diff --git a/lib/core-net/connect.c b/lib/core-net/connect.c index 384e90ca9..6d951ae3d 100644 --- a/lib/core-net/connect.c +++ b/lib/core-net/connect.c @@ -328,30 +328,26 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i) wsi->tls.ssl = NULL; if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { + const char *cce = NULL; - /* we can retry this... just cook the SSL BIO the first time */ - - if (lws_ssl_client_bio_create(wsi) < 0) { - lwsl_err("%s: bio_create failed\n", __func__); + switch ( +#if !defined(LWS_WITH_SYS_ASYNC_DNS) + lws_client_create_tls(wsi, &cce, 1) +#else + lws_client_create_tls(wsi, &cce, 0) +#endif + ) { + case 1: + return wsi; + case 0: + break; + default: goto bail3; } - -#if !defined(LWS_WITH_SYS_ASYNC_DNS) - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - n = lws_ssl_client_connect1(wsi); - if (!n) - return wsi; - if (n < 0) { - lwsl_err("%s: lws_ssl_client_connect1 failed\n", __func__); - goto bail3; - } - } -#endif } - +#endif /* fallthru */ -#endif lws_http_client_connect_via_info2(wsi); } diff --git a/lib/roles/http/client/client-handshake.c b/lib/roles/http/client/client-handshake.c index 7cefff282..780c97bce 100644 --- a/lib/roles/http/client/client-handshake.c +++ b/lib/roles/http/client/client-handshake.c @@ -190,9 +190,9 @@ send_hs: lwsl_info("%s: wsi %p: waiting to send hdrs (par state 0x%x)\n", __func__, wsi, lwsi_state(wsi_piggyback)); } else { - lwsl_info("%s: wsi %p: %s %s client created own conn (raw %d) vh %s\n", + lwsl_info("%s: wsi %p: %s %s client created own conn (raw %d) vh %sm st 0x%x\n", __func__, wsi, wsi->role_ops->name, - wsi->protocol->name, rawish, wsi->vhost->name); + wsi->protocol->name, rawish, wsi->vhost->name, lwsi_state(wsi)); /* we are making our own connection */ 
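Review bot: The failure reason that lws_client_create_tls() writes into `cce` is never reported: the `default:` arm jumps straight to bail3, and `cce` is declared inside this `if` block so bail3 cannot see it, which means the two lwsl_err() calls the hunk removes have no replacement. Add `lwsl_err("%s: %s\n", __func__, cce);` before `goto bail3;`. The LWS_WITH_SYS_ASYNC_DNS variant also passes do_c1 = 0, and with that argument lws_client_create_tls() only returns 0 or -1, so `case 1: return wsi;` is unreachable there; the same two observations apply to the `switch (lws_client_create_tls(wsi, &cce, 0))` hunk in lib/roles/mqtt/client/client-mqtt.c, whose `case 1: return 0;` is likewise dead and whose `default: goto bail3;` also drops `cce` without logging it. bail3 lies outside both hunks, so whether it reports the failure some other way cannot be confirmed from here.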
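Review bot: The new format string reads `vh %sm st 0x%x`, so the log line prints the vhost name followed by a stray `m`; the intended text is presumably `vh %s st 0x%x`. Suggested line: `lwsl_info("%s: wsi %p: %s %s client created own conn (raw %d) vh %s st 0x%x\n",`. The argument list on the following line already matches the corrected specifier count.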
@@ -203,32 +203,30 @@ send_hs: if (lwsi_state(wsi) == LRS_WAITING_CONNECT && (wsi->tls.use_ssl & LCCSCF_USE_SSL)) { - if (!wsi->transaction_from_pipeline_queue && - lws_tls_restrict_borrow(wsi->context)) { - cce = "tls restriction limit"; - goto failed; - } + /* we can retry this... just cook the SSL BIO the first time */ - if (lws_ssl_client_bio_create(wsi) < 0) { - lwsl_err("%s: bio_create failed\n", __func__); + switch (lws_client_create_tls(wsi, &cce, 1)) { + case 0: + break; + case 1: + return wsi; + default: goto failed; } -//#if !defined(LWS_WITH_SYS_ASYNC_DNS) - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - n = lws_ssl_client_connect1(wsi); - if (!n) - return wsi; - if (n < 0) { - lwsl_err("%s: lws_ssl_client_connect1 failed\n", __func__); - goto failed; - } - } -//#endif - lwsi_set_state(wsi, LRS_WAITING_SSL); + + lwsl_notice("%s: wsi %p: st 0x%x\n", + __func__, wsi, lwsi_state(wsi)); + + if (lwsi_state(wsi) == LRS_WAITING_CONNECT) + lwsi_set_state(wsi, LRS_H1C_ISSUE_HANDSHAKE2); + lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND, + wsi->context->timeout_secs); + + //if () return wsi; } #endif @@ -239,17 +237,6 @@ send_hs: /* for a method = "RAW" connection, this makes us * established */ -#if 0 -#if defined(LWS_WITH_SYS_ASYNC_DNS) - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - n = lws_ssl_client_connect1(wsi); - if (n < 0) { - lwsl_err("%s: lws_ssl_client_connect1 failed\n", __func__); - goto failed; - } - } -#endif -#endif /* clear his established timeout */ lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0); diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index cba95eeed..b5c9d9350 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c 
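Review bot: `//if () return wsi;` at the end of the TLS block is a commented-out fragment left over from debugging and should be removed, and the `lwsl_notice("%s: wsi %p: st 0x%x\n", ...)` above it logs every client connection's state at notice level, which is louder than the surrounding `lwsl_info` calls; `lwsl_info` or `lwsl_debug` would fit. The retained comment `/* we can retry this... just cook the SSL BIO the first time */` now describes logic that moved into lws_client_create_tls(); reword it to explain the switch arms instead, e.g. `/* 0: tls ready, continue; 1: handshake pending, return; <0: failed, cce set */`. The enclosing function continues outside the hunk.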
@@ -24,6 +24,68 @@ #include "private-lib-core.h" +#if defined(LWS_WITH_TLS) +int +lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1) +{ + int n; + + /* we can retry this... just cook the SSL BIO the first time */ + + if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { + + if (!wsi->tls.ssl) { + if (lws_ssl_client_bio_create(wsi) < 0) { + *pcce = "bio_create failed"; + return -1; + } + + if (!wsi->transaction_from_pipeline_queue && + lws_tls_restrict_borrow(wsi->context)) { + *pcce = "tls restriction limit"; + return -1; + } + } + + if (!do_c1) + return 0; + + n = lws_ssl_client_connect1(wsi); + if (!n) + return 1; /* caller should return 0 */ + if (n < 0) { + *pcce = "lws_ssl_client_connect1 failed"; + return -1; + } + } else + wsi->tls.ssl = NULL; + +#if defined (LWS_WITH_HTTP2) + if (wsi->client_h2_alpn) { + /* + * We connected to the server and set up tls, and + * negotiated "h2". + * + * So this is it, we are an h2 master client connection + * now, not an h1 client connection. + */ +#if defined(LWS_WITH_TLS) + lws_tls_server_conn_alpn(wsi); +#endif + + /* send the H2 preface to legitimize the connection */ + if (lws_h2_issue_preface(wsi)) { + *pcce = "error sending h2 preface"; + return -1; + } + } +#endif + + return 0; /* OK */ +} + +#endif + void lws_client_http_body_pending(struct lws *wsi, int something_left_to_send) { 
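Review bot: lws_tls_restrict_borrow() is now evaluated after lws_ssl_client_bio_create(), reversing the order used by the call sites this function replaces (the removed blocks in client-handshake.c and in start_ws_handshake below check the limit first), so when the TLS restriction limit is hit a BIO has already been created for a connection that is then refused; move the borrow check ahead of the bio_create() call so the limit gates the allocation. The inner `#if defined(LWS_WITH_TLS)` around lws_tls_server_conn_alpn() is redundant, since the whole function is already inside that guard. Because this is a new cross-role entry point (declared in private-lib-roles-http.h), give it a header comment stating the contract: returns 0 when TLS is set up or not wanted and the caller should continue, 1 when `do_c1` was set and the connect1 handshake is still pending so the caller should return immediately, and -1 on failure with `*pcce` pointing at a static reason string; the current `/* caller should return 0 */` on the `return 1` line is not accurate for connect.c, which returns `wsi`.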
@@ -151,30 +213,11 @@ start_ws_handshake: return -1; #if defined(LWS_WITH_TLS) - /* we can retry this... just cook the SSL BIO the first time */ - - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - - if (!wsi->transaction_from_pipeline_queue && - lws_tls_restrict_borrow(wsi->context)) { - cce = "tls restriction limit"; - goto bail3; - } - - if (!wsi->tls.ssl && lws_ssl_client_bio_create(wsi) < 0) { - cce = "bio_create failed"; - goto bail3; - } - - n = lws_ssl_client_connect1(wsi); - if (!n) - return 0; - if (n < 0) { - cce = "lws_ssl_client_connect1 failed"; - goto bail3; - } - } else - wsi->tls.ssl = NULL; + n = lws_client_create_tls(wsi, &cce, 1); + if (n < 0) + goto bail3; + if (n == 1) + return 0; /* fallthru */ @@ -220,12 +263,13 @@ start_ws_handshake: goto bail3; } + // lwsi_set_state(wsi, LRS_H1C_ISSUE_HANDSHAKE2); + lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND, + context->timeout_secs); + break; } #endif - lwsi_set_state(wsi, LRS_H1C_ISSUE_HANDSHAKE2); - lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND, - context->timeout_secs); /* fallthru */ diff --git a/lib/roles/http/private-lib-roles-http.h b/lib/roles/http/private-lib-roles-http.h index 1284020ab..2bf43fe06 100644 --- a/lib/roles/http/private-lib-roles-http.h +++ b/lib/roles/http/private-lib-roles-http.h @@ -326,3 +326,6 @@ lws_sul_http_ah_lifecheck(lws_sorted_usec_list_t *sul); uint8_t * lws_http_multipart_headers(struct lws *wsi, uint8_t *p); + +int +lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1); diff --git a/lib/roles/mqtt/client/client-mqtt.c b/lib/roles/mqtt/client/client-mqtt.c index 191301236..3f6fcecdf 100644 --- a/lib/roles/mqtt/client/client-mqtt.c +++ b/lib/roles/mqtt/client/client-mqtt.c 
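Review bot: In the second hunk of this file, `lwsi_set_state(wsi, LRS_H1C_ISSUE_HANDSHAKE2)` is replaced by a commented-out copy (`// lwsi_set_state(wsi, LRS_H1C_ISSUE_HANDSHAKE2);`); delete the comment if the state change is genuinely no longer wanted rather than leaving dead code. The lws_set_timeout(PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND, ...) call also moved from after `#endif` to inside the `#if defined(LWS_WITH_TLS)` block, so if a build without LWS_WITH_TLS reaches this point it no longer arms that timeout; if that is unintended, keep the timeout call after the `#endif` as before. The new `break;` means the TLS build no longer falls through to the next case while the remaining `/* fallthru */` comment still describes the non-TLS path, which is worth stating in the comment. The enclosing switch begins and ends outside the hunk.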
@@ -204,23 +204,17 @@ lws_mqtt_client_socket_service(struct lws *wsi, struct lws_pollfd *pollfd, if (!(wsi->tls.use_ssl & LCCSCF_USE_SSL)) goto start_ws_handshake; - /* we can retry this... just cook the SSL BIO the first time */ - - if (lws_ssl_client_bio_create(wsi) < 0) { - lwsl_err("%s: bio_create failed\n", __func__); + switch (lws_client_create_tls(wsi, &cce, 0)) { + case 0: + break; + case 1: + return 0; + default: goto bail3; } - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - n = lws_ssl_client_connect1(wsi); - if (!n) - return 0; - if (n < 0) { - lwsl_err("%s: lws_ssl_client_connect1 failed\n", - __func__); - goto bail3; - } - } + break; + default: break; } @@ -349,7 +343,7 @@ start_ws_handshake: goto fail; case LWS_SSL_CAPABLE_MORE_SERVICE: lwsl_info("SSL Capable more service\n"); - goto fail; + return 0; case LWS_SSL_CAPABLE_ERROR: lwsl_info("%s: LWS_SSL_CAPABLE_ERROR\n", __func__); diff --git a/lib/roles/raw-skt/ops-raw-skt.c b/lib/roles/raw-skt/ops-raw-skt.c index 30041026a..75d1776fb 100644 --- a/lib/roles/raw-skt/ops-raw-skt.c +++ b/lib/roles/raw-skt/ops-raw-skt.c @@ -105,32 +105,8 @@ rops_handle_POLLIN_raw_skt(struct lws_context_per_thread *pt, struct lws *wsi, * go down the tls path on it now if that's what * we want */ + goto post_rx; -// if (!(wsi->tls.use_ssl & LCCSCF_USE_SSL)) { -// lwsi_set_state(wsi, LRS_ESTABLISHED); - goto post_rx; -// } -#if 0 - /* we can retry this... just cook the SSL BIO - * the first time */ - - if (lws_ssl_client_bio_create(wsi) < 0) { - lwsl_err("%s: bio_create failed\n", - __func__); - goto fail; - } - - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { - n = lws_ssl_client_connect1(wsi); - if (!n) - return 0; - if (n < 0) { - lwsl_err("%s: connect1 failed\n", - __func__); - goto fail; - } - } -#endif default: break; } diff --git a/lib/secure-streams/README.md b/lib/secure-streams/README.md index b970d3aa0..8f815e054 100644 --- a/lib/secure-streams/README.md +++ b/lib/secure-streams/README.md 
@@ -393,7 +393,7 @@ directly parses the policy and makes the outgoing connections itself. However when configured at cmake with ``` --DLWS_WITH_SOCKS=1 -DLWS_WITH_SECURE_STREAMS=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 +-DLWS_WITH_SOCKS5=1 -DLWS_WITH_SECURE_STREAMS=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 ``` and define `LWS_SS_USE_SSPC` when building the application, applications forward diff --git a/minimal-examples/http-client/minimal-http-client-post/selftest.sh b/minimal-examples/http-client/minimal-http-client-post/selftest.sh index 2f887f2a0..8d3476f4e 100755 --- a/minimal-examples/http-client/minimal-http-client-post/selftest.sh +++ b/minimal-examples/http-client/minimal-http-client-post/selftest.sh @@ -26,7 +26,7 @@ dotest $1 $2 warmcat-m -m dotest $1 $2 warmcat-m-h1 -m --h1 spawn "" $5 $1/libwebsockets-test-server -s -dotest $1 $2 localhost -l +dotest $1 $2 localhost -l -d1151 spawn $SPID $5 $1/libwebsockets-test-server -s dotest $1 $2 localhost-h1 -l --h1 spawn $SPID $5 $1/libwebsockets-test-server -s
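Review bot: `-d1151` is added to only the first of the two localhost runs in selftest.sh, which reads like a debugging aid left in the self test rather than a deliberate change; either apply the same log level to the `localhost-h1` run for consistency or drop it. If the extra verbosity is wanted for diagnosing CI failures, a one-line comment above the call saying so would stop the next reader from removing it.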