mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

357 commits

Author SHA1 Message Date
makejian
a656eb5f1b mbedtls/ssl: free cert chain when mbedtls_client_preload_filepath enabled
Signed-off-by: makejian <makejian@xiaomi.com>
2025-03-03 07:40:34 +00:00
Andy Green
4b1b4a4caa lws_tls_openssl_asn1time_to_unix: fix 13 char asn1 epoch
Also align to struct tm's year epoch of 1900

https://github.com/warmcat/libwebsockets/issues/3341
2025-02-24 12:41:07 +00:00
Davidovory03
207d634fc0 mbedtls: translate error codes for caller
https://github.com/warmcat/libwebsockets/issues/3315
2025-01-22 08:43:45 +00:00
Andy Green
d026f6d1b6 idf: cleanups 2024-11-03 07:59:12 +00:00
Jeongik Cha
367ba7efe1 mbedtls: fix verify_mode properly in LWS_HAVE_mbedtls_ssl_set_hs_authmode as well 2024-11-02 09:36:41 +00:00
Jeongik Cha
84e640ddb8 mbedtls: verify_mode should match to auth_mode
SSL_VERIFY_PEER->MBEDTLS_SSL_VERIFY_REQUIRED
SSL_VERIFY_FAIL_IF_NO_PEER_CERT->MBEDTLS_SSL_VERIFY_OPTIONAL
2024-11-02 09:36:34 +00:00
Jeongik Cha
319b2e74c3 mbedtls: client: check cert exists and is valid
It should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but it was only SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so it didn't verify the cert; it only checked its existence.

To fix that, turn on both just like openssl-server.c does.
2024-11-02 09:36:26 +00:00
makejian
2718a4572f mbedtls-client: Enable the version number is correct
After mbedtls version 3.0, support for TLS 1.0 and 1.1 has been removed. For details, please see https://github.com/Mbed-TLS/mbedtls/issues/4286.
If a new version of mbedtls is used, connection errors may occur due to version reasons. So we hope it can be configured according to the supported version.

Signed-off-by: makejian <makejian@xiaomi.com>
2024-10-31 16:14:00 +00:00
Orgad Shaneh
c3a5c097ce tls-sessions: Pass correct type for printf %u 2024-10-06 08:10:51 +01:00
Andy Green
5f3d5e3a3d custom_event: fake_POLLIN_override
As discussed in

https://github.com/warmcat/libwebsockets/issues/3219
2024-09-30 12:49:08 +01:00
Andy Green
78a6d17aa2 mbedtls: provide declaration if ge 3.5
https://github.com/warmcat/libwebsockets/issues/3169
2024-09-29 11:50:00 +01:00
Andy Green
9e0bc9e259 openssl: allow custom SSL_CTX with GLOBAL_INIT unset 2024-09-23 13:11:40 +01:00
Andy Green
c0267eceec tls: openssl: ensure actual error first 2024-09-23 07:00:29 +01:00
Seo Suchan
9ba1504d01 mbedtls: fix compile on mbedtls 3.6+
They moved mbedtls_x509_get_name into the internal zone.

Signed-off-by: Seo Suchan <tjtncks@gmail.com>
2024-05-07 13:49:23 +01:00
makejian
0d76f0950a mbedtls_wrapper: Modify 'd2i_X509' with standard declaration in openssl
https://github.com/warmcat/libwebsockets/pull/3095

Signed-off-by: makejian <makejian@xiaomi.com>
2024-03-18 12:50:30 +00:00
Liu Dongmiao
e38e85e71f wolfssl: fix build 2024-03-07 09:49:41 +00:00
AD001\z0048zxj
4f3ce6458b openssl: support SSLKEYLOGFILE server secret logging 2024-02-16 15:45:45 +00:00
Andy Green
837db622eb clean: avoid maybe-uninitialized
https://github.com/warmcat/libwebsockets/issues/3049
2024-01-16 07:15:30 +00:00
Andy Green
638558a4db openssl: only use pc libs if no find_package 2024-01-15 09:18:48 +00:00
Fabrice Fontaine
f18fc2316f lib/tls/CMakeLists.txt: fix wolfssl build with pkg-config 2023-12-27 06:36:59 +00:00
zzblydia
5442cf7ebf cmake: ssl lib paths
replace PC_OPENSSL_LIBRARIES with PC_OPENSSL_LINK_LIBRARIES to link library with absolute path.
2023-11-23 09:45:12 +00:00
Khem Raj
a07699d269 gcc: fix mbedtls missing enum
bcd970fb4f
2023-11-23 09:45:12 +00:00
Andy Green
26c3f9a01b tls: mbedtls-3.5.0: correct privkey size 2023-11-05 08:25:59 +00:00
Andy Green
407f88615f mbedtls: if we have tls1.2 only accept exactly that 2023-11-02 09:57:32 +00:00
Andy Green
2da771b129 cmake: mbedtls: mbedtls_ssl_conf_alpn_protocols check 2023-11-02 09:55:50 +00:00
Andy Green
e71398c02a mbedtls: auto adapt to changed session constant 2023-10-31 10:51:20 +00:00
Nate Karstens
d4c9158d88 openssl: Add lws ctx ref to client vhost's SSL_CTX
Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like they currently do for servers.

Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
2023-10-24 07:00:13 +01:00
Audric Schiltknecht
5736786391 openssl: Properly report OpenSSL error in lws_tls_client_connect
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
2023-10-21 07:00:01 +01:00
Daniel Danzberger
4144c1e61b mbedtls-server: Fix broken client verification
This fixes clients being able to connect with a certificate that was not
signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.

The issue only appeared when a client connects via IP address directly and
not using a hostname.

When the hostname was used to connect, the SNI callback 'lws_mbedtls_sni_cb'
overwrote the invalid verify mode of
MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by
calling SSL_set_SSL_CTX.

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
2023-09-28 11:06:05 +01:00
Andy Green
f9d1f25abe openssl-server: enum vs int disagreement
https://github.com/warmcat/libwebsockets/issues/2907
2023-06-14 07:14:51 +01:00
Sylvain Saunier
6a55f448e2 tls: alpn for client 2022-09-18 08:18:22 +01:00
Damian Hobson-Garcia
a5ea6eabca remove LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY callback
When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
2022-09-18 06:13:47 +01:00
Fabrice Fontaine
c83cf48b90 lib/tls/CMakeLists.txt: fix build without threads
openssl can be built without threads resulting in the following build
failure:

-- Looking for HMAC_CTX_new
-- Looking for HMAC_CTX_new - not found

[...]

In file included from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets.h:661,
                 from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/core/./private-lib-core.h:140,
                 from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/plat/unix/unix-misc.c:28:
/home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets/lws-genhash.h:85:18: error: field 'ctx' has incomplete type
   85 |         HMAC_CTX ctx;
      |                  ^~~

To fix this build failure, don't unconditionally add pthread if openssl
has been found through pkg-config as openssl.pc will contain the
appropriate dependencies (i.e. -lpthread but also -lz or -latomic)

Fixes:
 - http://autobuild.buildroot.org/results/2ae9e3249b6fcc9e6c30e7783e264fc6599e61df

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-06-14 07:37:03 +01:00
Andy Green
19d9869af6 lejp: increase default complexity limits 2022-06-14 07:36:57 +01:00
Andy Green
ab7937f2bc mbedtls: some versions need x509 overallocation 2022-04-23 07:39:43 +01:00
Fabrice Fontaine
079726c4b2 tls: cmake: add wolfssl pkg-config support
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95

This will avoid manually setting LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-04-22 07:41:11 +01:00
orefkov
edf670a3e6 acme: update for v2
https://github.com/warmcat/libwebsockets/issues/2609

AG: api logging updates
2022-04-11 06:39:55 +01:00
Andy Green
24fdd1f225 base64: improve sanity checking
Improve rejection of invalid chars
2022-03-25 08:18:30 +00:00
Andy Green
843ee10205 mbedtls: v3.1 reverts privacy of mbedtls_net_context fd
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it.  Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
2022-03-15 10:28:09 +00:00
Poppy
6c53da692e tls: libressl: refactor set_options to work with macro implementations
Libressl uses macros for set_options(), causing compilation failure.
Refactor the related code to work well with macro definitions for
these apis.

https://github.com/warmcat/libwebsockets/issues/2554
2022-03-15 10:28:09 +00:00
Andy Green
ba2441585d jit-trust: adapt for esp-idf pre v3 mbedtls
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.

Make sure mbedtls tls validation is noisy and fast.

Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline.  Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
2022-03-15 10:28:09 +00:00
Andy Green
0ca97586d6 mbedtls: improve api detection
mbedtls cmake api detection was not able to work on esp-idf well.

Improve diagnostics and reaction if we ever see that again.
2022-02-01 11:09:48 +00:00
Rosen Penev
2f93a8b178 genec: show correct nid when not allowed
As noticed by gcc11 warning

https://github.com/warmcat/libwebsockets/pull/2551
2022-02-01 09:13:58 +00:00
Andy Green
5124ffe9d4 openssl: x509: truncate CN in presence of other attr
https://github.com/warmcat/libwebsockets/issues/2542
2022-01-26 11:54:08 +00:00
Andy Green
176b2ca5a1 logs: openssl session: improve detection of INFO enabled
https://github.com/warmcat/libwebsockets/issues/2540
2022-01-26 11:53:54 +00:00
Ferenc Gerlits
133063fc68 cmake: fix compilation with OpenSSL subproject
https://github.com/warmcat/libwebsockets/pull/2535
2022-01-16 10:48:16 +00:00
Andy Green
7e841130e0 coverity fixes 2022-01-16 10:48:11 +00:00
Andy Green
0dae22e4dd logging: gate_accepts: reduce verbosity 2021-12-13 19:02:56 +00:00
Andy Green
b8c4820be4 openssl: support SSLKEYLOGFILE client secret logging
This patch checks for the env var SSLKEYLOGFILE=path, if present, then
client connection tls secrets are appended into path.vhostname.

This allows decryption of captured encrypted data for debugging purposes.

The SSLKEYLOGFILE=path env var method is the same as provided by Firefox and
Chrome for this purpose.
2021-12-13 19:02:49 +00:00
Andy Green
53d195022f cmake: Enable WITH_MINIMAL_EXAMPLES by default
Although many of the examples must be run from the example directory as
cwd, everyone getting started probably wants to try the examples, cmake
knows how to do it, so let's enable it by default.
2021-11-11 11:52:46 +00:00