1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

76 commits

Author SHA1 Message Date
Andy Green
a58586b3a4 README.coding: update libev section 2019-12-20 18:37:17 +00:00
Andy Green
0f983d0aca lws_sul: make it clear NULL no longer valid in lws_service_fd 2019-09-12 11:14:14 +01:00
Andy Green
f12e116188 lws_retry_bo_t: generic retry backoff
Add a generic table-based backoff scheme and a helper to track the
try count and calculate the next delay in ms.

Allow lws_sequencer_t to be given one of these at creation time...
since the number of creation args is getting a bit too much
convert that to an info struct at the same time.
2019-08-05 14:47:51 +01:00
Andy Green
b6b6915837 lws_sequencer_t: allow wsi binding 2019-07-22 14:02:00 -07:00
Andy Green
d727c89d79 cmake: miniz: add as option 2019-07-03 19:46:23 +01:00
Andy Green
b3d6e28bc7 lws_sequencer 2019-06-25 12:10:18 +01:00
Andy Green
38fb0e31da lws_struct
lws_struct JSON + sqlite3 serializer and deserializer


See READMEs/README.lws_struct.md
2019-04-06 06:08:47 +08:00
Andy Green
080a72669b docs: add READMEs/README.porting.md 2019-03-28 06:47:02 +08:00
Andy Green
9bcbefea26 docs: lws_dll and lws_dll2 documentation 3 2019-03-26 14:54:50 +08:00
Andy Green
1062370f07 unix skt: allow control over skt user:group
If you're providing a unix socket service that will be proxied / served by another
process on the same machine, the unix fd permissions on the listening unix socket fd
have to be managed so only something running under the server credentials
can open the listening unix socket.
2019-03-26 14:54:49 +08:00
Andy Green
ce1f395ead context: add info members to drop privileges using user and group name strings
Up until now if you wanted to drop privs, a numeric uid and gid had to be
given in info to control post-init permissions... this adds info.username
and info.groupname where you can do the same using user and group names.

The internal plat helper lws_plat_drop_app_privileges() is updated to directly use
context instead of info both ways it can be called, and to be able to return fatal
errors.

All failures to lookup non-0 or -1 uid or gid names from uid, or to look up
uid or gid from username or groupnames given, get an err message and fatal exit.
2019-03-26 14:54:49 +08:00
Andy Green
f8cd973f85 mingw: windows: make minimal examples build 2019-03-10 08:02:02 +08:00
Andy Green
0adc845507 lws-x509: validation functions 2018-12-31 20:35:54 +08:00
Andy Green
21889b53f7 ecdh-es
Mainly JWE support for ecdh-es and initial refactor to support multiple
recipients / signatures.
2018-12-27 06:45:32 +08:00
Andy Green
eda102e397 jwe 2018-12-27 06:45:32 +08:00
Andy Green
a3dcc95471 genec: generic ECDH crypto layer
!!! WIP

This implements the "genec" layer wrapping mbedtls + openssl
ECDH support.

API tests are added for the parts that are implemented so far.

Stuff related to ec at all, like keys, are prefixed lws_genec_.
Stuff specific to ECDH are prefixed lws_genecdh_.
2018-12-27 06:45:31 +08:00
Andy Green
ddb94d4e27 genaes: generic AES layer independent of tls library
Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.

This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.
2018-12-27 06:45:31 +08:00
Andy Green
440dacc992 JOSE: refactor and prepare for JWE
Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.
2018-12-27 06:45:31 +08:00
Andy Green
08b5ad9299 role: raw-proxy 2018-12-01 11:05:59 +08:00
Andy Green
b318877cd9 adopt: allow associated accepted vhost connections to specific role
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.

By default everything is as before.

However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.

The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.

A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
2018-12-01 11:05:59 +08:00
Andy Green
a74a966fbf ws: support basic auth
Until now basic auth only protected http actions in the protected
mount.

This extends the existing basic auth scheme to also be consulted for
ws upgrades if a "basic-auth" pvo exists on the selected protocol for
the vhost.  The value of the pvo is the usual basic auth credentials
file same as for the http case.
2018-11-28 15:06:10 +08:00
Andy Green
89eedcaa94 v3.1.0 2018-11-23 11:30:56 +08:00
Andy Green
edeb8a59fa boringssl: update 2018-11-23 10:52:39 +08:00
Andy Green
37d6116374 cmake: copy include/libwebsockets into the build dir
https://libwebsockets.org/pipermail/libwebsockets/2018-November/007745.html

This allows user code to use the build dir ./include without
having to do the make install, as a convenience.
2018-11-23 08:54:40 +08:00
Andy Green
9bed6d6fc6 clean: general whitespace cleanup 2018-11-23 08:47:56 +08:00
Andy Green
c027c3db28 docs: cleanups 2018-11-21 17:03:29 +08:00
Andy Green
d9f982a055 minimal examples: update for CSP best practices
1) update the logos to svg

2) add svg icon for strict security policy where used

3) define new vhost option flag to enforce sending CSP headers
   with the result code

4) add vhost option flag to minimal examples to
   enforce sending CSP where applicable

5) Go through all the affecting examples confirming they
   still work

6) add LWS_RECOMMENDED_MIN_HEADER_SPACE constant (currently
   2048) to clarify when we need a buffer to hold headers...
   with CSP the headers have become potentially a lot
   larger.
2018-11-21 17:03:29 +08:00
Andy Green
ac032544bf README.md: update in preparation for v3.1 2018-11-16 09:10:41 +08:00
Andy Green
0647806f4c docs: release-policy README and pics 2018-11-14 08:57:29 +08:00
Andy Green
cbb8b1d3e9 LWS_WITH_ASAN
This lets you build using the runtime Address Sanitizer in gcc.

