEX3_isrg_root_x1\": \"" /* LE X3 signed by ISRG X1 root */
+	"MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw"
+	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
+	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1"
+	"WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg"
+	"RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi"
+	"MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX"
+	"NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf"
+	"89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl"
+	"Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc"
+	"Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz"
+	"uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB"
+	"AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU"
+	"BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB"
+	"FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo"
+	"SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js"
+	"LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF"
+	"BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG"
+	"AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD"
+	"VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB"
+	"ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx"
+	"A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM"
+	"UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2"
+	"DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1"
+	"eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu"
+	"OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw"
+	"p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY"
+	"2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0"
+	"ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR"
+	"PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b"
+	"rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt"
+		"\"}"
+	  "],"
+	  "\"trust_stores\": [" /* named cert chains */
+		"{"
+			"\"name\": \"le_via_isrg\","
+			"\"stack\": ["
+				"\"isrg_root_x1\","
+				"\"LEX3_isrg_root_x1\""
+			"]"
+		"}"
+	  "],"
+	  "\"s\": ["
+	  	/*
+		 * "fetch_policy" decides from where the real policy
+		 * will be fetched, if present.  Otherwise the initial
+		 * policy is treated as the whole, hardcoded, policy.
+		 */
+		"{\"fetch_policy\": {"
+			"\"endpoint\":"		"\"warmcat.com\","
+			"\"port\":"		"443,"
+			"\"protocol\":"		"\"h1\","
+			"\"http_method\":"	"\"GET\","
+#if defined(VIA_LOCALHOST_SOCKS)
+			"\"http_url\":"		"\"policy/minimal-proxy-socks.json\","
+#else
+			"\"http_url\":"		"\"policy/minimal-proxy.json\","
+#endif
+			"\"tls\":"		"true,"
+			"\"opportunistic\":"	"true,"
+			"\"retry\":"		"\"default\","
+			"\"tls_trust_store\":"	"\"le_via_isrg\""
+		"}},{"
+			/*
+			 * "captive_portal_detect" describes
+			 * what to do in order to check if the path to
+			 * the Internet is being interrupted by a
+			 * captive portal.  If there's a larger policy
+			 * fetched from elsewhere, it should also include
+			 * this since it needs to be done at least after
+			 * every DHCP acquisition
+			 */
+		    "\"captive_portal_detect\": {"
+                        "\"endpoint\": \"connectivitycheck.android.com\","
+			"\"http_url\": \"generate_204\","
+			"\"port\": 80,"
+                        "\"protocol\": \"h1\","
+                        "\"http_method\": \"GET\","
+                        "\"opportunistic\": true,"
+                        "\"http_expect\": 204,"
+			"\"http_fail_redirect\": true"
+                "}}"
+	"]}"
+;
+
+#endif
+
+typedef struct myss {
+	struct lws_ss_handle 		*ss;
+	void				*opaque_data;
+	/* ... application specific state ... */
+	lws_sorted_usec_list_t		sul;
+} myss_t;
+
+#if !defined(LWS_SS_USE_SSPC)
+
+static const char *canned_root_token_payload =
+	"grant_type=refresh_token"
+	"&refresh_token=Atzr|IwEBIJedGXjDqsU_vMxykqOMg"
+	"SHfYe3CPcedueWEMWSDMaDnEmiW8RlR1Kns7Cb4B-TOSnqp7ifVsY4BMY2B8tpHfO39XP"
+	"zfu9HapGjTR458IyHX44FE71pWJkGZ79uVBpljP4sazJuk8XS3Oe_yLnm_DIO6fU1nU3Y"
+	"0flYmsOiOAQE_gRk_pdlmEtHnpMA-9rLw3mkY5L89Ty9kUygBsiFaYatouROhbsTn8-jW"
+	"k1zZLUDpT6ICtBXSnrCIg0pUbZevPFhTwdXd6eX-u4rq0W-XaDvPWFO7au-iPb4Zk5eZE"
+	"iX6sissYrtNmuEXc2uHu7MnQO1hHCaTdIO2CANVumf-PHSD8xseamyh04sLV5JgFzY45S"
+	"KvKMajiUZuLkMokOx86rjC2Hdkx5DO7G-dbG1ufBDG-N79pFMSs7Ck5pc283IdLoJkCQc"
+	"AGvTX8o8I29QqkcGou-9TKhOJmpX8As94T61ok0UqqEKPJ7RhfQHHYdCtsdwxgvfVr9qI"
+	"xL_hDCcTho8opCVX-6QhJHl6SQFlTw13"
+	"&client_id="
+		"amzn1.application-oa2-client.4823334c434b4190a2b5a42c07938a2d";
+
+#endif
+
+/* secure streams payload interface */
+
+static int
+myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
+{
+//	myss_t *m = (myss_t *)userobj;
+
+	lwsl_user("%s: len %d, flags: %d\n", __func__, (int)len, flags);
+	lwsl_hexdump_info(buf, len);
+
+	/*
+	 * If we received the whole message, for our example it means
+	 * we are done.
