diff --git a/include/libwebsockets/lws-secure-streams-client.h b/include/libwebsockets/lws-secure-streams-client.h index 64fb8cd42..47e686a54 100644 --- a/include/libwebsockets/lws-secure-streams-client.h +++ b/include/libwebsockets/lws-secure-streams-client.h @@ -45,6 +45,7 @@ #define lws_ss_create lws_sspc_create #define lws_ss_destroy lws_sspc_destroy #define lws_ss_request_tx lws_sspc_request_tx +#define lws_ss_request_tx_len lws_sspc_request_tx_len #define lws_ss_client_connect lws_sspc_client_connect #define lws_ss_get_sequencer lws_sspc_get_sequencer #define lws_ss_proxy_create lws_sspc_proxy_create @@ -64,8 +65,8 @@ struct lws_sspc_handle; LWS_VISIBLE LWS_EXTERN int lws_sspc_create(struct lws_context *context, int tsi, const lws_ss_info_t *ssi, - void *opaque_user_data, struct lws_sspc_handle **ppss, - struct lws_sequencer *seq_owner, const char **ppayload_fmt); + void *opaque_user_data, struct lws_sspc_handle **ppss, + struct lws_sequencer *seq_owner, const char **ppayload_fmt); /** * lws_sspc_destroy() - Destroy secure stream @@ -89,6 +90,26 @@ lws_sspc_destroy(struct lws_sspc_handle **ppss); LWS_VISIBLE LWS_EXTERN void lws_sspc_request_tx(struct lws_sspc_handle *pss); +/** + * lws_sspc_request_tx_len() - Schedule stream for tx with length hint + * + * \param h: pointer to handle representing stream that wants to transmit + * \param len: the length of the write in bytes + * + * Schedules a write on the stream represented by \p pss. When it's possible to + * write on this stream, the *tx callback will occur with an empty buffer for + * the stream owner to fill in. + * + * This api variant should be used when it's possible the payload will go out + * over h1 with x-web-form-urlencoded or similar Content-Type. + * + * The serialized, sspc type api actually serializes and forwards the length + * hint to its upstream proxy, where it's available for use to produce the + * internet-capable protocol framing. + */ +LWS_VISIBLE LWS_EXTERN void +lws_sspc_request_tx_len(struct lws_sspc_handle *h, unsigned long len); + /** * lws_sspc_client_connect() - Attempt the client connect * diff --git a/include/libwebsockets/lws-secure-streams.h b/include/libwebsockets/lws-secure-streams.h index 2972c0080..05b9043d5 100644 --- a/include/libwebsockets/lws-secure-streams.h +++ b/include/libwebsockets/lws-secure-streams.h @@ -100,6 +100,11 @@ * - 1: 2-byte MSB-first rest-of-frame length 00, 04 * - 3: 4-byte MSB-first unsigned 32-bit timeout, 0 = use policy, -1 = cancel * + * - Passing up payload length hint + * + * - 0: LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT + * - 1: 2-byte MSB-first rest-of-frame length 00, 04 + * - 3: 4-byte MSB-first unsigned 32-bit payload length hint * * Proxy to client * @@ -233,6 +238,7 @@ enum { LWSSS_SER_TXPRE_METADATA, LWSSS_SER_TXPRE_TXCR_UPDATE, LWSSS_SER_TXPRE_TIMEOUT_UPDATE, + LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT, LWSSS_SER_TXPRE_TLSNEG_ENCLAVE_SIGNED, }; diff --git a/lib/secure-streams/private-lib-secure-streams.h b/lib/secure-streams/private-lib-secure-streams.h index a6af660c3..eeef89731 100644 --- a/lib/secure-streams/private-lib-secure-streams.h +++ b/lib/secure-streams/private-lib-secure-streams.h @@ -269,6 +269,8 @@ typedef struct lws_sspc_handle { lws_usec_t us_earliest_write_req; + unsigned long writeable_len; + lws_ss_conn_states_t state; uint32_t timeout_ms; diff --git a/lib/secure-streams/secure-streams-client.c b/lib/secure-streams/secure-streams-client.c index 45f154fae..f0a54e1e4 100644 --- a/lib/secure-streams/secure-streams-client.c +++ b/lib/secure-streams/secure-streams-client.c @@ -248,30 +248,49 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason, cp = p; n = lws_sspc_serialize_metadata(md, p); - /* in case anything else to write */ - lws_callback_on_writable(h->cwsi); + lwsl_debug("%s: (local_conn) metadata\n", __func__); + goto req_write_and_issue; + } + + if (h->pending_writeable_len) { + lwsl_debug("%s: (local_conn) PAYLOAD_LENGTH_HINT %u\n", + __func__, (unsigned