1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

3150 commits

Author SHA1 Message Date
t00416110
8a4b72463f ws: fix coredump of lws_create_context
Signed-off-by: t00416110 <tanyifeng1@huawei.com>
2019-01-22 18:36:02 +08:00
Andy Green
8587e164f0 jwe: strip padding after rsa-aes 2019-01-22 06:37:53 +08:00
Andy Green
043700a4b0 optee: remove build system 2019-01-15 06:59:48 +08:00
Andy Green
84a57540ab LWS_WITH_NETWORK: cmake option for no network code 2019-01-13 07:54:57 +08:00
Andy Green
9b5e45d383 client: typo in client-handshake 2019-01-13 07:54:57 +08:00
cjakeway
608d34e1b7 ws: subprotocol parsing: allow dot
https://github.com/warmcat/libwebsockets/issues/1467
2019-01-13 07:54:57 +08:00
Bitomaxsp
b4161f5e97 windows: socket keepalive valid is ms
https://github.com/warmcat/libwebsockets/issues/1477
2019-01-13 07:54:56 +08:00
Guillaume Burel
4319ffe588 Subject: [PATCH] Fix control messages are inflated
RFC7692 states that control messages should not be compressed so there is no
need to inflate these messages.

There can be a bug if a control message is received while processing a
compressed message since lws relies on the RSV bit of the first message to
inflate the rx buffer or not.
Here we also check the opcode to only inflate a message if it is a data message.

Fixes: #1470
2019-01-13 07:32:11 +08:00
Andy Green
613993300d x509-warning-fixes 2019-01-11 18:46:38 +08:00
pblemel
39e19c85f1 qnx: qnx6.5 compatibility 2019-01-11 17:14:14 +08:00
Andy Green
d2a1bbd8aa optee: other plat fixes 2019-01-11 17:14:14 +08:00
Andy Green
ad9c99a6d3 mbedtls: finer-grained enable checks and OP-TEE 2019-01-11 13:17:06 +08:00
Andy Green
4608dfc581 tls: client: also allow vhost client ctx to be initialized with in-memory certs 2019-01-11 13:17:00 +08:00
Andy Green
d995d75ffb adopt: keep most of adopt.c even with WITHOUT_SERVER 2019-01-11 13:16:59 +08:00
Andy Green
c8987a14bc adaptations 2019-01-11 13:13:19 +08:00
Andy Green
0adc845507 lws-x509: validation functions 2018-12-31 20:35:54 +08:00
Andy Green
21889b53f7 ecdh-es
Mainly JWE support for ecdh-es and initial refactor to support multiple
recipients / signatures.
2018-12-27 06:45:32 +08:00
Andy Green
eda102e397 jwe 2018-12-27 06:45:32 +08:00
Andy Green
a3dcc95471 genec: generic ECDH crypto layer
!!! WIP

This implements the "genec" layer wrapping mbedtls + openssl
ECDH support.

API tests are added for the parts that are implemented so far.

Stuff related to ec at all, like keys, are prefixed lws_genec_.
Stuff specific to ECDH are prefixed lws_genecdh_.
2018-12-27 06:45:31 +08:00
Andy Green
47e14ba34b genrsa: add OAEP and PSS and convert openssl to EVP
Wanting PSS padding on signatures triggers and avalanche of
openssl EVP conversions as the only way to do it with the
openssl public apis.
2018-12-27 06:45:31 +08:00
Andy Green
ddb94d4e27 genaes: generic AES layer independent of tls library
Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.

This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.
2018-12-27 06:45:31 +08:00
Andy Green
440dacc992 JOSE: refactor and prepare for JWE
Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.
2018-12-27 06:45:31 +08:00
Andy Green
5976e4b334 deaddrop: handle @ urldecode in delete 2018-12-27 06:43:39 +08:00
Andy Green
5092350d16 autobahn: keep doing tests until we get a 500 2018-12-19 07:10:20 +08:00
Andy Green
97aa696dc6 minimal-ws-client: fix couple of breakages 2018-12-17 19:09:13 +08:00
John Kamp
30315ec688 windows: proposed fix for CANCELLED
https://github.com/warmcat/libwebsockets/issues/1291
2018-12-07 21:13:19 +08:00
=?UTF-8?q?Samuel=20Lor=C3=A9tan?=
31d1d73f74 openssl: Allow IP-based SAN in automatic hostname check
With OpenSSL, `X509_VERIFY_PARAM_set1_host` only checks matching hostnames and alternative names that are domain-based.

