ss: hello_world uses default policy

This switches the current hello_world to be hello_world-policy now,
and hello_world is simplified to use the __default policy without any
explicit policy of its own.

Using the default policy means it relies on the system tls library to
validate the tls connections using system trust arrangements, that won't
work in cases where the configured tls library does not have its own trust
store.

minimal-examples/client/hello_world-policy/CMakeLists.txt

@@ -0,0 +1,187 @@
+project(lws-minimal-ss-hello_world-policy C)
+cmake_minimum_required(VERSION 2.8.12)
+find_package(libwebsockets CONFIG REQUIRED)
+
+require_lws_config(LWS_ROLE_H1 1 requirements)
+require_lws_config(LWS_WITHOUT_CLIENT 0 requirements)
+require_lws_config(LWS_WITH_SECURE_STREAMS 1 requirements)
+require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements)
+require_lws_config(LWS_WITH_TLS 1 requirements)
+
+require_lws_config(LWS_WITH_SYS_FAULT_INJECTION 1 has_fault_injection)
+require_lws_config(LWS_WITH_SECURE_STREAMS_PROXY_API 1 has_ss_proxy)
+require_lws_config(LWS_WITH_SYS_STATE 1 has_sys_state)
+
+if (requirements)
+
+	add_executable(${PROJECT_NAME}
+			main.c
+			hello_world-ss.c)
+
+	if (websockets_shared)
+		target_link_libraries(${PROJECT_NAME}
+			websockets_shared
+			${LIBWEBSOCKETS_DEP_LIBS})
+		add_dependencies(${PROJECT_NAME}
+			websockets_shared)
+	else()
+		target_link_libraries(${PROJECT_NAME}
+			websockets
+			${LIBWEBSOCKETS_DEP_LIBS})
+	endif()
+
+	### --- this section related to also building example with SSPC / Proxy --->
+
+	if (has_ss_proxy OR LWS_WITH_SECURE_STREAMS_PROXY_API)
+		add_compile_options(-DLWS_SS_USE_SSPC)
+
+		add_executable(${PROJECT_NAME}-client
+				main.c
+				hello_world-ss.c)
+
+		if (websockets_shared)
+			target_link_libraries(${PROJECT_NAME}-client
+				websockets_shared
+				${LIBWEBSOCKETS_DEP_LIBS})
+			add_dependencies(${PROJECT_NAME}-client
+				websockets_shared)
+		else()
+			target_link_libraries(${PROJECT_NAME}-client
+				websockets
+				${LIBWEBSOCKETS_DEP_LIBS})
+		endif()
+	endif()
+
+	### <--- this section related to building with SSPC / Proxy END
+
+
+
+	### ---everything else related to ctest / CI ----->
+
+	find_program(VALGRIND "valgrind")
+
+	if (LWS_CTEST_INTERNET_AVAILABLE AND NOT WIN32)
+	
+		#
+		# When running in CI, wait for a lease on the resources
+		# before starting this test, so the server does not get
+		# thousands of simultaneous tls connection attempts
+		#
+		# sai-resource holds the lease on the resources until
+		# the time given in seconds or the sai-resource instance
+		# exits, whichever happens first
+		#
+		# If running under Sai, creates a lock test called "res_sspc-${PROJECT_NAME}" 
+		#
+		
+		sai_resource(warmcat_conns 1 40 sspc-${PROJECT_NAME})
+		
+		#
+		# simple test not via proxy
+		#
+	
+		if (VALGRIND)
+			message("testing via valgrind")
+			add_test(NAME mss-${PROJECT_NAME}-warmcat COMMAND
+				${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
+				$<TARGET_FILE:${PROJECT_NAME}>)
+		else()
+			add_test(NAME mss-${PROJECT_NAME}-warmcat COMMAND ${PROJECT_NAME})
+		endif()
+
+		set_tests_properties(mss-${PROJECT_NAME}-warmcat
+				     PROPERTIES
+				     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world-policy
+				     TIMEOUT 40)
