openssl-v3: deal with deprecated SSL_CTX_load_verify_locations

Add Sai for openssl-v3 and for boringssl

.sai.json

@@ -41,7 +41,7 @@
 			"default": false
 		},
 		"windows-10": {
-			"build": "mkdir build && cd build && set SAI_CPACK=\"-G ZIP\" && cmake .. -DLWS_EXT_PTHREAD_INCLUDE_DIR=\"C:\\Program Files (x86)\\pthreads\\include\" -DLWS_EXT_PTHREAD_LIBRARIES=\"C:\\Program Files (x86)\\pthreads\\lib\\x64\\libpthreadGC2.a\" ${cmake} && cmake --build . --config DEBUG && set CTEST_OUTPUT_ON_FAILURE=1 && ctest . -C DEBUG -j4 --output-on-failure",
+			"build": "mkdir build && cd build && set SAI_CPACK=\"-G ZIP\" && cmake .. -DLWS_OPENSSL_LIBRARIES=\"C:\\Program Files\\OpenSSL\\lib\\libssl.lib;C:\\Program Files\\OpenSSL\\lib\\libcrypto.lib\" -DLWS_OPENSSL_INCLUDE_DIRS=\"C:\\Program Files\\OpenSSL\\include\" -DLWS_EXT_PTHREAD_INCLUDE_DIR=\"C:\\Program Files (x86)\\pthreads\\include\" -DLWS_EXT_PTHREAD_LIBRARIES=\"C:\\Program Files (x86)\\pthreads\\lib\\x64\\libpthreadGC2.a\" ${cmake} && cmake --build . --config DEBUG && set CTEST_OUTPUT_ON_FAILURE=1 && ctest . -C DEBUG -j4 --output-on-failure",
 			"default": false
 		},
 		"freertos-esp32": {
@@ -57,8 +57,12 @@
 			"cmake":	"",
 			"platforms":	"windows-10, linkit-cross, ubuntu-focal-aarch64, freertos-esp32"
 		},
-		"openssl-v3": {
-			"cmake":	"-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\"",
+		"default-examples-openssl-v3": {
+			"cmake":	"-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
+			"platforms":	"none,linux-fedora-32-x86_64"
+		},
+		"default-examples-boringssl": {
+			"cmake":	"cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
 			"platforms":	"none,linux-fedora-32-x86_64"
 		},
 		"default-examples": {

CMakeLists.txt

@@ -560,15 +560,17 @@ if ((CMAKE_C_COMPILER_ID MATCHES "Clang") OR
 endif()
 
 if (LWS_HAVE_PTHREAD_H AND NOT LWS_PLAT_FREERTOS)
-	if (COMPILER_IS_CLANG)
-		set(LWS_PTHR_FLAGS "-pthread")# -Wno-error=unused-command-line-argument")
-	else()
-		set(LWS_PTHR_FLAGS "-pthread")
-	endif()
-	
-	set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ${LWS_PTHR_FLAGS})
 	if (NOT WIN32 AND NOT MSVC)
-		list(APPEND LIB_LIST_AT_END ${LWS_PTHR_FLAGS})
+		if (COMPILER_IS_CLANG)
+			set(LWS_PTHR_FLAGS "-pthread")# -Wno-error=unused-command-line-argument")
+		else()
+			set(LWS_PTHR_FLAGS "-pthread")
+		endif()
+	
+		set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ${LWS_PTHR_FLAGS})
+		if (NOT WIN32 AND NOT MSVC)
+			list(APPEND LIB_LIST_AT_END ${LWS_PTHR_FLAGS})
+		endif()
 	endif()
 
 	CHECK_C_SOURCE_COMPILES("#define _GNU_SOURCE

READMEs/README.ctest.md

@@ -1,6 +1,6 @@
 ## Using CTest with lws
 
-### Prerequisites
+### Updating ancient cmake
 
 You need a recent cmake to have the CTest tests work properly, if you're on an
 older distro you need to update your cmake.  Luckily Kitware provide a repo for
@@ -29,6 +29,13 @@ The main tests just need `-DLWS_WITH_MINIMAL_EXAMPLES=1`.  You can optionally se
 `-DLWS_CTEST_INTERNET_AVAILABLE=0` to indicate you can't run the tests that need
 internet connectivity.
 
+## Preparing to run the tests
+
+The tests have to spawn by script some "test buddies", for example the client
+tests have to run a test server from the built lws image.  For that reason you
+have to do a side-install into `./destdir` using `make install DESTDIR=../destdir`
+from the build directory before all the tests will work properly.
+
 ## Running the tests
 
 CMake puts the test action into a build-host type specific form, for unix type
@@ -57,10 +64,4 @@ warmcat.com or libwebsockets.org additionally.
 For that reason it's good practice to set the `WORKING_DIRECTORY` property to
 the home dir of the example app in all cases.
 
