1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

154 commits

Author SHA1 Message Date
Akira Tsukamoto
9a5861cf76 jws: lws_gencrypto_jws_alg_to_definition needs sentinel
Otherwise segfault when end of array reached.
2020-03-21 07:02:27 +00:00
Andy Green
de978800f0 openssl: disallow client connections if X509_VERIFY_PARAM_set1_host absent from tls lib
https://github.com/warmcat/libwebsockets/issues/1827
2020-01-16 19:51:44 +00:00
Wojtek Kaniewski
fd70c1ac81 openssl: handle negotiation errors handling in client
If a client connects to a SSL server and the server sends handshake
alert (e.g. no matching ciphers) SSL_connect() fails, but because
SSL_ERROR_SSL return value is not handled, it's not considered a
failure. SSL_want_read() will return 1 and the client will happily wait
for more data from the server. Now if the server closes connection after
sending handshake alert, POLLIN event will be triggered,
lws_tls_client_connect() called again, but SSL_connect() will fail
without calling read(), so the client will end up consuming 100% CPU
because POLLIN will be triggered repeatedly.

Similar error handling is used in lws_tls_server_accept() and the
condition checks for SSL_ERROR_SSL. Using the same condition in
lws_tls_client_connect() fixes the problem.

Tested with OpenSSL 1.0.2k.
2019-12-19 21:32:31 +00:00
Andy Green
f4f4d25faa mbedtls: cast ecdh enum type for some toolchains 2019-11-27 07:43:55 +00:00
Andy Green
d8fa971b8a http_proxy: fix for mbedtls 2019-11-15 09:15:37 +00:00
Kristján Valur Jónsson
f958c0f03e fix integer conversions from 64 bit 2019-10-27 16:38:54 +00:00
Jakob Szumacher
d949b5529a client: LCCSCF_ALLOW_INSECURE
AG add options the minimal http client related to this
2019-09-18 10:09:43 +01:00
Andy Green
cd207447e0 COV225133: coverity false positive 2019-09-17 09:25:18 +01:00
Andy Green
6625cc059c pem_to_der: fix binary mode length handling 2019-09-16 18:19:36 +01:00
Andy Green
2fc35ef6bd stats: move to pt and improve presentation 2019-08-12 06:18:04 +01:00
Andy Green
498a4e2bd7 sul: all timed objects use a single pt sul list
wsi timeout, wsi hrtimer, sequencer timeout and vh-protocol timer
all now participate on a single sorted us list.

The whole idea of polling wakes is thrown out, poll waits ignore the
timeout field and always use infinite timeouts.

Introduce a public api that can schedule its own callback from the event
loop with us resolution (usually ms is all the platform can do).

Upgrade timeouts and sequencer timeouts to also be able to use us resolution.

Introduce a prepared fakewsi in the pt, so we don't have to allocate
one on the heap when we need it.

Directly handle vh-protocol timer if LWS_MAX_SMP == 1
2019-08-09 10:12:09 +01:00
Andy Green
3c12fd72e8 unify us sorted waits
There are quite a few linked-lists of things that want events after
some period.  This introduces a type binding an lws_dll2 for the
list and a lws_usec_t for the duration.

The wsi timeouts, the hrtimer and the sequencer timeouts are converted
to use these, also in the common event wait calculation.
2019-08-08 22:39:47 +01:00
Andy Green
45ec3ce369 lws_dll: upgrade all instances to lws_dll2
lws_dll2 removes the downsides of lws_dll and adds new features like a
running member count and explicit owner type... it's cleaner and more
robust (eg, nodes know their owner, so they can casually switch between
list owners and remove themselves without the code knowing the owner).

This deprecates lws_dll, but since it's public it allows it to continue
to be built for 4.0 release if you give cmake LWS_WITH_DEPRECATED_LWS_DLL.

All remaining internal users of lws_dll are migrated to lws_dll2.
2019-08-08 16:58:55 +01:00
Andy Green
1d954d52a3 sequencer: add second aux message arg
Since the messages are queued and then read in order from the event loop
thread, it's not generally safe to pass pointers to argument structs,
since there's no guarantee the lifetime of the thing sending the message
lasted until the sequencer read the message.