+	 */
+	if (flags & LWSSS_FLAG_EOM) {
+		bad = 0;
+		interrupted = 1;
+	}
+
+	return 0;
+}
+
+static int
+myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
+	int *flags)
+{
+	// myss_t *m = (myss_t *)userobj;
+
+	/*
+	 * A more flexible solution would send incrementally tracking the
+	 * status in members in m above.
+	 */
+
+	if (*len < POSTBODY_SIZE)
+		return LWSSSSRET_TX_DONT_SEND;
+
+	*flags = LWSSS_FLAG_SOM | LWSSS_FLAG_EOM;
+
+	memcpy(buf, postbody, strlen(postbody));
+	*len = POSTBODY_SIZE;
+
+	return 0;
+}
+
+static int
+myss_state(void *userobj, void *sh, lws_ss_constate_t state,
+	   lws_ss_tx_ordinal_t ack)
+{
+	myss_t *m = (myss_t *)userobj;
+
+	lwsl_user("%s: h %p, %s, ord 0x%x\n", __func__, m->ss,
+			lws_ss_state_name(state), (unsigned int)ack);
+
+	switch (state) {
+	case LWSSSCS_CREATING:
+
+		/*
+		 * CREATING is only coming after we have asked the upstream
+		 * proxy to create the stream and it has been allowed.
+		 */
+
+		lws_ss_set_metadata(m->ss, "ctype",
+				    "multipart/form-data;boundary=\"boundary\"",
+				    39);
+
+		/* provide a hint about the payload size */
+		lws_ss_request_tx_len(m->ss, strlen(postbody));
+		break;
+	case LWSSSCS_CONNECTED:
+		lws_ss_request_tx(m->ss);
+		break;
+	case LWSSSCS_ALL_RETRIES_FAILED:
+		/* if we're out of retries, we want to close the app and FAIL */
+		interrupted = 1;
+		break;
+	case LWSSSCS_QOS_ACK_REMOTE:
+		lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
+		break;
+
+	case LWSSSCS_TIMEOUT:
+		lwsl_notice("%s: LWSSSCS_TIMEOUT\n", __func__);
+		break;
+	default:
+		break;
+	}
+
+	return 0;
+}
+
+static int
+app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
+		    int current, int target)
+{
+	struct lws_context *context = lws_system_context_from_system_mgr(mgr);
+#if !defined(LWS_SS_USE_SSPC)
+
+	lws_system_blob_t *ab = lws_system_get_blob(context,
+				LWS_SYSBLOB_TYPE_AUTH, 1 /* AUTH_IDX_ROOT */);
+	size_t size;
+#endif
+
+	/*
+	 * For the things we care about, let's notice if we are trying to get
+	 * past them when we haven't solved them yet, and make the system
+	 * state wait while we trigger the dependent action.
+	 */
+	switch (target) {
+
+#if !defined(LWS_SS_USE_SSPC)
+
+	case LWS_SYSTATE_REGISTERED:
+		size = lws_system_blob_get_size(ab);
+		if (size)
+			break;
+
+		/* let's register our canned root token so auth can use it */
+		lws_system_blob_direct_set(ab,
+				(const uint8_t *)canned_root_token_payload,
+				strlen(canned_root_token_payload));
+		break;
+
+#endif
+
+	case LWS_SYSTATE_OPERATIONAL:
+		if (current == LWS_SYSTATE_OPERATIONAL) {
+			lws_ss_info_t ssi;
+
+			/* We're making an outgoing secure stream ourselves */
+
+			memset(&ssi, 0, sizeof(ssi));
+			ssi.handle_offset = offsetof(myss_t, ss);
+			ssi.opaque_user_data_offset = offsetof(myss_t,
+							       opaque_data);
+			ssi.rx = myss_rx;
+			ssi.tx = myss_tx;
+			ssi.state = myss_state;
+			ssi.user_alloc = sizeof(myss_t);
+			ssi.streamtype = "minpost";
+
+			if (lws_ss_create(context, 0, &ssi, NULL, NULL,
+					  NULL, NULL)) {
+				lwsl_err("%s: failed to create secure stream\n",
+					 __func__);
+				return -1;
+			}
+		}
+		break;
+	}
+
+	return 0;
+}
+
+static lws_state_notify_link_t * const app_notifier_list[] = {
+	&nl, NULL
+};
+
+static void
+sigint_handler(int sig)
+{
+	interrupted = 1;
+}
+
+int main(int argc, const char **argv)
+{
+	struct lws_context_creation_info info;
+	struct lws_context *context;
+	const char *p;
+	int n = 0;
+
+	signal(SIGINT, sigint_handler);
+
+	memset(&info, 0, sizeof info);