+		if (DEFINED ENV{SAI_OVN})
+			set_tests_properties(mss-${PROJECT_NAME}-warmcat PROPERTIES FIXTURES_REQUIRED "res_sspc-${PROJECT_NAME}")
+		endif()
+
+		if (has_fault_injection)
+			if (VALGRIND)
+				add_test(NAME mss-#{PROJECT_NAME}-warmcat-fi1 COMMAND
+					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
+					$<TARGET_FILE:${PROJECT_NAME}>
+					--fault-injection "ss/ss_create_destroy_me"
+					--expected-exit 1)
+				add_test(NAME mss-#{PROJECT_NAME}-warmcat-fi2 COMMAND
+					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
+					$<TARGET_FILE:${PROJECT_NAME}>
+					--fault-injection "ss/ss_no_streamtype_policy"
+					--expected-exit 1)
+			else()
+				add_test(NAME mss-${PROJECT_NAME}-warmcat-fi1 COMMAND lws-minimal-secure-streams
+					 --fault-injection "ss/ss_create_destroy_me"
+					 --expected-exit 1)
+				 add_test(NAME mss-${PROJECT_NAME}-warmcat-fi2 COMMAND lws-minimal-secure-streams
+					 --fault-injection "ss/ss_no_streamtype_policy"
+					 --expected-exit 1)
+ 			 endif()
+
+			 set_tests_properties(mss-${PROJECT_NAME}-warmcat-fi1
+					      mss-${PROJECT_NAME}-warmcat-fi2
+				     PROPERTIES
+				     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world
+				     TIMEOUT 5)
+
+		endif()
+
+
+		if (has_sys_state AND
+		    (HAS_LWS_WITH_SECURE_STREAMS_PROXY_API OR LWS_WITH_SECURE_STREAMS_PROXY_API))
+
+			#
+			# Define test dep to bring up and take down the test
+			# proxy
+			#
+
+			if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+				# uds abstract namespace for linux
+				set(CTEST_SOCKET_PATH "@ctest-mssp-$ENV{SAI_PROJECT}-$ENV{SAI_OVN}")
+			else()
+				# filesystem socket for others
+				set(CTEST_SOCKET_PATH "/tmp/ctest-mssp-$ENV{SAI_PROJECT}-$ENV{SAI_OVN}")
+			endif()
+			add_test(NAME st_mss-${PROJECT_NAME}-proxy COMMAND
+				${CMAKE_SOURCE_DIR}/scripts/ctest-background.sh
+				mss-${PROJECT_NAME}-proxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
+				-i ${CTEST_SOCKET_PATH} )
+			set_tests_properties(st_mss-${PROJECT_NAME}-proxy PROPERTIES WORKING_DIRECTORY . FIXTURES_SETUP mss-${PROJECT_NAME}-proxy TIMEOUT 800)
+
+			add_test(NAME ki_mss-${PROJECT_NAME}-proxy COMMAND
+				${CMAKE_SOURCE_DIR}/scripts/ctest-background-kill.sh
+				mss-${PROJECT_NAME}-proxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
+				-i ${CTEST_SOCKET_PATH})
+			set_tests_properties(ki_mss-${PROJECT_NAME}-proxy PROPERTIES FIXTURES_CLEANUP mss-${PROJECT_NAME}-proxy)
+
+			#
+			# the client part that will connect to the proxy
+			#
+
+			if (VALGRIND)
+				message("testing via valgrind")
+				add_test(NAME msspc-${PROJECT_NAME} COMMAND
+					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
+					$<TARGET_FILE:${PROJECT_NAME}-client> --ssproxy-iface +${CTEST_SOCKET_PATH})
+			else()
+				add_test(NAME msspc-${PROJECT_NAME} COMMAND ${PROJECT_NAME}-client --ssproxy-iface +${CTEST_SOCKET_PATH})
+			endif()
+			
+			set(fixlist "mss-${PROJECT_NAME}-proxy")
+			if (DEFINED ENV{SAI_OVN})
+				list(APPEND fixlist "res_sspc-${PROJECT_NAME}-proxy")
+			endif()
+			
+			set_tests_properties(msspc-${PROJECT_NAME} PROPERTIES
+				WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world
+				FIXTURES_REQUIRED "${fixlist}"
+				TIMEOUT 40)
+
+		endif()
+
+	endif()
+
+	### <--- related to ctest / CI END
+
+endif()
+

