!!! WIP
This implements the "genec" layer wrapping mbedtls + openssl
ECDH support.
API tests are added for the parts that are implemented so far.
Stuff related to ec at all, like keys, are prefixed lws_genec_.
Stuff specific to ECDH are prefixed lws_genecdh_.
Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.
This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.
Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.
By default everything is as before.
However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.
The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.
A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
1) update the logos to svg
2) add svg icon for strict security policy where used
3) define new vhost option flag to enforce sending CSP headers
with the result code
4) add vhost option flag to minimal examples to
enforce sending CSP where applicable
5) Go through all the affecting examples confirming they
still work
6) add LWS_RECOMMENDED_MIN_HEADER_SPACE constant (currently
2048) to clarify when we need a buffer to hold headers...
with CSP the headers have become potentially a lot
larger.
https://github.com/warmcat/libwebsockets/issues/1423
If you vhost->options has the flag LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK,
then if the server is sent an upgrade request, the content of the Host: header is
required to match the vhost name + port. The port is set to the well-known values
of 80 and 443 if no :port on the host: value, depending on tls or not on the
connection.
minimal-ws-server can now take a -h flag to set this. lejp-conf (eg, lwsws) can now take
a flag strict-host-check on the vhost to enable it as well.
This builds on the new dbus role support to provide a minimal example proxy
between ws and dbus.
A client app is provided that asks the proxy to connect to libwebsockets.org
and proxy the drawing data from the mirror example there back to the dbus
client using dbus messages.
This adds support for the integrating libdbus into the lws event loop.
Unlike the other roles, lws doesn't completely adopt the fd and libdbus insists
to retain control over the fd lifecycle. However libdbus provides apis for
foreign code (lws) to provide event loop services to libdbus for the fd.
Accordingly, unlike the other roles rx and writeable are not subsumed into
lws callback messages and the events remain the property of libdbus.
A context struct wrapper is provided that is available in the libdbus
callbacks to bridge between the lws and dbus worlds, along with
a minimal example dbus client and server.
During client redirect we "reset" the wsi to the redirect address,
involving closing the current fd that was told to redirect (it will
usually be a completely different server or port).
With libuv and its two-stage close that's not trivial. This solves
the problem we will "reset" (overwrite) where the handle lives in the
wsi with new a new connection / handle by having it copied out into
an allocated watcher struct, which is freed in the uv close callback.
To confirm it the minimal ws client example gets some new options, the
original problem was replicated with this
$ lws-minimal-ws-client-echo -s invalid.url.com -p 80
https://github.com/warmcat/libwebsockets/issues/1390