+	lws_cmdline_option_handle_builtin(argc, argv, &info);
+
+	lwsl_user("LWS secure streams test client [-d<verb>]\n");
+
+	/* these options are mutually exclusive if given */
+
+	if (lws_cmdline_option(argc, argv, "--force-portal"))
+		force_cpd_fail_portal = 1;
+
+	if (lws_cmdline_option(argc, argv, "--force-no-internet"))
+		force_cpd_fail_no_internet = 1;
+
+	if ((p = lws_cmdline_option(argc, argv, "--timeout_ms")))
+		timeout_ms = atoi(p);
+
+	info.fd_limit_per_thread = 1 + 6 + 1;
+	info.port = CONTEXT_PORT_NO_LISTEN;
+#if defined(LWS_SS_USE_SSPC)
+	info.protocols = lws_sspc_protocols;
+	{
+		const char *p;
+
+		/* connect to ssproxy via UDS by default, else via
+		 * tcp connection to this port */
+		if ((p = lws_cmdline_option(argc, argv, "-p")))
+			info.ss_proxy_port = atoi(p);
+
+		/* UDS "proxy.ss.lws" in abstract namespace, else this socket
+		 * path; when -p given this can specify the network interface
+		 * to bind to */
+		if ((p = lws_cmdline_option(argc, argv, "-i")))
+			info.ss_proxy_bind = p;
+
+		/* if -p given, -a specifies the proxy address to connect to */
+		if ((p = lws_cmdline_option(argc, argv, "-a")))
+			info.ss_proxy_address = p;
+	}
+#else
+	info.pss_policies_json = default_ss_policy;
+	info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
+		       LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
+#endif
+#if defined(LWS_WITH_DETAILED_LATENCY)
+	info.detailed_latency_cb = lws_det_lat_plot_cb;
+	info.detailed_latency_filepath = "/tmp/lws-latency-ssproxy";
+#endif
+
+	/* integrate us with lws system state management when context created */
+
+	nl.name = "app";
+	nl.notify_cb = app_system_state_nf;
+	info.register_notifier_list = app_notifier_list;
+
+	/* create the context */
+
+	context = lws_create_context(&info);
+	if (!context) {
+		lwsl_err("lws init failed\n");
+		return 1;
+	}
+
+#if !defined(LWS_SS_USE_SSPC)
+	/*
+	 * If we're being a proxied client, the proxy does all this
+	 */
+
+	/*
+	 * Set the related lws_system blobs
+	 *
+	 * ...direct_set() sets a pointer, so the thing pointed to has to have
+	 * a suitable lifetime, eg, something that already exists on the heap or
+	 * a const string in .rodata like this
+	 */
+
+	lws_system_blob_direct_set(lws_system_get_blob(context,
+				   LWS_SYSBLOB_TYPE_DEVICE_SERIAL, 0),
+				   (const uint8_t *)"SN12345678", 10);
+	lws_system_blob_direct_set(lws_system_get_blob(context,
+				   LWS_SYSBLOB_TYPE_DEVICE_FW_VERSION, 0),
+				   (const uint8_t *)"v0.01", 5);
+
+	/*
+	 * ..._heap_append() appends to a buflist kind of arrangement on heap,
+	 * just one block is fine, otherwise it will concatenate the fragments
+	 * in the order they were appended (and take care of freeing them at
+	 * context destroy time). ..._heap_empty() is also available to remove
+	 * everything that was already allocated.
+	 *
+	 * Here we use _heap_append() just so it's tested as well as direct set.
+	 */
+
+	lws_system_blob_heap_append(lws_system_get_blob(context,
+				    LWS_SYSBLOB_TYPE_DEVICE_TYPE, 0),
+				   (const uint8_t *)"spacerocket", 11);
+#endif
+
+	/* the event loop */
+
+	while (n >= 0 && !interrupted)
+		n = lws_service(context, 0);
+
+	lws_context_destroy(context);
+
+	lwsl_user("Completed: %s\n", bad ? "failed" : "OK");
+
+	return bad;
+}

minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c

@@ -253,7 +253,9 @@ myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
 {
 	//myss_t *m = (myss_t *)userobj;
 
-	return 0;
+	/* in this example, we don't send stuff */
+
+	return LWSSSSRET_TX_DONT_SEND;
 }
 
 static int