Updates the `lws_pt_destroy()` logic to ensure the pipe fds are closed if either `pt->dummy_pipe_fds[0]` or `pt->dummy_pipe_fds[1]` are still valid (previously was only checking `pt->dummy_pipe_fds[0]` which was resulting in the write fd to leak whenever a context was destroyed).
LWS_HAVE_SYS_RESOURCE_H is correctly set by lws to prevent including
sys/resource.h. However there is no corresponding guard for setrlimit (a
function from that header). This causes a build failure on platforms
which don't have sys/resource.h available.
This adds an optional lws VFS layer that exposes the named dlo object
registry. So you can register a blob like a JPG named "my.jpg", and
access it on the vfs as, eg, /dlofs/my.jpg (or file:///dlofs/my.jpg
if using the SS file:// support for VFS namespace).
VFS needs some small updates... pass in the bound fops as well as the
context fops to the member callbacks. ZIP_FOPS only cared about doing
operations on the platform / context vfs to walk the ZIP file, but other
uses are valid where we are doing operation inside the bound VFS itself.
Also, stash a cx pointer into file ops struct for convenience.
Just like there is a default protocol provided if none is specified that is
suitable for handling http GET, introduce a default SS policy that is also
suitable for the case of http GET where the user trusts the CA using the
ssl library or system trust store.
These have been disabled via a preprocessor symbol with no UI to enable it
for a year or so, it looks like they are not going to be needed.
The model of in-tree auth selectable from cmake looks like it will do for
everything, or if not, the solution will probably look different to this.
lws_sequencer and lws_abstract were both false starts trying to do the
functionality of secure streams.
Since Secure Streams does a better job for both and there are no known
out-of-tree users of them, let's remove them and focus on Secure Streams.
This is a NOP for existing usecases.
At the moment the only implemented transport for serialized SS is wsi, it's
typically used with Unix Domain Sockets, but it also works over tcp the
same.
It generalizes the interface between serialized chunks and the
transport, separately for client and proxy. The wsi transport is migrated
to use the new transport ops structs.
It will then be possible to "bring your own transport", so long as it is
reliable, and in-order, both for proxy and client / sspc.
We also adapt minimal-secure-streams-binance to build the -client variant
via SS proxy as well.
LWS_ONLY_SSPC is added so libwebsockets can be produced with just sspc
client support even for tiny targets.
A new embedded minimal example for rpi pico is also provided that
demonstrates using Serialized SS over a UART to an SS proxy, to implement
the SS Binance example on the pico, even though it has no networking itself.
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.
The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.
The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.
On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
in 100 interations, average 68.7k
Add support for dynamically determining the CAs needed to validate server
certificates. This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.
Works for both openssl and mbedtls.
See READMEs/README.jit-trust.md for the documentation
You likely want the next patch for http redirect enhancements as well.
Adapt the event lib support slighly so we can pass an event lib "plugin"
header in at context creation time, and direct all event loop handling to
go via that.
This can then be lightly adapted to interface to an existing custom event
loop cleanly, without the problems of EXTERNAL_POLL.
The external loop must consult with us about the max wait timeout as shown
in the added minimal-http-server-eventlib-custom example.
The example shows a complete implementation working with a custom poll()
loop cleanly while only needing 5 ops in the custom event lib handler.
Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.
This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
Defer recording the ss metrics histogram until wsi close, so it has a
chance to collect all the tags that apply.
Defer dumping metrics until the FINALIZE phase of context destroy, so we
had a chance to get any metrics recorded.
This provides a way to get ahold of LWS_WITH_CONMON telemetry from Secure
Streams, it works the same with direct onward connections or via the proxy.
You can mark streamtypes with a "perf": true policy attribute... this
causes the onward connections on those streamtypes to collect information
about the connection performance, and the unsorted DNS results.
Streams with that policy attribute receive extra data in their rx callback,
with the LWSSS_FLAG_PERF_JSON flag set on it, containing JSON describing the
performance of the onward connection taken from CONMON data, in a JSON
representation. Streams without the "perf" attribute set never receive
this extra rx.
The received JSON is based on the CONMON struct info and looks like
{"peer":"46.105.127.147","dns_us":596,"sockconn_us":31382,"tls_us":28180,"txn_resp_us:23015,"dns":["2001:41d0:2:ee93::1","46.105.127.147"]}
A new minimal example minimal-secure-streams-perf is added that collects
this data on an HTTP GET from warmcat.com, and is built with a -client
version as well if LWS_WITH_SECURE_STREAMS_PROXY_API is set, that operates
via the ss proxy and produces the same result at the client.
Really not having any logs makes it difficult to know what is really
happening, but if that's you're thing this will align debug and release
modes to just have ERR and USER if you give WITH_NO_LOGS
There are a few build options that are trying to keep and report
various statistics
- DETAILED_LATENCY
- SERVER_STATUS
- WITH_STATS
remove all those and establish a generic rplacement, lws_metrics.
lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.
Openmetrics export is supported, for, eg, prometheus scraping.