This puts pressure on the single void * argument-passed-as-value... this patch
adds a second void * argument-passed-as-value so it's more possible to put
what's needed directly in the argument.

It's also possible to alloc the argument on the heap and have the sequencer
callback free it after it has read it.
2019-08-08 09:45:09 +01:00
Andy Green
bd36962c17 openssl: add threading apis needed for 1.0.2 and earlier
In later OpenSSL, eg 1.1.1, these apis are NOPs in OpenSSL.
They are required for normal operation with multithreading
on earlier OpenSSL, eg, 1.0.2k
2019-08-02 09:47:23 +01:00
Andy Green
97e9bbbd0b mbedtls: wrapper: avoid redefine forward-typedef of X509_STORE_CTX
Some toolchains are in some C++ version mode that objects to redefinition
of a typedef even to the same thing.

Shift a couple for function declarations in the mbedtls wrapper
part so they can piggyback on just the one typedef for their
args.
2019-07-29 00:37:06 +01:00
Andy Green
00923627c0 client: add more descriptive string cases 2019-07-24 16:48:24 -07:00
Andy Green
080373f18f genhash: add MD5 2019-07-17 13:09:40 -07:00
Andy Green
8ed67dfbc5 gencrypto: aes: improve test key now openssl checks it
Latest 1.1.1c (and patches 1.1.1b on Fedora) check the AES key for entropy
and error out if bad.  Our aes-xts test key was a by-hand pattern repeated 4
times and OpenSSL errors out on it.

Improve the key to a random one.
2019-07-14 15:46:47 -07:00
Andy Green
0f941152f5 COVA10157: expression is unused 2019-07-13 13:41:24 -07:00
Andy Green
fdeadbfdef COVA10663: more mbedtls_mpi_write_binary return check instances 2019-07-13 13:39:43 -07:00
Andy Green
4739c3234b COVA11294: check mpi_write_binary retcode 2019-07-13 13:28:54 -07:00
Andy Green
f60db2fff9 openssl: rename internal api for describe error stack and make it destructive again 2019-07-13 13:28:44 -07:00
Andy Green
89fd3d822e openssl: explicitly clear error queue
https://libwebsockets.org/pipermail/libwebsockets/2019-July/008033.html
2019-07-10 20:34:24 +01:00
Andy Green
e76982a090 boringssl: deal with loss of EVP_PKEY_new_mac_key
Rewrite HMAC stuff to use HMAC_ apis instead of EVP

Bit trickly since modern OpenSSL has opaque HMAC_CTX and older
OpenSSL does not have any apis to allocate and free it.

Add another cmake check for the allocation api to decide
what to do.
2019-07-09 18:18:10 +01:00
Andy Green
896de50de2 boringssl: wrong tag constant 2019-07-09 18:18:10 +01:00
Andy Green
761e7528eb boringssl: adapt to missing AES modes 2019-07-09 18:18:10 +01:00
Andy Green
23fde179f0 boringssl: fix type changes 2019-07-09 18:18:10 +01:00
Hustweimin
17920cadf5 tls: openssl: use lws pem_to_der first for mem cert
https://github.com/warmcat/libwebsockets/issues/1620
2019-07-09 07:48:35 +01:00
Andy Green
805c033b6b openssl: client certs: use info.client_ssl_private_key_password
https://github.com/warmcat/libwebsockets/issues/1599
2019-06-21 07:18:48 +01:00
Chen Xi
892cde2c71 rtos: add support for AMAZON_RTOS 2019-06-05 05:04:17 +01:00
Orgad Shaneh
10660466c1 openssl-server: Fix null dereference
Reported by GCC9.
2019-05-31 06:16:52 +08:00
Orgad Shaneh
71131adb9c tls: Fix yet another strict-aliasing issue on GCC 4.1 2019-05-30 06:03:47 +08:00
Andy Green
832fdae7fd mbedtls: correct memory cert usage
https://github.com/warmcat/libwebsockets/issues/1569
2019-05-11 08:07:27 +01:00
kzhdev
c40394f968 openssl: client: handle no tcr 2019-04-06 05:52:23 +08:00
Andy Green
ede747f1bc openssl: client: check wsi from openssl private data
v2.4 was patched to check NULL wsi in the verify callback,
nobody has reported it on later versions, but might as well
check it too.
2019-04-03 08:06:14 +08:00
Andy Green
62c5a784e3 alpn: handle ALLOW_NON_SSL_ON_SSL_PORT 2019-03-22 05:30:22 +08:00
Andy Green
462847bb6f lws_dll: remove lws_dll_lws and deprecate lws_dll_remove 2019-03-21 06:19:31 +08:00
Andy Green
30eb3e94ab openssl: gencrypto: aes gcm AAD: use EncryptUpdate or DecryptUpdate to set AAD
Until 1.1.1b OpenSSL didn't mind we were setting AAD for AES GCM
using EVP_EncryptUpdate() for both encrypt and decrypt... but now
it noticed and the bug is fixed.
2019-03-21 06:18:32 +08:00
Andy Green
45f2c9f9f8 openssl3: handle EC_POINT_get_affine_coordinates api change 2019-03-20 21:00:29 +08:00
Andy Green
555c34b044 openssl: reuse client SSL_CTX where possible
If you have multiple vhosts with client contexts enabled, under
OpenSSL each one brings in the system cert bundle.