-### SIGTERM from CTest...
-
-After a lot of headscratching I realized some tests were failing simply because
-CTest was firing SIGTERMs at them for whatever reason.  I added a commandline
-option `--ignore-sigterm` in `lws_cmdline_option_handle_builtin()` to allow the
-test to defeat this, and then it continues and completes fine.
 

cmake/lws_config.h.in

@@ -71,6 +71,8 @@
 #cmakedefine LWS_HAVE_RSA_SET0_KEY
 #cmakedefine LWS_HAVE_RSA_verify_pss_mgf1
 #cmakedefine LWS_HAVE_SSL_CTX_get0_certificate
+#cmakedefine LWS_HAVE_SSL_CTX_load_verify_file
+#cmakedefine LWS_HAVE_SSL_CTX_load_verify_dir
 #cmakedefine LWS_HAVE_SSL_CTX_set1_param
 #cmakedefine LWS_HAVE_SSL_CTX_set_ciphersuites
 #cmakedefine LWS_HAVE_SSL_EXTRA_CHAIN_CERTS

lib/roles/cgi/ops-cgi.c

@@ -92,8 +92,8 @@ lws_cgi_sul_cb(lws_sorted_usec_list_t *sul)
 
 	lws_cgi_kill_terminated(pt);
 
-	__lws_sul_insert(&pt->pt_sul_owner, &pt->sul_cgi,
-			 3 * LWS_US_PER_SEC);
+	__lws_sul_insert_us(&pt->pt_sul_owner, &pt->sul_cgi,
+			    3 * LWS_US_PER_SEC);
 }
 
 static int

lib/tls/CMakeLists.txt

@@ -293,6 +293,8 @@ CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
 
 if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS)
+	# we don't want to confuse what's in or out of the wrapper with
+	# what's in an openssl also installed on the build host
 CHECK_C_SOURCE_COMPILES("#include <openssl/ssl.h>\nint main(void) { STACK_OF(X509) *c = NULL; SSL_CTX *ctx = NULL; return (int)SSL_CTX_get_extra_chain_certs_only(ctx, &c); }\n" LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
 CHECK_C_SOURCE_COMPILES("#include <openssl/ssl.h>\nint main(void) { EVP_MD_CTX *md_ctx = NULL; EVP_MD_CTX_free(md_ctx); return 0; }\n" LWS_HAVE_EVP_MD_CTX_free)
 set(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS ${LWS_HAVE_SSL_EXTRA_CHAIN_CERTS} PARENT_SCOPE)
@@ -301,6 +303,8 @@ CHECK_FUNCTION_EXISTS(${VARIA}ECDSA_SIG_set0 LWS_HAVE_ECDSA_SIG_set0 PARENT_SCOP
 CHECK_FUNCTION_EXISTS(${VARIA}BN_bn2binpad LWS_HAVE_BN_bn2binpad PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_wrap LWS_HAVE_EVP_aes_128_wrap PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EC_POINT_get_affine_coordinates LWS_HAVE_EC_POINT_get_affine_coordinates PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_load_verify_file LWS_HAVE_SSL_CTX_load_verify_file PARENT_SCOPE)
+CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_load_verify_dir LWS_HAVE_SSL_CTX_load_verify_dir PARENT_SCOPE)
 endif()
 
 if (LWS_WITH_MBEDTLS)

lib/tls/openssl/openssl-client.c

@@ -722,15 +722,25 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 
 	/* openssl init for cert verification (for client sockets) */
 	if (!ca_filepath && (!ca_mem || !ca_mem_len)) {
+#if defined(LWS_HAVE_SSL_CTX_load_verify_dir)
+		if (!SSL_CTX_load_verify_dir(
+			vh->tls.ssl_client_ctx, LWS_OPENSSL_CLIENT_CERTS))
+#else
 		if (!SSL_CTX_load_verify_locations(
 			vh->tls.ssl_client_ctx, NULL, LWS_OPENSSL_CLIENT_CERTS))
+#endif
 			lwsl_err("Unable to load SSL Client certs from %s "
 			    "(set by LWS_OPENSSL_CLIENT_CERTS) -- "
 			    "client ssl isn't going to work\n",
 			    LWS_OPENSSL_CLIENT_CERTS);
 	} else if (ca_filepath) {
+#if defined(LWS_HAVE_SSL_CTX_load_verify_file)
+		if (!SSL_CTX_load_verify_file(
+			vh->tls.ssl_client_ctx, ca_filepath)) {
+#else
 		if (!SSL_CTX_load_verify_locations(
 			vh->tls.ssl_client_ctx, ca_filepath, NULL)) {
+#endif
 			lwsl_err(
 				"Unable to load SSL Client certs "
 				"file from %s -- client ssl isn't "

lib/tls/openssl/openssl-server.c

@@ -519,8 +519,13 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 #endif
 
 	if (info->ssl_ca_filepath &&
+#if defined(LWS_HAVE_SSL_CTX_load_verify_file)
+	    !SSL_CTX_load_verify_file(vhost->tls.ssl_ctx,
+				      info->ssl_ca_filepath)) {
+#else
 	    !SSL_CTX_load_verify_locations(vhost->tls.ssl_ctx,
 					   info->ssl_ca_filepath, NULL)) {
+#endif
 		lwsl_err("%s: SSL_CTX_load_verify_locations unhappy\n",
 			 __func__);
 	}