minimal-examples/client/hello_world-policy/README.md

@@ -0,0 +1,45 @@
+# SS Example "hello_world"
+
+This is the simplest example, showing how to do an https
+transaction using Secure Streams (SS).
+
+SS' approach is to segregate "policy" (where and how to connect and authenticate
+for particular kinds of connection) from payloads that are transferred on the
+connection.  In this case, all the information about the example's policy is in
+`example-policy.json`.
+
+|Source|Purpose|
+|---|---|
+|main.c|boilerplate to create the lws_context and event loop|
+|hello_world-ss.c|the secure stream user code|
+|example-policy.json|the example policy|
+
+## Build
+
+You should build and install lws itself first.  Then with this directory as the
+cwd, you can use `cmake . && make` to build the example.  This produces
+`./lws-minimal-ss-hello_world`.
+
+If lws was configured to support SS Proxying with
+`-DLWS_WITH_SECURE_STREAMS_PROXY_API=1`, then a second executable is also
+produced `./lws-minimal-ss-hello_world-client`.  This does not try to do its own
+networking, but instead wants to connect to an SS Proxy process that will fulfil
+connections itself using its own policy.
+
+## Running
+
+You should be able to run `./lws-minimal-ss-hello_world` directly and see it
+fetch a webpage (just the start and end of each chunk are logged).
+
+To go via the SS Proxy, run `./lws-minimal-ss-hello_world-client` and an SS
+Proxy, eg, the example one found in `./minimal-examples/ssproxy/ssproxy-socket`.
+
+## Options
+
+|Commandline option|Meaning|
+|---|---|
+|-d \<bitmap\>|Enable logging levels (default 1031 (USER, ERR, WARN, NOTICE), 1039 = +INFO, 1151 = +INFO, DEBUG), `-DCMAKE_BUILD_TYPE=DEBUG` needed for logs more verbose that NOTICE
+|--ssproxy-port \<port\>|If going via an SS Proxy, default is Unix Domain Socket @proxy.ss.lws, you can force a different proxy's TCP port with this|
+|--ssproxy-ads \<ads\>|Set non-default hostname or IP address proxy is on|
+|--ssproxy-iface \<iface\>|Set non-default UDS path if starts with +, else interface to bind TCP connection to for proxy|
+

minimal-examples/client/hello_world-policy/hello_world-ss.c

@@ -0,0 +1,70 @@
+/*
+ * hello_world example
+ *
+ * Written in 2010-2021 by Andy Green <andy@warmcat.com>
+ *
+ * This file is made available under the Creative Commons CC0 1.0
+ * Universal Public Domain Dedication.
+ *
+ * Demonstrates the simplest example using the LWS high-level SS apis.
+ *
+ *  - main.c:              boilerplate to create the lws_context and event loop
+ *  - hello_world-ss.c:    (this file) the secure stream user code
+ *  - example-policy.json: the example policy
+ */
+
+#include <libwebsockets.h>
+#include <signal.h>
+
+extern int test_result;
+
+LWS_SS_USER_TYPEDEF
+	/* Your per-stream instantiation members go here */
+} hello_world_t;
+
+static lws_ss_state_return_t
+hello_world_rx(void *userobj, const uint8_t *in, size_t len, int flags)
+{
+	hello_world_t *g = (hello_world_t *)userobj;
+	struct lws_ss_handle *h = lws_ss_from_user(g);
+
+	lwsl_ss_user(h, "RX %zu, flags 0x%x", len, (unsigned int)flags);
+
+	if (len) { /* log the first 16 and last 16 bytes of the chunk */
+		lwsl_hexdump_ss_info(h, in, len >= 16 ? 16 : len);
+		if (len >= 16)
+			lwsl_hexdump_ss_info(h, in + len - 16, 16);
+	}
+
+	if ((flags & LWSSS_FLAG_EOM) == LWSSS_FLAG_EOM) /* had whole message */
+		test_result &= ~2;
+
+	return LWSSSSRET_OK;
+}
+
+static lws_ss_state_return_t
+hello_world_state(void *userobj, void *h_src, lws_ss_constate_t state,
+		  lws_ss_tx_ordinal_t ack)
+{
+	hello_world_t *g = (hello_world_t *)userobj;
+
+	switch ((int)state) {
+	case LWSSSCS_CREATING: /* start the transaction as soon as we exist */
+		return lws_ss_request_tx(lws_ss_from_user(g));
+
+	case LWSSSCS_QOS_ACK_REMOTE: /* server liked our request */
+		test_result &= ~1;
+		break;
+
+	case LWSSSCS_DISCONNECTED: /* for our example, disconnect = done */
+		lws_default_loop_exit(lws_ss_cx_from_user(g));
+		break;
+	}
+
+	return LWSSSSRET_OK;
+}
+
+LWS_SS_INFO("sx-hello_world", hello_world_t)
+	.rx		= hello_world_rx,
+	.state		= hello_world_state,
+};