This change tries calling `X509_VERIFY_PARAM_set1_ip_asc` first, which attempts to parse the hostname as an IP address (v4 or v6). If this fails, it'll fall back to the current `X509_VERIFY_PARAM_set1_host` behavior.
2018-12-07 06:00:24 +08:00
Andy Green
08b5ad9299 role: raw-proxy 2018-12-01 11:05:59 +08:00
Andy Green
d78457425d lws_raw_transaction_completed
This provides a way to defer closing if the output buflist has
unsent content for the wsi, until the buflist is drained.

It doesn't make any assumption about the content being related
to http, so you can use it on raw.

It follows the semantics of the http transaction completed, ie

     if (lws_raw_transaction_completed(wsi))
	return -1

     return 0;
2018-12-01 11:05:59 +08:00
Andy Green
43cf8bb391 wsi: opaque_user_data and accessors
Under some circumstances it's useful to tag a wsi with user
data, while still having an lws-allocated and destroyed pss.
2018-12-01 11:05:59 +08:00
Andy Green
6830f2d296 cgi: use transaction_complete when stdout goes away
transaction_complete includes processing for the case we are holding
an output-side buflist, and arranges for it to be sent before the
connection is actually closed.

This stops very slow links not being ablet to use git clone via
cgi mount, because the close races the flushing of the output-side
buflist and in the case the connection is bad, closes before
everything was sent.
2018-12-01 11:05:59 +08:00
Andy Green
b318877cd9 adopt: allow associated accepted vhost connections to specific role
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.

By default everything is as before.

However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.

The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.

A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
2018-12-01 11:05:59 +08:00
Andy Green
531ad7ee2b minimal example deaddrop 2018-12-01 11:05:59 +08:00
Andy Green
4e2eef35d4 plugin: lws deaddrop 2018-11-28 15:06:10 +08:00
Andy Green
a74a966fbf ws: support basic auth
Until now basic auth only protected http actions in the protected
mount.

This extends the existing basic auth scheme to also be consulted for
ws upgrades if a "basic-auth" pvo exists on the selected protocol for
the vhost.  The value of the pvo is the usual basic auth credentials
file same as for the http case.
2018-11-28 15:06:10 +08:00
Andy Green
110f1ecf46 post-demo: fix h2 flags 2018-11-28 15:06:10 +08:00
Andy Green
30be5cb441 lwsac: unreference: allow to be called with NULL 2018-11-28 15:06:10 +08:00
Rosen Penev
4edd5cad50 OpenSSL: fix ECC support build-time check
With at least OpenSSL 1.1.0, checking the header is not enough. OpenSSL
does provide a way to check it directly though.

Fixes compilation without ECC support.
2018-11-28 15:06:05 +08:00
Andy Green
2d245ae18e master: version to 3.1.99 2018-11-23 11:33:40 +08:00
Andy Green
89eedcaa94 v3.1.0 2018-11-23 11:30:56 +08:00
Andy Green
edeb8a59fa boringssl: update 2018-11-23 10:52:39 +08:00
Andy Green
37d6116374 cmake: copy include/libwebsockets into the build dir
https://libwebsockets.org/pipermail/libwebsockets/2018-November/007745.html

This allows user code to use the build dir ./include without
having to do the make install, as a convenience.
2018-11-23 08:54:40 +08:00
Andy Green
9bed6d6fc6 clean: general whitespace cleanup 2018-11-23 08:47:56 +08:00
Andy Green
cdd8ad702c bind: treat EADDRINUSE as fatal
The retry stuff for bind failures is actually aimed at the scenarios the interface
either doesn't exist yet, or is not configured enough (having an IP) to be bindable yet.

This patch treats EADDRINUSE as fatal at vhost init.
2018-11-22 17:58:30 +08:00
Andy Green
a1b642f4fe pmd: do not inflate 0 input length
It generates repeated byte alignments plus EOT sequences
2018-11-21 19:58:34 +08:00
Andy Green
8f2edbe822 minimal-example-pmd-corner: pmd corner case exerciser 2018-11-21 17:03:29 +08:00
Andy Green
c027c3db28 docs: cleanups 2018-11-21 17:03:29 +08:00
Andy Green
d9f982a055 minimal examples: update for CSP best practices
1) update the logos to svg

2) add svg icon for strict security policy where used

3) define new vhost option flag to enforce sending CSP headers
   with the result code

4) add vhost option flag to minimal examples to
   enforce sending CSP where applicable

5) Go through all the affecting examples confirming they
   still work

6) add LWS_RECOMMENDED_MIN_HEADER_SPACE constant (currently
   2048) to clarify when we need a buffer to hold headers...
   with CSP the headers have become potentially a lot
   larger.
2018-11-21 17:03:29 +08:00
Andy Green
ac032544bf README.md: update in preparation for v3.1 2018-11-16 09:10:41 +08:00
Andy Green
3eb329bb32 reverse proxy: correct scan length so NUL goes in right place 2018-11-15 20:16:54 +08:00