LWS is heavily tested with valgrind routinely during development.  But ASAN
did find some theoretical-only issues with shifting, strictly ~(1 << 31) is
a signed int, it should be ~(1u << 31).  Gcc does the same for both, but it's
good to have the ability to find these.
2018-11-03 14:47:48 +08:00
Andy Green
93d4e186c2 openssl tls1.3: allow setting ciphersuites at context creation time
https://github.com/warmcat/libwebsockets/issues/1440
2018-10-27 08:05:21 +08:00
Andy Green
20fb55934b client vhost OpenSSL set and clear options
https://github.com/warmcat/libwebsockets/issues/1438
2018-10-26 13:55:36 +08:00
Andy Green
33a6034875 codacy: minor fixes 2018-10-13 08:16:27 +08:00
Andy Green
bdaa339a6e README.ci.md 2018-10-13 08:16:27 +08:00
Andy Green
df3e29ea16 README.vulnerability-reporting.md 2018-10-13 08:16:27 +08:00
Andy Green
fb2d13b462 README.contributing.md 2018-10-13 08:16:27 +08:00
Andy Green
2f8efa1082 auth: record basic auth user
This causes the WSI_TOKEN_HTTP_AUTHORIZATION content to be
replaced by the plaintext username that succeeded to be
authenticated.
2018-10-02 10:52:09 +08:00
Andy Green
fd810f198a http proxy: client: unix socket support
This allows the client stuff to understand that addresses beginning with '+'
represent unix sockets.

If the first character after the '+' is '@', it understands that the '@'
should be read as '\0', in order to use Linux "abstract namespace"
sockets.

Further the lws_parse_uri() helper is extended to understand the convention
that an address starting with + is a unix socket, and treats the socket
path as delimited by ':', eg

http://+/var/run/mysocket:/my/path

HTTP Proxy is updated to allow mounts to these unix socket paths.

Proxy connections go out on h1, but are dynamically translated to h1 or h2
on the incoming side.

Proxy usage of libhubbub is separated out... LWS_WITH_HTTP_PROXY is on by
default, and LWS_WITH_HUBBUB is off by default.
2018-09-12 13:58:13 +08:00
Andy Green
dc38eea060 docs: CSP 2018-09-12 13:58:13 +08:00
Andy Green
f6a3aa01c9 http: enlarge headers buffers since they may meet large headers from vhost config 2018-09-11 18:27:59 +08:00
Andy Green
d1f9f0ae2d libwebsockets.h: split out into a dir of sub-includes included by libwebsockets.h
This has no effect on user code or backward compatibility.

It moves the in-tree public api header libwebsockets.h from ./lib
to ./include, and introduces a dir ./include/libwebsockets/

The single public api header is split out into 31 sub-headers
in ./include/libwebsockets.  ./include/libwebsockets.h contains
some core types and platform adaptation code, but the rest of it
is now 31 #include <libwebsockets/...>

At install time, /usr/[local/]include/libwebsockets.h is installed
as before, along now with the 31 sub-headers in ...include/libwebsockets/

There's no net effect on user code.

But the api header is now much easier to maintain and study, with 31
topic-based sub headers.
2018-09-11 18:27:59 +08:00
Andy Green
5d06f610a9 travis: h2spec integration 2018-04-26 15:27:02 +08:00
Andy Green
7b227eb333 autobahn fixes
This replaces the old test-app for echo with separate client and server
minimal versions.

The autobahn test script is made more autonomous and tests both
client and server.
2018-04-22 06:45:46 +08:00
Andy Green
2a9b6f54c6 client: h2
This adds h2 http support for the client api.

The public client api requires no changes, it will detect by
ALPN if the server can handle http/2, if so, it will use it.

Multiple client connections using the lws api will be mapped on
to the same single http/2 + tls socket using http/2 streams
that are serviced simultaneously where possible.
2018-04-06 10:38:03 +08:00
Andy Green
8f19a3fa9a network interface: defer bindings to absent network interfaces
Previously down network interfaces without an IPv4 address are
removed from the posix api that lists network interfaces.

That means if you bound a vhost listen socket to a particular
interface, it will fail at startup time.

This patch adds these vhosts to a list, starts the vhost without
a listen socket, and checks to see if the vhost's network interface
has appeared while the rest of lws is running.

If it appears, the listen socket is opened on the network interface
and the vhost becomes reachable.
2018-04-06 10:38:03 +08:00
Andy Green
04e1661411 client: http1.1 pipelining 2018-04-06 10:38:03 +08:00
Fabio Alessandrelli
94f3981bef mbedtls: wrapper: client: Force mbedTLS to attemp to verify cert
AG: unlike openssl, mbedtls does not load the system trust store.
So this change will make client tls operations that work OK on openssl fail on
mbedtls unless you provide the correct CA cert.

This allows lws to distinguish between untrusted CAs, hostname
mismatches, expired certificates.

NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
will also skip hostname verification. This is somewhat a limitiation of
the current lws verification process.

AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
and add a note specific to mbedtls in the test client.  Adapt the test
client to note the CA requirement if built with mbedTLS.  Adapt the
minimal test clients to have the CAs available and use them if mbedTLS.
2018-04-06 10:38:03 +08:00
Andy Green
7cef6fcc7b udp 2018-04-06 10:38:03 +08:00
Andy Green
5acbb04b51 unixskt: add test server support and cleanup inode on exit 2018-04-06 10:38:03 +08:00
Andy Green
0d8b11d250 smp: add user pthread helpers that are NOP for LWS_SMP_MAX == 1 2018-03-02 19:19:35 +08:00