minimal-examples/client/hello_world-policy/main.c

@@ -0,0 +1,65 @@
+/*
+ * hello_world-policy example
+ *
+ * Written in 2010-2021 by Andy Green <andy@warmcat.com>
+ *
+ * This file is made available under the Creative Commons CC0 1.0
+ * Universal Public Domain Dedication.
+ *
+ * Demonstrates the simplest example using the LWS high-level SS apis, doing
+ * an h1 GET from warmcat.com.
+ *
+ * It specifies its own policy and restricts the tls library to validating the
+ * certificate through a single trusted CA cert defined in the policy.
+ *
+ *  - main.c:              (this file) boilerplate to create the lws_context
+ *			   and event loop
+ *  - hello_world-ss.c:    the secure stream user code
+ *  - example-policy.json: the example policy
+ *
+ * Configure lws with -DCMAKE_BUILD_TYPE=DEBUG to build verbose logs, enable at
+ * runtime by giving -d 1039 or -d 1151 on this example commandline.
+ */
+
+#include <libwebsockets.h>
+#include <signal.h>
+
+int test_result = 3; /* b0: clr when peer ACKed request, b1: clr when rx done */
+extern const lws_ss_info_t ssi_hello_world_t; /* from hello_world-ss.c */
+static struct lws_context *cx; /* so the SIGINT handler below can access it */
+
+static void
+sigint_handler(int sig)
+{
+	lws_default_loop_exit(cx);
+}
+
+int
+main(int argc, const char **argv)
+{
+	struct lws_context_creation_info info;
+
+	lws_context_info_defaults(&info, "example-policy.json");
+	lws_cmdline_option_handle_builtin(argc, argv, &info);
+	signal(SIGINT, sigint_handler);
+
+	cx = lws_create_context(&info);
+	if (!cx) {
+		lwsl_err("lws init failed\n");
+		return 1;
+	}
+
+	lwsl_cx_user(cx, "LWS hello_world example [-d<verb>]\n");
+
+	if (lws_ss_create(cx, 0, &ssi_hello_world_t, NULL, NULL, NULL, NULL)) {
+		lwsl_cx_err(cx, "failed to create SS");
+		lws_context_destroy(cx);
+		return 1;
+	}
+
+	lws_context_default_loop_run_destroy(cx);
+
+	/* process ret 0 if result is as expected (0, or --expected-exit 123) */
+
+	return lws_cmdline_passfail(argc, argv, test_result);
+}

minimal-examples/client/hello_world/CMakeLists.txt

@@ -7,6 +7,12 @@ require_lws_config(LWS_WITHOUT_CLIENT 0 requirements)
 require_lws_config(LWS_WITH_SECURE_STREAMS 1 requirements)
 require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements)
 require_lws_config(LWS_WITH_TLS 1 requirements)
+require_lws_config(LWS_WITH_SECURE_STREAMS_AUTH_SIGV4 0 requirements)
+
+# uses system trust store
+require_lws_config(LWS_WITH_MBEDTLS 0 requirements)
+require_lws_config(LWS_WITH_WOLFSSL 0 requirements)
+require_lws_config(LWS_WITH_CYASSL 0 requirements)
 
 require_lws_config(LWS_WITH_SYS_FAULT_INJECTION 1 has_fault_injection)
 require_lws_config(LWS_WITH_SECURE_STREAMS_PROXY_API 1 has_ss_proxy)
@@ -14,7 +20,7 @@ require_lws_config(LWS_WITH_SYS_STATE 1 has_sys_state)
 
 if (requirements)
 