int)h->writeable_len); + s[0] = LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT; + lws_ser_wu16be(&s[1], 4); + lws_ser_wu32be(&s[3], h->writeable_len); + h->pending_writeable_len = 0; + n = 7; + goto req_write_and_issue; + } + + if (h->conn_req_state >= LWSSSPC_ONW_ONGOING) { + lwsl_info("%s: conn_req_state %d\n", __func__, + h->conn_req_state); break; } + lwsl_info("%s: (local_conn) onward connect\n", __func__); + + h->conn_req_state = LWSSSPC_ONW_ONGOING; - h->conn_req = 0; s[0] = LWSSS_SER_TXPRE_ONWARD_CONNECT; s[1] = 0; s[2] = 0; n = 3; break; - case LPCS_OPERATIONAL: + case LPCSCLI_OPERATIONAL: + + lwsl_notice("%s: LPCSCLI_OPERATIONAL\n", __func__); /* - * Do we want to adjust the peer's ability to write - * to us? - */ - - /* - * Do we need to prioritize sending any metadata - * changes? + * + * - Do we need to prioritize sending any metadata + * changes? (includes txcr updates) + * + * - Do we need to forward a hint about the payload + * length? */ if (h->metadata_owner.count) { @@ -282,12 +301,19 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason, cp = p; n = lws_sspc_serialize_metadata(md, p); - /* in case anything else to write */ - lws_callback_on_writable(h->cwsi); - - break; + goto req_write_and_issue; } + if (h->pending_writeable_len) { + lwsl_info("%s: PAYLOAD_LENGTH_HINT %u\n", + __func__, (unsigned int)h->writeable_len); + s[0] = LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT; + lws_ser_wu16be(&s[1], 4); + lws_ser_wu32be(&s[3], h->writeable_len); + h->pending_writeable_len = 0; + n = 7; + goto req_write_and_issue; + } /* we can't write anything if we don't have credit */ if (!h->ignore_txc && h->txc.tx_cr <= 0) { @@ -328,6 +354,8 @@ callback_sspc_client(struct lws *wsi, enum lws_callback_reasons reason, break; } +do_write_nz: + if (!n) break; @@ -350,6 +378,11 @@ hangup: lwsl_warn("hangup\n"); /* hang up on him */ return -1; + +req_write_and_issue: + /* in case anything else to write */ + lws_callback_on_writable(h->cwsi); + goto do_write_nz; } const struct lws_protocols lws_sspc_protocols[] = { @@ -484,17 +517,72 @@ lws_sspc_request_tx(lws_sspc_handle_t *h) if (!h->us_earliest_write_req) h->us_earliest_write_req = lws_now_usecs(); + if (h->state == LPCSCLI_LOCAL_CONNECTED && + h->conn_req_state == LWSSSPC_ONW_NONE) + h->conn_req_state = LWSSSPC_ONW_REQ; + + lws_callback_on_writable(h->cwsi); +} + +/* + * Currently we fulfil the writeable part locally by just enabling POLLOUT on + * the UDS link, without serialization footprint, which is reasonable as far as + * it goes. + * + * But for the ..._len() variant, the expected payload length hint we are being + * told is something that must be serialized to the onward peer, since either + * that guy or someone upstream of him is the guy who will compose the framing + * with it that actually goes out. + * + * This information is needed at the upstream guy before we have sent any + * payload, eg, for http POST, he has to prepare the content-length in the + * headers, before any payload. So we have to issue a serialization of the + * length at this point. + */ + +void +lws_sspc_request_tx_len(lws_sspc_handle_t *h, unsigned long len) +{ + /* + * for client conns, they cannot even complete creation of the handle + * without the onwared connection to the proxy, it's not legal to start + * using it until it's operation and has the onward connection (and has + * called CREATED state) + */ + + if (!h) + return; + + lwsl_notice("%s: setting h %p writeable_len %u\n", __func__, h, + (unsigned int)len); + h->writeable_len = len; + h->pending_writeable_len = 1; + + if (!h->us_earliest_write_req) + h->us_earliest_write_req = lws_now_usecs(); + + if (h->state == LPCSCLI_LOCAL_CONNECTED && + h->conn_req_state == LWSSSPC_ONW_NONE) + h->conn_req_state = LWSSSPC_ONW_REQ; + + /* + * We're going to use this up with serializing h->writeable_len... that + * will request again. + */ + lws_callback_on_writable(h->cwsi); } int lws_sspc_client_connect(lws_sspc_handle_t *h) { - if (!h || h->state == LPCS_OPERATIONAL) + if (!h || h->state == LPCSCLI_OPERATIONAL) return 0; - assert(h->state == LPCS_LOCAL_CONNECTED); - h->conn_req = 1; + assert(h->state == LPCSCLI_LOCAL_CONNECTED); + if (h->state == LPCSCLI_LOCAL_CONNECTED && + h->conn_req_state == LWSSSPC_ONW_NONE) + h->conn_req_state = LWSSSPC_ONW_REQ; if (h->cwsi) lws_callback_on_writable(h->cwsi); diff --git a/lib/secure-streams/secure-streams-serialize.c b/lib/secure-streams/secure-streams-serialize.c index 24bb91180..9a1d61d75 100644 --- a/lib/secure-streams/secure-streams-serialize.c +++ b/lib/secure-streams/secure-streams-serialize.c @@ -74,6 +74,8 @@ typedef enum { RPAR_TIMEOUT0, + RPAR_PAYLEN0, + RPAR_RESULT_CREATION, RPAR_STATEINDEX, @@ -392,6 +394,15 @@ lws_ss_deserialize_parse(struct lws_ss_serialization_parser *par, par->ctr = 0; break; + case LWSSS_SER_TXPRE_PAYLOAD_LENGTH_HINT: + if (client) + goto hangup; + if (par->rem != 4) + goto hangup; + par->ps = RPAR_PAYLEN0; + par->ctr = 0; + break; + /* client side */ case LWSSS_SER_RXPRE_RX_PAYLOAD: @@ -727,6 +738,29 @@ payload_ff: par->ps = RPAR_TYPE; break; + case RPAR_PAYLEN0: + /* + * It's the length from lws_ss_request_tx_len() being + * passed up to us + */ + par->temp32 = (par->temp32 << 8) | *cp++; + if (++par->ctr < 4) { + if (!--par->rem) + goto hangup; + break; + } + + if (--par->rem) + goto hangup; + + lwsl_notice("%s: set payload len %u\n", __func__, + par->temp32); + + lws_ss_request_tx_len(*pss, par->temp32); + + par->ps = RPAR_TYPE; + break; + case RPAR_METADATA_NAMELEN: if (!--par->rem) goto hangup; diff --git a/lib/secure-streams/secure-streams.c b/lib/secure-streams/secure-streams.c index 24fe673ea..597730f0e 100644 --- a/lib/secure-streams/secure-streams.c +++ b/lib/secure-streams/secure-streams.c @@ -947,10 +947,14 @@ lws_ss_request_tx(lws_ss_handle_t *h) void lws_ss_request_tx_len(lws_ss_handle_t *h, unsigned long len) { - if (h->wsi) + if (h->wsi && + (h->policy->protocol == LWSSSP_H1 || + h->policy->protocol == LWSSSP_H2 || + h->policy->protocol == LWSSSP_WS)) h->wsi->http.writeable_len = len; else h->writeable_len = len; + lws_ss_request_tx(h); } diff --git a/minimal-examples/secure-streams/minimal-secure-streams-post/CMakeLists.txt b/minimal-examples/secure-streams/minimal-secure-streams-post/CMakeLists.txt new file mode 100644 index 000000000..c0bd62c7d --- /dev/null +++ b/minimal-examples/secure-streams/minimal-secure-streams-post/CMakeLists.txt @@ -0,0 +1,47 @@ +project(lws-minimal-secure-streams-post C) +cmake_minimum_required(VERSION 2.8) +find_package(libwebsockets CONFIG REQUIRED) +list(APPEND CMAKE_MODULE_PATH ${LWS_CMAKE_DIR}) +include(CheckCSourceCompiles) +include(LwsCheckRequirements) + +set(SAMP lws-minimal-secure-streams-post) + +set(requirements 1) +require_lws_config(LWS_ROLE_H1 1 requirements) +require_lws_config(LWS_WITHOUT_CLIENT 0 requirements) +require_lws_config(LWS_WITH_SECURE_STREAMS 1 requirements) +require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements) +require_lws_config(LWS_WITH_SYS_STATE 1 requirements) + +if (requirements) + add_executable(${SAMP} minimal-secure-streams-post.c) + + if (LWS_CTEST_INTERNET_AVAILABLE) + add_test(NAME sspost-warmcat COMMAND lws-minimal-secure-streams-post) + set_tests_properties(sspost-warmcat + PROPERTIES + WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/secure-streams/minimal-secure-streams-post + TIMEOUT 20) + endif() + + if (websockets_shared) + target_link_libraries(${SAMP} websockets_shared ${LIBWEBSOCKETS_DEP_LIBS}) + add_dependencies(${SAMP} websockets_shared) + else() + target_link_libraries(${SAMP} websockets ${LIBWEBSOCKETS_DEP_LIBS}) + endif() + + if (LWS_WITH_SECURE_STREAMS_PROXY_API) + add_compile_options(-DLWS_SS_USE_SSPC) + + add_executable(${SAMP}-client minimal-secure-streams-post.c) + if (websockets_shared) + target_link_libraries(${SAMP}-client websockets_shared ${LIBWEBSOCKETS_DEP_LIBS}) + add_dependencies(${SAMP}-client websockets_shared) + else() + target_link_libraries(${SAMP}-client websockets ${LIBWEBSOCKETS_DEP_LIBS}) + endif() + endif() + +endif() diff --git a/minimal-examples/secure-streams/minimal-secure-streams-post/README.md b/minimal-examples/secure-streams/minimal-secure-streams-post/README.md new file mode 100644 index 000000000..cb9b3b360 --- /dev/null +++ b/minimal-examples/secure-streams/minimal-secure-streams-post/README.md @@ -0,0 +1,66 @@ +# lws minimal secure streams + +The application goes to https://warmcat.com and reads index.html there. + +It does it using Secure Streams... the main code in minimal-secure-streams.c +just sets up the context and opens a secure stream of type "mintest". + +The handler for state changes and payloads for "mintest" is in ss-myss.c + +The information about how a "mintest" stream should connect and the +protocol it uses is kept separated in policy-database.c + +## build + +``` + $ cmake . && make +``` + +## usage + +Commandline option|Meaning +---|--- +-d |Debug verbosity in decimal, eg, -d15 +-f| Force connecting to the wrong endpoint to check backoff retry flow +-p| Run as proxy server for clients to connect to over unix domain socket +--force-portal|Force the SS Captive Portal Detection to feel it's behind a portal +--force-no-internet|Force the SS Captive Portal Detection to feel it can't reach the internet + +``` +[2019/08/12 07:16:11:0045] USR: LWS minimal secure streams [-d] [-f] +[2019/08/12 07:16:12:6102] USR: myss_state: LWSSSCS_CREATING, ord 0x0 +[2019/08/12 07:16:12:6107] USR: myss_state: LWSSSCS_POLL, ord 0x0 +[2019/08/12 07:16:12:6117] N: lws_ss_client_connect: connecting h1get warmcat.com / +[2019/08/12 07:16:12:6118] USR: myss_state: LWSSSCS_CONNECTING, ord 0x0 +[2019/08/12 07:16:13:4171] USR: myss_state: LWSSSCS_CONNECTED, ord 0x0 +[2019/08/12 07:16:13:4222] USR: myss_rx: len 1024, flags: 1 +[2019/08/12 07:16:13:4243] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4244] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4244] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4245] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4246] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4247] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4252] USR: myss_rx: len 1015, flags: 0 +[2019/08/12 07:16:13:4264] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4265] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4266] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4267] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4268] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4268] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4269] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4270] USR: myss_rx: len 1015, flags: 0 +[2019/08/12 07:16:13:4278] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4279] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4280] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4281] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4282] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4283] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4283] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4284] USR: myss_rx: len 1015, flags: 0 +[2019/08/12 07:16:13:4287] USR: myss_rx: len 1024, flags: 0 +[2019/08/12 07:16:13:4288] USR: myss_rx: len 947, flags: 0 +[2019/08/12 07:16:13:4293] USR: myss_rx: len 0, flags: 2 +[2019/08/12 07:16:13:4399] USR: myss_state: LWSSSCS_DISCONNECTED, ord 0x0 +[2019/08/12 07:16:13:4761] USR: myss_state: LWSSSCS_DESTROYING, ord 0x0 +[2019/08/12 07:16:13:4781] USR: Completed: OK +``` diff --git a/minimal-examples/secure-streams/minimal-secure-streams-post/minimal-secure-streams-post.c b/minimal-examples/secure-streams/minimal-secure-streams-post/minimal-secure-streams-post.c new file mode 100644 index 000000000..d112ee24b --- /dev/null +++ b/minimal-examples/secure-streams/minimal-secure-streams-post/minimal-secure-streams-post.c @@ -0,0 +1,520 @@ +/* + * lws-minimal-secure-streams-post + * + * Written in 2010-2020 by Andy Green + * + * This file is made available under the Creative Commons CC0 1.0 + * Universal Public Domain Dedication. + * + * + * This demonstrates a minimal http client using secure streams api. + * + * It visits https://warmcat.com/ and receives the html page there. + * + * This example is built two different ways from the same source... one includes + * the policy everything needed to fulfil the stream directly. The other -client + * variant has no policy itself and some other minor init changes, and connects + * to the -proxy example to actually get the connection done. + * + * In the -client build case, the example does not even init the tls libraries + * since the proxy part will take care of all that. + */ + +#include +#include +#include + +/* + * uncomment to force network traffic through 127.0.0.1:1080 + * + * On your local machine, you can run a SOCKS5 proxy like this + * + * $ ssh -N -D 0.0.0.0:1080 localhost -v + * + * If enabled, this also fetches a remote policy that also + * specifies that all traffic should go through the remote + * proxy. + */ +// #define VIA_LOCALHOST_SOCKS + +static int interrupted, bad = 1, force_cpd_fail_portal, + force_cpd_fail_no_internet; +static unsigned int timeout_ms = 3000; +static lws_state_notify_link_t nl; + +static const char * const postbody = + "--boundary\r\n" + "Content-Disposition: form-data; name=\"text\"\r\n" + "\r\n" + "value1\r\n" + "--boundary\r\n" + "Content-Disposition: form-data; " + "name=\"field2\"; filename=\"example.txt\"\r\n" + "\r\n" + "value2\r\n" + "--boundary--\r\n"; + +#define POSTBODY_SIZE strlen(postbody) + +/* + * If the -proxy app is fulfilling our connection, then we don't need to have + * the policy in the client. + * + * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over + * a Unix Domain Socket. To test that, you need to separately run the + * ./lws-minimal-secure-streams-proxy test app on the same machine. + */ + +#if !defined(LWS_SS_USE_SSPC) +static const char * const default_ss_policy = + "{" + "\"release\":" "\"01234567\"," + "\"product\":" "\"myproduct\"," + "\"schema-version\":" "1," +#if defined(VIA_LOCALHOST_SOCKS) + "\"via-socks5\":" "\"127.0.0.1:1080\"," +#endif + + "\"retry\": [" /* named backoff / retry strategies */ + "{\"default\": {" + "\"backoff\": [" "1000," + "2000," + "3000," + "5000," + "10000" + "]," + "\"conceal\":" "5," + "\"jitterpc\":" "20," + "\"svalidping\":" "30," + "\"svalidhup\":" "35" + "}}" + "]," + "\"certs\": [" /* named individual certificates in BASE64 DER */ + /* + * Let's Encrypt certs for warmcat.com / libwebsockets.org + * + * We fetch the real policy from there using SS and switch to + * using that. + */ + "{\"isrg_root_x1\": \"" /* ISRG ROOT X1 */ + "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw" + "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh" + "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4" + "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu" + "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY" + "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc" + "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+" + "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U" + "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW" + "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH" + "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC" + "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv" + "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn" + "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn" + "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw" + "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI" + "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV" + "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq" + "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL" + "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ" + "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK" + "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5" + "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur" + "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC" + "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc" + "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq" + "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA" + "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d" + "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" + "\"}," + "{\"LEX3_isrg_root_x1\": \"" /* LE