1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

33 commits

Author SHA1 Message Date
Ilya Smelykh
fdfde2ce0b http: auth digest 2023-12-08 10:25:50 +00:00
johnnychen
9f44863e07 tls: fix ssl connection error in raw connection 2023-11-23 09:45:12 +00:00
Sylvian Saunier
38a39a3710 client: support socket source port setting 2022-01-16 10:48:16 +00:00
Andy Green
d3783f0c71 client: connect: confirm we have a protocol
Coverity gets antsy that we were checking wsi->a.protocol for NULL earlier
then start using it... explicitly bail if it's NULL before we start using
it.
2021-11-08 13:44:45 +00:00
Andy Green
f5edf9d75a remove: lws_sequencer
lws_sequencer and lws_abstract were both false starts trying to do the
functionality of secure streams.

Since Secure Streams does a better job for both and there are no known
out-of-tree users of them, let's remove them and focus on Secure Streams.
2021-10-12 07:33:15 +01:00
Andy Green
d447f8f1db client: connect: prefer default vh if none given
Giving NULL vh for the client connection is basically "don't care"....
prefer the "default" vh in that case
2021-10-05 07:40:17 +01:00
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Bing Zhao
74799161b1 tls: fix inbalanced tls restrict borrow/return calls
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.

Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
2021-07-08 06:22:47 +01:00
Andy Green
ee510154a0 fi: wsi: fault to fake peer hangup after a delay range
Example usage, client

$ valgrind ./bin/lws-minimal-secure-streams-stress-client -c 4 --budget 40

proxy

$ valgrind ./lws-minimal-secure-streams-proxy --fault-injection "ss=mintest/wsi/timedclose(20%),ss=mintest/wsi/timedclose_ms(0..100)"
2021-07-04 10:29:54 +01:00
Andy Green
a7edd16399 logs: more internal conversion to log_cx 2021-07-01 05:20:53 +01:00
Andy Green
5d8cf03221 logs: log contexts 2021-07-01 05:20:53 +01:00
Andy Green
8e76634ed3 logs: introduce log_cx 2021-07-01 05:20:53 +01:00
Andy Green
d5475807b0 tls restriction: check before doing bio 2021-06-26 14:59:50 +01:00
Andy Green
8c122cd8bd redirect: make sure we start with / on path 2021-06-22 15:55:36 +01:00
Andy Green
272dba8307 http: redo redirects to follow close flow
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.

This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.

h2->h2 redirects work properly after this.

The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
2021-06-22 15:55:29 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
9c6e2ffb65 smp: fix client tsi detection 2021-05-12 09:06:11 +01:00
Andy Green
51490ae6e6 Fault injection
add lws_xos: xoshiro256 PRNG
2021-04-05 10:55:04 +01:00
Andy Green
3f4623bb36 lws_metrics
There are a few build options that are trying to keep and report
various statistics

 - DETAILED_LATENCY
 - SERVER_STATUS
 - WITH_STATS

remove all those and establish a generic rplacement, lws_metrics.

lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.

Openmetrics export is supported, for, eg, prometheus scraping.
2021-03-08 21:47:28 +00:00
Andy Green
3fe08ce5d8 fault injection 2021-02-20 13:54:35 +00:00
Andy Green
eb782bd41e ip tos support 2021-02-04 10:28:02 +00:00
Andy Green
95a545b741 evlib: count extant evlib handles instead of wsi 2021-01-19 17:07:33 +00:00
Andy Green
aa45de9e2a ss: enforce only valid state transitions
The various stream transitions for direct ss, SSPC, smd, and
different protocols are all handled in different code, let's
stop hoping for the best and add a state transition validation
function that is used everywhere we pass a state change to a
user callback, and knows what is valid for the user state()
callback to see next, given the last state it was shown.

Let's assert if lws manages to violate that so we can find
where the problem is and provide a stricter guarantee about
what user state handler will see, no matter if ss or sspc
or other cases.