-	add_executable(lws-minimal-ss-hello_world
+	add_executable(${PROJECT_NAME}
 			main.c
 			hello_world-ss.c)
 
@@ -71,10 +77,10 @@ if (requirements)
 		# the time given in seconds or the sai-resource instance
 		# exits, whichever happens first
 		#
-		# If running under Sai, creates a lock test called "res_sspcmin" 
+		# If running under Sai, creates a lock test called "res_sspc-${PROJECT_NAME}" 
 		#
 		
-		sai_resource(warmcat_conns 1 40 sspcmin-hello-world)
+		sai_resource(warmcat_conns 1 40 sspc-${PROJECT_NAME})
 		
 		#
 		# simple test not via proxy
@@ -82,44 +88,44 @@ if (requirements)
 	
 		if (VALGRIND)
 			message("testing via valgrind")
-			add_test(NAME mss-warmcat COMMAND
+			add_test(NAME mss-${PROJECT_NAME} COMMAND
 				${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
 				$<TARGET_FILE:${PROJECT_NAME}>)
 		else()
-			add_test(NAME mss-warmcat COMMAND ${PROJECT_NAME})
+			add_test(NAME mss-${PROJECT_NAME} COMMAND ${PROJECT_NAME})
 		endif()
 
-		set_tests_properties(mss-warmcat
+		set_tests_properties(mss-${PROJECT_NAME}
 				     PROPERTIES
 				     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world
 				     TIMEOUT 40)
 		if (DEFINED ENV{SAI_OVN})
-			set_tests_properties(mss-warmcat PROPERTIES FIXTURES_REQUIRED "res_msspcmin")		     
+			set_tests_properties(mss-${PROJECT_NAME} PROPERTIES FIXTURES_REQUIRED "resmsspc-${PROJECT_NAME}")
 		endif()
 
 		if (has_fault_injection)
 			if (VALGRIND)
-				add_test(NAME mss-warmcat-fi1 COMMAND
+				add_test(NAME mss-${PROJECT_NAME}-fi1 COMMAND
 					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
 					$<TARGET_FILE:${PROJECT_NAME}>
 					--fault-injection "ss/ss_create_destroy_me"
 					--expected-exit 1)
-				add_test(NAME mss-warmcat-fi2 COMMAND
+				add_test(NAME mss-${PROJECT_NAME}-fi2 COMMAND
 					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
 					$<TARGET_FILE:${PROJECT_NAME}>
 					--fault-injection "ss/ss_no_streamtype_policy"
 					--expected-exit 1)
 			else()
-				add_test(NAME mss-warmcat-fi1 COMMAND lws-minimal-secure-streams
+				add_test(NAME mss-${PROJECT_NAME}-fi1 COMMAND lws-minimal-secure-streams
 					 --fault-injection "ss/ss_create_destroy_me"
 					 --expected-exit 1)
-				add_test(NAME mss-warmcat-fi2 COMMAND lws-minimal-secure-streams
+				add_test(NAME mss-${PROJECT_NAME}-fi2 COMMAND lws-minimal-secure-streams
 					 --fault-injection "ss/ss_no_streamtype_policy"
 					 --expected-exit 1)
  			 endif()
 
-			set_tests_properties(mss-warmcat-fi1
-					     mss-warmcat-fi2
+			set_tests_properties(mss-${PROJECT_NAME}-fi1
+					     mss-${PROJECT_NAME}-fi2
 				     PROPERTIES
 				     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world
 				     TIMEOUT 5)
@@ -142,17 +148,17 @@ if (requirements)
 				# filesystem socket for others
 				set(CTEST_SOCKET_PATH "/tmp/ctest-mssp-$ENV{SAI_PROJECT}-$ENV{SAI_OVN}")
 			endif()
-			add_test(NAME st_mssproxy COMMAND
+			add_test(NAME st_mss-${PROJECT_NAME}-proxy COMMAND
 				${CMAKE_SOURCE_DIR}/scripts/ctest-background.sh
-				mssproxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
+				mss-${PROJECT_NAME}-proxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
 				-i ${CTEST_SOCKET_PATH} )
-			set_tests_properties(st_mssproxy PROPERTIES WORKING_DIRECTORY . FIXTURES_SETUP mssproxy TIMEOUT 800)
+			set_tests_properties(st_mss-${PROJECT_NAME}-proxy PROPERTIES WORKING_DIRECTORY . FIXTURES_SETUP mss-${PROJECT_NAME}-proxy TIMEOUT 800)
 