On libwebsockets.org, there are many vhosts and the waste adds up
to about 9MB of heap.

This patch makes a sha256 from the client context configuration, and
if a suitable client context already exists on another vhost, bumps
a refcount and reuses the client context.

In the case client contexts are configured differently, a new one
is created (and is available for reuse as well).
2019-03-18 06:54:38 +08:00
Andy Green
59a2a787ee openssl: try to reduce memory usage 2019-03-16 10:17:28 +08:00
Andy Green
75c058e250 mbedtls: handle vhost without valid cert gracefully 2019-03-16 09:54:52 +08:00
Santeri Hernejärvi
5d1cd3cb4b mbedtls: Fix reads getting stuck when the socket has disconnected
We've seen this behaviour when iOS resumes from sleep:

dbg> 0x11cd03750: ssl err dbg> lws_ssl_capable_read: WANT_READ
dbg> 0x11cd03750: LWS_SSL_CAPABLE_MORE_SERVICE
dbg> SSL Capable more service
dbg> 0x11cd03750: SSL_read says -1
dbg> 0x11cd03750: ssl err 2 errno 57
dbg> lws_ssl_capable_read: WANT_READ
dbg> 0x11cd0375dbg> SSL Capable more service
dbg> 0x11cd03750: SSL_read says -1
dbg> 0x11cd03750: ssl err 2 errno 57
dbg> lws_ssl_capable_read: WANT_READ
2019-03-14 19:09:33 +08:00
Andy Green
3b65f9885b old openssl: dont build with membuffer apis 2019-03-12 11:57:43 +08:00
Andy Green
c3f30bf1fa vhost info: add memory buffer cert support 2019-03-12 11:57:43 +08:00
Andy Green
0079099f10 vhost: add pprotocols to vhost info
info.protocols works okay, but it has an annoying problem... you have to know
the type for each protocol's pss at the top level of the code, so you can set
the struct lws_protocols user_data size for it.

Lws already rewrites the protocol tables for a vhost in the case of runtime
protocol plugins... this adapts that already-existing code slightly to give
a new optional way to declare the protocol array.

Everything works as before by default, but now info.protocols may be NULL and
info.pprotocols defined instead (if that's also NULL, as it will be if you
just ignore it after memsetting to 0, then it continues to fall back to the
dummy protocol handler as before).

info.pprotocols is a NULL-termined array of pointers to lws_protocol
structs.  This can be composed at the top level of your code without knowing
anything except the name of the externally-defined lws_protocol struct(s).

The minimal example http-server-dynamic is changed to use the new scheme as
an example.
2019-03-10 08:02:02 +08:00
Andy Green
f8cd973f85 mingw: windows: make minimal examples build 2019-03-10 08:02:02 +08:00
Andy Green
30d992dbe2 clean: LWS_SSL_ENABLED use vh as the macro arg name to clarify what should be given 2019-03-10 08:02:02 +08:00
Andy Green
2d086db6e8 codacy: fixes for warnings 2019-03-10 08:02:02 +08:00