To facilitate that, move the states to start from 1, where
0 indicates the state unset.
2021-01-11 08:12:43 +00:00
Andy Green
c9731c5f17 type comparisons: fixes
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00
Andy Green
e11d78dc5e sspc: cleanup bridged wsi 2021-01-04 05:40:12 +00:00
Andy Green
93f54c61c5 ss: enforce balanced CONNECT vs DISCONNECT 2021-01-04 05:26:50 +00:00
Andy Green
0ceba15d9c lws_lifecycle
This adds some new objects and helpers for keeping and logging
info on grouped allocations, a group is, eg, SS handles or client
wsis.

Allocated objects get a context-unique "tag" string intended to replace
%p / wsi pointers etc.  Pointers quickly become confusing when
allocations are freed and reused, the tag string won't repeat
until you produce 2^64 objects in a context.

In addition the tag string documents the object group, with prefixes
like "wsi-" or "vh-" and contain object-specific additional
information like the vhost name, address / port  or the role of the wsi.
At creation time the lws code can use a format string and args
to add whatever group-specific info makes sense, eg, a wsi bound
to a secure stream can also append the guid of the secure stream,
it's copied into the new object tag and so is still available
cleanly after the stream is destroyed if the wsi outlives it.
2021-01-04 05:26:50 +00:00
Andy Green
d330dbd76a wsi: unify base wsi creation function
A few different places want to create wsis and basically repeat their
own versions of the flow.  Let's unify it into one helper in wsi.c

Also require the context lock held (this only impacts LWS_MAX_SMP > 1)
2021-01-04 05:26:50 +00:00
Andy Green
5947e54a66 ss: mark client wsi bound to ss using flag 2020-12-24 16:14:36 +00:00
Andy Green
1f477e4915 client: clean up pwsi if late failure 2020-12-24 16:14:36 +00:00
Andy Green
2bcae2b3b6 context: refactor destroy flow 2020-11-28 10:58:38 +00:00
Andy Green
3549a94ce6 roles: compress role ops structs
role ops are usually only sparsely filled, there are currently 20
function pointers but several roles only fill in two.  No single
role has more than 14 of the ops.  On a 32/64 bit build this part
of the ops struct takes a fixed 80 / 160 bytes then.

First reduce the type of the callback reason part from uint16_t to
uint8_t, this saves 12 bytes unconditionally.

Change to a separate function pointer array with a nybble index
array, it costs 10 bytes for the index and a pointer to the
separate array, for 32-bit the cost is

2 + (4 x ops_used)

and for 64-bit

6 + (8 x ops_used)

for 2 x ops_used it means 32-bit: 10 vs 80 / 64-bit: 22 vs 160

For a typical system with h1 (9), h2 (14), listen (2), netlink (2),
pipe (1), raw_skt (3), ws (12), == 43 ops_used out of 140, it means
the .rodata for this reduced from 32-bit: 560 -> 174 (386 byte
saving) and 64-bit: 1120 -> 350 (770 byte saving)

This doesn't account for the changed function ops calling code, two
ways were tried, a preprocessor macro and explicit functions

For an x86_64 gcc 10 build with most options, release mode,
.text + .rodata

before patch:          553282
accessor macro:        552714 (568 byte saving)
accessor functions:    553674 (392 bytes worse than without patch)

therefore we went with the macros
2020-11-28 10:58:38 +00:00
Andy Green
62e566b9de client: move staged connect pieces into core-net
They have been in lib/roles/http for historical reasons, and all
ended up in client-handshake.c that doesn't describe what they
actually do any more.  Separate out the staged client connect
related stage functions into

  lib/core-net/client/client2.c: lws_client_connect_2_dnsreq()
  lib/core-net/client/client3.c: lws_client_connect_3_connect()
  lib/core-net/client/client4.c: lws_client_connect_4_established()

Move a couple of other functions from there that don't belong out to
tls-client.c and client-http.c, which is related to http and remains
in the http role dir.
2020-09-21 12:47:11 +01:00
Renamed from lib/core-net/connect.c (Browse further)