-			add_test(NAME ki_mssproxy COMMAND
+			add_test(NAME ki_mss-${PROJECT_NAME}-proxy COMMAND
 				${CMAKE_SOURCE_DIR}/scripts/ctest-background-kill.sh
-				mssproxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
+				mss-${PROJECT_NAME}-proxy $<TARGET_FILE:lws-minimal-secure-streams-proxy>
 				-i ${CTEST_SOCKET_PATH})
-			set_tests_properties(ki_mssproxy PROPERTIES FIXTURES_CLEANUP mssproxy)
+			set_tests_properties(ki_mss-${PROJECT_NAME}-proxy PROPERTIES FIXTURES_CLEANUP mss-${PROJECT_NAME}-proxy)
 
 			#
 			# the client part that will connect to the proxy
@@ -160,19 +166,19 @@ if (requirements)
 
 			if (VALGRIND)
 				message("testing via valgrind")
-				add_test(NAME msspc-minimal COMMAND
+				add_test(NAME msspc-${PROJECT_NAME} COMMAND
 					${VALGRIND} --tool=memcheck --leak-check=yes --num-callers=20
 					$<TARGET_FILE:${PROJECT_NAME}-client> --ssproxy-iface +${CTEST_SOCKET_PATH})
 			else()
-				add_test(NAME msspc-minimal COMMAND ${PROJECT_NAME}-client --ssproxy-iface +${CTEST_SOCKET_PATH})
+				add_test(NAME msspc-${PROJECT_NAME} COMMAND ${PROJECT_NAME}-client --ssproxy-iface +${CTEST_SOCKET_PATH})
 			endif()
 			
-			set(fixlist "mssproxy")
+			set(fixlist "mss-${PROJECT_NAME}-proxy")
 			if (DEFINED ENV{SAI_OVN})
-				list(APPEND fixlist "res_mssproxy")
+				list(APPEND fixlist "res_mss-${PROJECT_NAME}-proxy")
 			endif()
 			
-			set_tests_properties(msspc-minimal PROPERTIES
+			set_tests_properties(msspc-${PROJECT_NAME} PROPERTIES
 				WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/client/hello_world
 				FIXTURES_REQUIRED "${fixlist}"
 				TIMEOUT 40)

minimal-examples/client/hello_world/README.md

@@ -1,7 +1,10 @@
 # SS Example "hello_world"
 
-This is the simplest example, showing how to do an https
-transaction using Secure Streams (SS).
+This is the simplest example, showing how to do an https transaction using Secure
+Streams (SS) and the default policy.  Because it doesn't specify a CA for the
+tls library to trust, it only works on systems where the tls library has its own
+trust store, like openssl typically.  See hello_world-policy for a similar example
+that specifies the CA to trust for the connection in the policy.
 
 SS' approach is to segregate "policy" (where and how to connect and authenticate
 for particular kinds of connection) from payloads that are transferred on the

minimal-examples/client/hello_world/hello_world-ss.c

@@ -1,7 +1,7 @@
 /*
  * hello_world example
  *
- * Written in 2010-2021 by Andy Green <andy@warmcat.com>
+ * Written in 2010-2022 by Andy Green <andy@warmcat.com>
  *
  * This file is made available under the Creative Commons CC0 1.0
  * Universal Public Domain Dedication.
@@ -10,7 +10,6 @@
  *
  *  - main.c:              boilerplate to create the lws_context and event loop
  *  - hello_world-ss.c:    (this file) the secure stream user code
- *  - example-policy.json: the example policy
  */
 
 #include <libwebsockets.h>
@@ -30,6 +29,18 @@ hello_world_rx(void *userobj, const uint8_t *in, size_t len, int flags)
 
 	lwsl_ss_user(h, "RX %zu, flags 0x%x", len, (unsigned int)flags);
 
