Addresses issue #2855 by allowing the parsing of the final byte when there are at least 3 bytes remaining in the buffer.
For every 4 bytes of input, a maximum of 3 bytes of output are generated when decoding the base64 string. The buffer space, therefore, only requires an additional 3 bytes of space. The code checks for space in the buffer before adding null termination.
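As an added illustration of the buffer arithmetic described above (example code written for this page, not libwebsockets' own decoder), the following decoder checks for free space before every quartet it writes and before the terminating NUL, and derives the required buffer size from the 4-in/3-out ratio. All inputs in `main` are constructed test strings; the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libwebsockets code. Each quartet of base64 input yields
 * at most 3 output bytes, so the buffer a caller needs is known from the
 * input length alone; the decoder below never writes without checking. */

/* Smallest buffer holding the decoded form of in_len base64 characters plus
 * a NUL terminator: 3 bytes per quartet + 1. */
size_t b64_decoded_capacity(size_t in_len)
{
    return (in_len / 4) * 3 + 1;
}

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode NUL-terminated base64 `in` into `out` (capacity out_size). Returns
 * the decoded length, or -1 if the input is malformed or the output plus a
 * NUL would not fit. The space check runs before each quartet is written,
 * so the final quartet is decoded only if its 1..3 bytes still fit. */
int b64_decode_checked(const char *in, unsigned char *out, size_t out_size)
{
    size_t in_len = strlen(in);
    size_t written = 0;
    size_t i;

    if (out_size == 0 || in_len % 4 != 0)   /* valid input is 4-aligned */
        return -1;

    for (i = 0; i < in_len; i += 4) {
        unsigned long acc = 0;
        size_t produce = 3;                 /* bytes this quartet yields */
        size_t k;

        /* '=' padding in the last quartet shortens its output to 2 or 1. */
        if (in[i + 3] == '=')
            produce = (in[i + 2] == '=') ? 1 : 2;
        if (produce != 3 && i + 4 != in_len) /* padding only at the end */
            return -1;

        for (k = 0; k < 4; k++) {
            int v = 0;                      /* padding contributes 0 bits */
            if (k < produce + 1) {
                v = b64_value((unsigned char)in[i + k]);
                if (v < 0)
                    return -1;
            }
            acc = (acc << 6) | (unsigned long)v;
        }

        /* Reserve room for this quartet and for the NUL written after the
         * loop: written + produce must stay strictly below out_size. */
        if (written + produce >= out_size)
            return -1;

        out[written++] = (unsigned char)((acc >> 16) & 0xff);
        if (produce > 1)
            out[written++] = (unsigned char)((acc >> 8) & 0xff);
        if (produce > 2)
            out[written++] = (unsigned char)(acc & 0xff);
    }

    out[written] = '\0';                    /* space was reserved above */
    return (int)written;
}

/* Decode into a local buffer capped at out_size and report whether the result
 * equals `expected` (same length and bytes, NUL included). */
int decodes_to(const char *in, size_t out_size, const char *expected)
{
    unsigned char buf[32];
    int n;

    if (out_size > sizeof buf)
        out_size = sizeof buf;
    n = b64_decode_checked(in, buf, out_size);
    if (n < 0)
        return 0;
    return (size_t)n == strlen(expected) &&
           memcmp(buf, expected, (size_t)n + 1) == 0;
}

int main(void)
{
    unsigned char buf[32];
    /* Constructed input: "TWFu" decodes to "Man" (3 bytes + NUL = 4). */
    int n = b64_decode_checked("TWFu", buf, sizeof buf);

    printf("decoded %d byte(s): \"%s\"\n", n, n < 0 ? "" : (char *)buf);
    printf("fits in 4: %d, fits in 3: %d\n",
           decodes_to("TWFu", 4, "Man"), decodes_to("TWFu", 3, "Man"));
    return 0;
}
```

The check `written + produce >= out_size` is the point of the commit: a quartet is written only when its output and the NUL both fit, so a buffer sized with `b64_decoded_capacity` always succeeds and an undersized one fails cleanly instead of overrunning.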
Very very occasionally on server we try to add a NULL buffer to a buflist.
Let's try dealing with that by failing (caller must always be able to
handle failure from OOM) rather than asserting.
We use warmcat dns for testing, but for a while it has become dynamic,
breaking the tests.
Fix up the affected tests with IPv4 addresses from getaddrinfo() so they
pass when they match these results.
Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like it currently does for servers.
Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
LWS_HAVE_SYS_RESOURCE_H is correctly set by lws to prevent including
sys/resource.h. However there is no corresponding guard for setrlimit (a
function from that header). This causes a build failure on platforms
which don't have sys/resource.h available.
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
Linux has a sockopt flag defined by RFC5014 that informs IPv6 systems with
SLAAC config to prefer to bind the socket to a public address instead of
any temporary private address.
This patch adds a client info flag LCCSCF_IPV6_PREFER_PUBLIC_ADDR that lets
the user indicate the client socket should be prepared with the public
address binding preference.
Currently it's only implemented on Linux.
This fixes clients being able to connect with a certificate that was not
signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.
The issue only appeared when a client connects via IP address directly and
not using a hostname.
When the hostname was used to connect, the SNI callback 'lws_mbedtls_sni_cb'
overwrote the invalid verify mode of
MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by
calling SSL_set_SSL_CTX.
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
NEWADDR was errantly deleting route entities, specifically it happened
to delete IPv6 route entries causing a disconnect of all IPv6 clients.
NEWADDR can be issued on a DHCP lease renew, which does not change any
of the routes.
Code was also cleaned up a bit, and added some helpful logging.
Fix spelling mistakes that were found while packaging mosquitto for Debian:
I: mosquitto: spelling-error-in-binary Inital Initial [usr/sbin/mosquitto]
I: mosquitto: spelling-error-in-binary witholding withholding [usr/sbin/mosquitto]
Forwarded: https://github.com/warmcat/libwebsockets/pull/2927
Signed-off-by: Philippe Coval <rzr@users.sf.net>
When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
https://oss-fuzz.com/testcase-detail/5964400971874304
The original upng code this is based on just sizes the temp buffers for 15,
but the trees can come in 19, 32, or 288 lengths. Set the buffer sizes for
the worst case.
Add some asserts to help catch any further problems more directly.
When building with clang-15, I got the following error:
```
error: variable 'm' set but not used [-Werror,-Wunused-but-set-variable]
int n, m = 0;
^
```
Let's just remove the `m` variable here; it's not used.
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>