1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

37 commits

Author SHA1 Message Date
Andy Green
d026f6d1b6 idf: cleanups 2024-11-03 07:59:12 +00:00
Andy Green
24fdd1f225 base64: improve sanity checking
Improve rejection of invalid chars
2022-03-25 08:18:30 +00:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andreas Weigel
319a00c067 jwt: sign via info
Offer a more extensible way to form and sign JWTs
2021-03-25 08:40:52 +00:00
Andy Green
c9731c5f17 type comparisons: fixes
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00
Andy Green
634a97ad79 lws_jwt_token_sanity 2020-07-15 16:18:00 +01:00
Andy Green
77530f8ccb jwt: sign and create jws helper 2020-07-15 16:17:59 +01:00
Andy Green
5b3ea74b77 jwt: validate jws helper
Introduce a signed JWT validation helper
2020-07-15 16:17:59 +01:00
Andy Green
cf41c3e793 jws: compact representation helper must use dots 2020-07-15 16:17:59 +01:00
Andy Green
b3131fdfdd cmakelist: Augean Stables refactor
Establish a new distributed CMake architecture with CMake code related to
a source directory moving to be in the subdir in its own CMakeLists.txt.
In particular, there's now one in ./lib which calls through to ones
further down the directory tree like ./lib/plat/xxx, ./lib/roles/xxx etc.

This cuts the main CMakelists.txt from 98KB -> 33KB, about a 66% reduction,
and it's much easier to maintain sub-CMakeLists.txt that are in the same
directory as the sources they manage, and conceal all the details that that
level.

Child CMakelists.txt become responsible for:

 - include_directories() definition (this is not supported by CMake
   directly, it passes it back up via PARENT_SCOPE vars in helper
   macros)

 - Addition child CMakeLists.txt inclusion, for example toplevel ->
   role -> role subdir

 - Source file addition to the build

 - Dependent library path resolution... this is now a private thing
   in the child CMakeLists.txt, it just passes back any adaptations
   to include_directories() and the LIB_LIST without filling the
   parent namespace with the details
2020-05-27 08:40:12 +01:00
Andy Green
af26f0c765 lejp: correct return temp type to int
lejp_parse() return type is an int... but in the function, the temp
for it is a char.  This leads to badness that is currently worked
around by casting the return through a signed char type.

But that leads to more badness since if there's >127 bytes of buffer
left after the end of the JSON object, we misreport it.

Bite the bullet and fix the temp type, and fix up all the guys
who were working around it at the caller return casting to use the
resulting straight int.

If you are using this api, remove any casting you may have cut-
and-pasted like this

n = (int)(signed char)lejp_parse(...);

... to just be like this...

n = lejp_parse(...);
2020-05-11 15:17:14 +01:00
Andy Green
e3d780dac6 gencrypto: windows: warnings
Coming out of increasing number of build variants on windows via Sai
2020-04-12 08:39:27 +01:00
Andy Green
94d488d2d5 jose: copy typ into jose object without testing for JWT 2020-03-04 11:00:04 +00:00
dzakarias
3d8fbdd3ac Added missing PKCS#7 padding/unpadding from AES-CBC in JWE 2020-02-21 17:32:41 +00:00
dzakarias
4f504a7a54 JWE: lws_jwe_render_compact to always return negative value on error 2020-02-21 17:32:41 +00:00
Andy Green
86fe71fdf3 lws_get_random: change length to size_t for coverity 2020-01-11 07:58:37 +00:00
Andy Green
0bfd39135e cleaning 2020-01-05 22:17:58 +00:00
Andy Green
0ab4a707fb format strings: ban %.*s as some platforms lack it
The %.*s is very handy to print strings where you have a length, but
there is no NUL termination.  It's quite widely supported but at least
one vendor RTOS toolchain doesn't have it.

Since there aren't that many uses of it yet, audit all uses and
convert to a new helper lws_strnncpy() which uses the smaller of
two lengths.
2019-11-04 13:49:14 +00:00
Andy Green
e1cf534775 jwk: add export option to suppress final CRLF
https://github.com/warmcat/libwebsockets/issues/1746

Adding the final CRLF is a NOP at JSON level, but can disrupt hashing the
JSON if it isn't expecting it.

Add flags to the jwk export so it can be controlled... operation remains
unchanged for old values 0 and 1 but a second flag can be OR-ed to control
issue of final CRLF.
2019-11-04 13:49:13 +00:00
Andy Green
5b780b85b5 COV225132: check if no JOSE alg
In the cases where an alg was expected, make sure it
came.
2019-09-22 09:35:07 -07:00
Andy Green
d7f0521aeb private.h: rename to contain dir
Having unique private header names is a requirement of a particular
platform build system it's desirable to work with
2019-08-15 10:49:52 +01:00
Andy Green
26319663f7 license: switch LGPLv2.1+SLE parts to MIT 2019-08-14 10:44:38 +01:00
Andy Green
38fb0e31da lws_struct
lws_struct JSON + sqlite3 serializer and deserializer


See READMEs/README.lws_struct.md
2019-04-06 06:08:47 +08:00
Andy Green
579ed35249 jwk: remove unistd.h include 2019-03-14 21:22:17 +08:00
Andy Green
c0b0c0ed72 rsa-aes-gcm: only strip padding when required 2019-01-30 08:08:16 +08:00
Andy Green
e7aacc8510 jwk: openssl: fix key parameter ordering for older OpenSSL 2019-01-30 07:19:38 +08:00
Andy Green
658afbc658 crypto: openssl: use EVP hmac objects directly 2 2019-01-29 15:28:56 +08:00
Andy Green
63ad616941 gencrypto: mbedtls: manual rsa padding removal only needed on old mbedtls in optee 2019-01-27 19:38:59 +08:00
Andy Green
8587e164f0 jwe: strip padding after rsa-aes 2019-01-22 06:37:53 +08:00
Andy Green
043700a4b0 optee: remove build system 2019-01-15 06:59:48 +08:00
Andy Green
0adc845507 lws-x509: validation functions 2018-12-31 20:35:54 +08:00
Andy Green
21889b53f7 ecdh-es
Mainly JWE support for ecdh-es and initial refactor to support multiple
recipients / signatures.
2018-12-27 06:45:32 +08:00
Andy Green
eda102e397 jwe 2018-12-27 06:45:32 +08:00
Andy Green
a3dcc95471 genec: generic ECDH crypto layer
!!! WIP

This implements the "genec" layer wrapping mbedtls + openssl
ECDH support.

API tests are added for the parts that are implemented so far.

Stuff related to ec at all, like keys, are prefixed lws_genec_.
Stuff specific to ECDH are prefixed lws_genecdh_.
2018-12-27 06:45:31 +08:00
Andy Green
47e14ba34b genrsa: add OAEP and PSS and convert openssl to EVP
Wanting PSS padding on signatures triggers and avalanche of
openssl EVP conversions as the only way to do it with the
openssl public apis.
2018-12-27 06:45:31 +08:00
Andy Green
ddb94d4e27 genaes: generic AES layer independent of tls library
Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.

This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.
2018-12-27 06:45:31 +08:00
Andy Green
440dacc992 JOSE: refactor and prepare for JWE
Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.
2018-12-27 06:45:31 +08:00