+#if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR)
+	if ((flags & LWSSS_FLAG_SOM) == LWSSS_FLAG_SOM) {
+		char *md;
+		size_t md_len;
+
+		if (!lws_ss_get_metadata(g->ss, "content-length:", (const void **)&md, &md_len))
+			lwsl_ss_user(g->ss, "clen %s", md);
+		else
+			lwsl_ss_user(g->ss, "Unable to get content length");
+	}
+#endif
+
 	if (len) { /* log the first 16 and last 16 bytes of the chunk */
 		lwsl_hexdump_ss_info(h, in, len >= 16 ? 16 : len);
 		if (len >= 16)
@@ -64,7 +75,7 @@ hello_world_state(void *userobj, void *h_src, lws_ss_constate_t state,
 	return LWSSSSRET_OK;
 }
 
-LWS_SS_INFO("sx-hello_world", hello_world_t)
+LWS_SS_INFO("__default", hello_world_t)
 	.rx		= hello_world_rx,
 	.state		= hello_world_state,
 };

minimal-examples/client/hello_world/main.c

@@ -1,18 +1,21 @@
 /*
  * hello_world example
  *
- * Written in 2010-2021 by Andy Green <andy@warmcat.com>
+ * Written in 2010-2022 by Andy Green <andy@warmcat.com>
  *
  * This file is made available under the Creative Commons CC0 1.0
  * Universal Public Domain Dedication.
  *
  * Demonstrates the simplest example using the LWS high-level SS apis, doing
- * an h1 GET from warmcat.com.
+ * an h2 GET from warmcat.com.
+ *
+ * It uses the default SS policy and relies on the tls library to know what
+ * CAs are trusted.  See hello_world-policy for a version with its own defined
+ * policy which specifies the CA to trust.
  *
  *  - main.c:              (this file) boilerplate to create the lws_context
  *			   and event loop
  *  - hello_world-ss.c:    the secure stream user code
- *  - example-policy.json: the example policy
  *
  * Configure lws with -DCMAKE_BUILD_TYPE=DEBUG to build verbose logs, enable at
  * runtime by giving -d 1039 or -d 1151 on this example commandline.
@@ -34,12 +37,18 @@ sigint_handler(int sig)
 int
 main(int argc, const char **argv)
 {
+	const char *url = "https://warmcat.com/index.html", *p;
 	struct lws_context_creation_info info;
+	struct lws_ss_handle *h;
 
-	lws_context_info_defaults(&info, "example-policy.json");
+	lws_context_info_defaults(&info, NULL /* default policy */);
 	lws_cmdline_option_handle_builtin(argc, argv, &info);
 	signal(SIGINT, sigint_handler);
 
+	p = lws_cmdline_option(argc, argv, "--url");
+	if (p)
+		url = p;
+
 	cx = lws_create_context(&info);
 	if (!cx) {
 		lwsl_err("lws init failed\n");
@@ -48,10 +57,14 @@ main(int argc, const char **argv)
 
 	lwsl_cx_user(cx, "LWS hello_world example [-d<verb>]\n");
 
-	if (lws_ss_create(cx, 0, &ssi_hello_world_t, NULL, NULL, NULL, NULL)) {
-		lwsl_cx_err(cx, "failed to create get secure stream");
-		lws_context_destroy(cx);
-		return 1;
+	if (lws_ss_create(cx, 0, &ssi_hello_world_t, NULL, &h, NULL, NULL)) {
+		lwsl_cx_err(cx, "failed to create SS");
+		goto bail;
+	}
+
+	if (lws_ss_set_metadata(h, "endpoint", url, strlen(url))) {
+		lwsl_err("%s: failed to use metadata %s\n", __func__, url);
+		goto bail;
 	}
 
 	lws_context_default_loop_run_destroy(cx);
@@ -59,4 +72,10 @@ main(int argc, const char **argv)
 	/* process ret 0 if result is as expected (0, or --expected-exit 123) */
 
 	return lws_cmdline_passfail(argc, argv, test_result);
+
+bail:
+	lws_context_destroy(cx);
+
+	return 1;
 }
+