Some toolchains are in some C++ version mode that objects to redefinition
of a typedef even to the same thing.
Shift a couple for function declarations in the mbedtls wrapper
part so they can piggyback on just the one typedef for their
args.
Since new roles may be incompatible with http, add support for
alpn names at the role struct, automatic generation of the
default list of alpn names that servers advertise, and the
ability to override the used alpn names per-vhost and per-
client connection.
This not only lets you modulate visibility or use of h2,
but also enables vhosts that only offer non-http roles,
as well as restricting http role vhosts to only alpn
identifiers related to http roles.
This just supports "http/1.1" alpn and lets the client know it
can use keepalive earlier if it affirmitively negotiated
"http/1.1" on alpn.
mbedTLS wrapper needed a small adaptation to also allow
per-client-ssl control of the alpn negotiation list.
AG: unlike openssl, mbedtls does not load the system trust store.
So this change will make client tls operations that work OK on openssl fail on
mbedtls unless you provide the correct CA cert.
This allows lws to distinguish between untrusted CAs, hostname
mismatches, expired certificates.
NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
will also skip hostname verification. This is somewhat a limitiation of
the current lws verification process.
AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
and add a note specific to mbedtls in the test client. Adapt the test
client to note the CA requirement if built with mbedTLS. Adapt the
minimal test clients to have the CAs available and use them if mbedTLS.
Under the condition the associated client went away (turn off WLAN at the
client), we can spin forever mistaking NET_SEND_FAILED for WANT_WRITE,
which was also true. This makes sure we understand that was fatal
immediately.
This adds a single api on lws that allows querying elements from the
peer certificate on a connection.
The api works the same regardless of the TLS backend.
1) The original wrapper logic for accounting for partial
sends on mbedtls is broken... adapt it
2) mbedtls has an additional restriction you MUST come
back to retry with EXACTLY the unsent part that you
originally asked for, or it loses coherency in the TLS
tunnel.
3) the wrapper is inconsistent between read WANT state
dynamically reported from mbedtls apis and the
SSL_want() api results. Check both on read.
- introduce lib/tls/mbedtls lib/tls/openssl
- move wrapper into lib/tls/mbedtls/wrapper
- introduce private helpers to hide backend
This patch doesn't replace or remove the wrapper, it moves it
to lib/tls/mbedtls/wrapper.
But it should be now that the ONLY functions directly consuming
wrapper apis are isolated in
- lib/tls/mbedtls/client.c (180 lines)
- lib/tls/mbedtls/server.c (317 lines)
- lib/tls/mbedtls/ssl.c (325 lines)
In particular there are no uses of openssl or mbedtls-related
constants outside of ./lib/tls any more.