X3 signed by ISRG X1 root */ + "MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw" + "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh" + "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1" + "WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg" + "RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi" + "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX" + "NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf" + "89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl" + "Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc" + "Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz" + "uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB" + "AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU" + "BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB" + "FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo" + "SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js" + "LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF" + "BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG" + "AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD" + "VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB" + "ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx" + "A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM" + "UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2" + "DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1" + "eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu" + "OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw" + "p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY" + "2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0" + "ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR" + "PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b" + "rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt" + "\"}" + "]," + "\"trust_stores\": [" /* named cert chains */ + "{" + "\"name\": \"le_via_isrg\"," + "\"stack\": [" + "\"isrg_root_x1\"," + "\"LEX3_isrg_root_x1\"" + "]" + "}" + "]," + "\"s\": [" + /* + * "fetch_policy" decides from where the real policy + * will be fetched, if present. Otherwise the initial + * policy is treated as the whole, hardcoded, policy. + */ + "{\"fetch_policy\": {" + "\"endpoint\":" "\"warmcat.com\"," + "\"port\":" "443," + "\"protocol\":" "\"h1\"," + "\"http_method\":" "\"GET\"," +#if defined(VIA_LOCALHOST_SOCKS) + "\"http_url\":" "\"policy/minimal-proxy-socks.json\"," +#else + "\"http_url\":" "\"policy/minimal-proxy.json\"," +#endif + "\"tls\":" "true," + "\"opportunistic\":" "true," + "\"retry\":" "\"default\"," + "\"tls_trust_store\":" "\"le_via_isrg\"" + "}},{" + /* + * "captive_portal_detect" describes + * what to do in order to check if the path to + * the Internet is being interrupted by a + * captive portal. If there's a larger policy + * fetched from elsewhere, it should also include + * this since it needs to be done at least after + * every DHCP acquisition + */ + "\"captive_portal_detect\": {" + "\"endpoint\": \"connectivitycheck.android.com\"," + "\"http_url\": \"generate_204\"," + "\"port\": 80," + "\"protocol\": \"h1\"," + "\"http_method\": \"GET\"," + "\"opportunistic\": true," + "\"http_expect\": 204," + "\"http_fail_redirect\": true" + "}}" + "]}" +; + +#endif + +typedef struct myss { + struct lws_ss_handle *ss; + void *opaque_data; + /* ... application specific state ... */ + lws_sorted_usec_list_t sul; +} myss_t; + +#if !defined(LWS_SS_USE_SSPC) + +static const char *canned_root_token_payload = + "grant_type=refresh_token" + "&refresh_token=Atzr|IwEBIJedGXjDqsU_vMxykqOMg" + "SHfYe3CPcedueWEMWSDMaDnEmiW8RlR1Kns7Cb4B-TOSnqp7ifVsY4BMY2B8tpHfO39XP" + "zfu9HapGjTR458IyHX44FE71pWJkGZ79uVBpljP4sazJuk8XS3Oe_yLnm_DIO6fU1nU3Y" + "0flYmsOiOAQE_gRk_pdlmEtHnpMA-9rLw3mkY5L89Ty9kUygBsiFaYatouROhbsTn8-jW" + "k1zZLUDpT6ICtBXSnrCIg0pUbZevPFhTwdXd6eX-u4rq0W-XaDvPWFO7au-iPb4Zk5eZE" + "iX6sissYrtNmuEXc2uHu7MnQO1hHCaTdIO2CANVumf-PHSD8xseamyh04sLV5JgFzY45S" + "KvKMajiUZuLkMokOx86rjC2Hdkx5DO7G-dbG1ufBDG-N79pFMSs7Ck5pc283IdLoJkCQc" + "AGvTX8o8I29QqkcGou-9TKhOJmpX8As94T61ok0UqqEKPJ7RhfQHHYdCtsdwxgvfVr9qI" + "xL_hDCcTho8opCVX-6QhJHl6SQFlTw13" + "&client_id=" + "amzn1.application-oa2-client.4823334c434b4190a2b5a42c07938a2d"; + +#endif + +/* secure streams payload interface */ + +static int +myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags) +{ +// myss_t *m = (myss_t *)userobj; + + lwsl_user("%s: len %d, flags: %d\n", __func__, (int)len, flags); + lwsl_hexdump_info(buf, len); + + /* + * If we received the whole message, for our example it means + * we are done. + */ + if (flags & LWSSS_FLAG_EOM) { + bad = 0; + interrupted = 1; + } + + return 0; +} + +static int +myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len, + int *flags) +{ + // myss_t *m = (myss_t *)userobj; + + /* + * A more flexible solution would send incrementally tracking the + * status in members in m above. + */ + + if (*len < POSTBODY_SIZE) + return LWSSSSRET_TX_DONT_SEND; + + *flags = LWSSS_FLAG_SOM | LWSSS_FLAG_EOM; + + memcpy(buf, postbody, strlen(postbody)); + *len = POSTBODY_SIZE; + + return 0; +} + +static int +myss_state(void *userobj, void *sh, lws_ss_constate_t state, + lws_ss_tx_ordinal_t ack) +{ + myss_t *m = (myss_t *)userobj; + + lwsl_user("%s: h %p, %s, ord 0x%x\n", __func__, m->ss, + lws_ss_state_name(state), (unsigned int)ack); + + switch (state) { + case LWSSSCS_CREATING: + + /* + * CREATING is only coming after we have asked the upstream + * proxy to create the stream and it has been allowed. + */ + + lws_ss_set_metadata(m->ss, "ctype", + "multipart/form-data;boundary=\"boundary\"", + 39); + + /* provide a hint about the payload size */ + lws_ss_request_tx_len(m->ss, strlen(postbody)); + break; + case LWSSSCS_CONNECTED: + lws_ss_request_tx(m->ss); + break; + case LWSSSCS_ALL_RETRIES_FAILED: + /* if we're out of retries, we want to close the app and FAIL */ + interrupted = 1; + break; + case LWSSSCS_QOS_ACK_REMOTE: + lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__); + break; + + case LWSSSCS_TIMEOUT: + lwsl_notice("%s: LWSSSCS_TIMEOUT\n", __func__); + break; + default: + break; + } + + return 0; +} + +static int +app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link, + int current, int target) +{ + struct lws_context *context = lws_system_context_from_system_mgr(mgr); +#if !defined(LWS_SS_USE_SSPC) + + lws_system_blob_t *ab = lws_system_get_blob(context, + LWS_SYSBLOB_TYPE_AUTH, 1 /* AUTH_IDX_ROOT */); + size_t size; +#endif + + /* + * For the things we care about, let's notice if we are trying to get + * past them when we haven't solved them yet, and make the system + * state wait while we trigger the dependent action. + */ + switch (target) { + +#if !defined(LWS_SS_USE_SSPC) + + case LWS_SYSTATE_REGISTERED: + size = lws_system_blob_get_size(ab); + if (size) + break; + + /* let's register our canned root token so auth can use it */ + lws_system_blob_direct_set(ab, + (const uint8_t *)canned_root_token_payload, + strlen(canned_root_token_payload)); + break; + +#endif + + case LWS_SYSTATE_OPERATIONAL: + if (current == LWS_SYSTATE_OPERATIONAL) { + lws_ss_info_t ssi; + + /* We're making an outgoing secure stream ourselves */ + + memset(&ssi, 0, sizeof(ssi)); + ssi.handle_offset = offsetof(myss_t, ss); + ssi.opaque_user_data_offset = offsetof(myss_t, + opaque_data); + ssi.rx = myss_rx; + ssi.tx = myss_tx; + ssi.state = myss_state; + ssi.user_alloc = sizeof(myss_t); + ssi.streamtype = "minpost"; + + if (lws_ss_create(context, 0, &ssi, NULL, NULL, + NULL, NULL)) { + lwsl_err("%s: failed to create secure stream\n", + __func__); + return -1; + } + } + break; + } + + return 0; +} + +static lws_state_notify_link_t * const app_notifier_list[] = { + &nl, NULL +}; + +static void +sigint_handler(int sig) +{ + interrupted = 1; +} + +int main(int argc, const char **argv) +{ + struct lws_context_creation_info info; + struct lws_context *context; + const char *p; + int n = 0; + + signal(SIGINT, sigint_handler); + + memset(&info, 0, sizeof info); + lws_cmdline_option_handle_builtin(argc, argv, &info); + + lwsl_user("LWS secure streams test client [-d]\n"); + + /* these options are mutually exclusive if given */ + + if (lws_cmdline_option(argc, argv, "--force-portal")) + force_cpd_fail_portal = 1; + + if (lws_cmdline_option(argc, argv, "--force-no-internet")) + force_cpd_fail_no_internet = 1; + + if ((p = lws_cmdline_option(argc, argv, "--timeout_ms"))) + timeout_ms = atoi(p); + + info.fd_limit_per_thread = 1 + 6 + 1; + info.port = CONTEXT_PORT_NO_LISTEN; +#if defined(LWS_SS_USE_SSPC) + info.protocols = lws_sspc_protocols; + { + const char *p; + + /* connect to ssproxy via UDS by default, else via + * tcp connection to this port */ + if ((p = lws_cmdline_option(argc, argv, "-p"))) + info.ss_proxy_port = atoi(p); + + /* UDS "proxy.ss.lws" in abstract namespace, else this socket + * path; when -p given this can specify the network interface + * to bind to */ + if ((p = lws_cmdline_option(argc, argv, "-i"))) + info.ss_proxy_bind = p; + + /* if -p given, -a specifies the proxy address to connect to */ + if ((p = lws_cmdline_option(argc, argv, "-a"))) + info.ss_proxy_address = p; + } +#else + info.pss_policies_json = default_ss_policy; + info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS | + LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT; +#endif +#if defined(LWS_WITH_DETAILED_LATENCY) + info.detailed_latency_cb = lws_det_lat_plot_cb; + info.detailed_latency_filepath = "/tmp/lws-latency-ssproxy"; +#endif + + /* integrate us with lws system state management when context created */ + + nl.name = "app"; + nl.notify_cb = app_system_state_nf; + info.register_notifier_list = app_notifier_list; + + /* create the context */ + + context = lws_create_context(&info); + if (!context) { + lwsl_err("lws init failed\n"); + return 1; + } + +#if !defined(LWS_SS_USE_SSPC) + /* + * If we're being a proxied client, the proxy does all this + */ + + /* + * Set the related lws_system blobs + * + * ...direct_set() sets a pointer, so the thing pointed to has to have + * a suitable lifetime, eg, something that already exists on the heap or + * a const string in .rodata like this + */ + + lws_system_blob_direct_set(lws_system_get_blob(context, + LWS_SYSBLOB_TYPE_DEVICE_SERIAL, 0), + (const uint8_t *)"SN12345678", 10); + lws_system_blob_direct_set(lws_system_get_blob(context, + LWS_SYSBLOB_TYPE_DEVICE_FW_VERSION, 0), + (const uint8_t *)"v0.01", 5); + + /* + * ..._heap_append() appends to a buflist kind of arrangement on heap, + * just one block is fine, otherwise it will concatenate the fragments + * in the order they were appended (and take care of freeing them at + * context destroy time). ..._heap_empty() is also available to remove + * everything that was already allocated. + * + * Here we use _heap_append() just so it's tested as well as direct set. + */ + + lws_system_blob_heap_append(lws_system_get_blob(context, + LWS_SYSBLOB_TYPE_DEVICE_TYPE, 0), + (const uint8_t *)"spacerocket", 11); +#endif + + /* the event loop */ + + while (n >= 0 && !interrupted) + n = lws_service(context, 0); + + lws_context_destroy(context); + + lwsl_user("Completed: %s\n", bad ? "failed" : "OK"); + + return bad; +} diff --git a/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c b/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c index 0e579a127..4a79881e1 100644 --- a/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c +++ b/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c @@ -253,7 +253,9 @@ myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len, { //myss_t *m = (myss_t *)userobj; - return 0; + /* in this example, we don't send stuff */ + + return LWSSSSRET_TX_DONT_SEND; } static int