Since new roles may be incompatible with http, add support for
alpn names at the role struct, automatic generation of the
default list of alpn names that servers advertise, and the
ability to override the used alpn names per-vhost and per-
client connection.
This not only lets you modulate visibility or use of h2,
but also enables vhosts that only offer non-http roles,
as well as restricting http role vhosts to only alpn
identifiers related to http roles.
This just supports "http/1.1" alpn and lets the client know it
can use keepalive earlier if it affirmitively negotiated
"http/1.1" on alpn.
mbedTLS wrapper needed a small adaptation to also allow
per-client-ssl control of the alpn negotiation list.
This is just an internal mass change of LWS_NO_EXTENSIONS to
LWS_WITHOUT_EXTENSIONS to match the public name and eliminate
all instances of LWS_NO_EXTENSIONS.
This adds an lws cmake option that builds all the minimal examples as part of lws,
it's useful for QA.
It adds a macro to examples that depend on a particular lws configuration to understand
they should just null out their project definition in builds where the lws configuration
requirement is not met, and we are building as part of lws.
It also adapts all the example library additions to select the just-built-but-not-yet-installed
library in the case it is built as part of lws. If built standalone, it now uses the cmake
platform-abstracted way to add the library requirement too.
Using the build user and build hostname as part of the git hash breaks
reproducible builds. Make this part optional, but build reproducible by
default.
ESP32 module price is now within range of 8266 price.
ESP32 capability and OS support is hugely better than 8266,
we can support mbedtls tls, http/2 etc with ESP32.
I'm no longer testing on ESP8266... there's no more
user traffic... it's time to go.
Add LWS_EXPORT_LWSTARGETS (defaults to ON) that can be used to disable
CMake export targets as well as install export for libwebsockets.
AG: add _WITH_
1) Introduce LWS_WITH_GCOV to build with gcc / clang coverage instrumentation.
$ cd build
$ make clean && rm -f `find . -name "*.gcno" -o -name "*.gcda"` && make -j16 && sudo make install && sudo /usr/local/bin/libwebsockets-test-server -s
...
$ gcov `find . -name *.c.gcno | grep -v test-apps` -b | sed "/\.h.\$/,/^$/d"
The above are available in two helper scripts
- scripts/build-gcov.sh
- scripts/gcov.sh
2)
CMake defaults changed:
- LWS_WITH_ZIP_FOPS: OFF
- LWS_WITH_RANGES: OFF
- LWS_WITHOUT_EXTENSIONS: ON
- LWS_WITH_ZLIB: OFF
New CMake controls that default-OFF:
- LWS_WITH_GENHASH
- LWS_WITH_GENRSA
these are implied by LWS_WITH_JWS (which is implied by LWS_WITH_ACME)
3) rename ./lib/tls/XXX/server.c and client.c to XXX-server.c / XXX-client.c.
This is because gcov dumps its results using the .c filename part only,
the copies overwrite each other if there are different .c files in the tree
with the same filename part.
4) Add onetime test-client mode and test to ./test-apps/attack.sh
5) Add gcov howto in READMEs/README.build.md using attack.sh
This adds support for a plugin that can be attached to a vhost
to acquire and maintain its TLS cert automatically.
It works the same with both OpenSSL and mbedTLS backends, but
they can't share auth keys, delete the 'auth.jwk' file as it is
in the example JSON when switching between libs
apart from LWS_WITHOUT_TEST_SERVER the test server will also not be
built if LWS_WITHOUT_TESTAPPS or LWS_WITHOUT_SERVER is defined,
we update the CMake configuration to skip cert generation and
installation in those cases.
Signed-off-by: Adam Wolk <adam.wolk@koparo.com>
This adds a single api on lws that allows querying elements from the
peer certificate on a connection.
The api works the same regardless of the TLS backend.
This adds some optional apis around JSON Web Keys and JSON Web Signatures.
HMAC SHA256/384/512 and RSA + SHA256/384/512 are supported.
This also add a new "LWS_WITH_SELFTESTS" that enables the selftests.
Like the simple hashes, these work the same regardless of if the backend is
OpenSSL or mbedTLS.
Also move into ./lib/tls/ and split into two specific to mbedtls or openssl
backends.
This enables selected things from -Wextra, can't use -Wextra because it is
fussy enough to complain about unused params on functions... they are
there for a reason.
-Wsign-compare
-Wignored-qualifiers
not -Wimplicit-fallthrough=3 ... only on gcc 7
-Wtype-limits
-Wuninitialized
not -Wclobbered ... only on gcc 7ish
fix the warnings everywhere they were found.
- introduce lib/tls/mbedtls lib/tls/openssl
- move wrapper into lib/tls/mbedtls/wrapper
- introduce private helpers to hide backend
This patch doesn't replace or remove the wrapper, it moves it
to lib/tls/mbedtls/wrapper.
But it should be now that the ONLY functions directly consuming
wrapper apis are isolated in
- lib/tls/mbedtls/client.c (180 lines)
- lib/tls/mbedtls/server.c (317 lines)
- lib/tls/mbedtls/ssl.c (325 lines)
In particular there are no uses of openssl or mbedtls-related
constants outside of ./lib/tls any more.
HTTP/2 support is now able to serve the test server, complete with
websockets, from a single vhost.
- This works the same with both OpenSSL and mbedTLS.
- POST is now wired up and works (also for file upload).
- CGI is wired up and works.
- Redirect is adapted and works
- lwsws works.
- URI urldecode, sanitation and argument parsing wired up for :path
valgrind clean (aside from openssl-style false uninit data usage in mbedtls send occasionally)
h2spec reports:
$ h2spec -h 127.0.0.1 -p 7681 -t -k -o 1
...
145 tests, 145 passed, 0 skipped, 0 failed"
Incorporates:
- "https://github.com/warmcat/libwebsockets/pull/1039
Fixes issue with -Werror=unused-variable flag
- 2c843a1395
ssl: fix infinite loop on client cert verification failure
Signed-off-by: Petar Paradzik <petar.paradzik@sartura.hr>"
Caused and fixes Coverity 184887 - 184892
Almost all the CMake options begin with LWS_WITH_..., but many of the
symbols passed to lws are LWS_USE_... , this causes neededless confusion,
compounded by the fact that a few CMake options also begin with
LWS_USE_.
This patch globally converts all LWS_USE_... to LWS_WITH_..., so there
is only one prefix to remember in both CMake and the code.
The affected public CMake options are
LWS_USE_BORINGSSL -> LWS_WITH_BORINGSSL
LWS_USE_CYASSL -> LWS_WITH_CYASSL
LWS_USE_WOLFSSL -> LWS_WITH_WOLFSSL
LWS_USE_MBEDTLS -> LWS_WITH_MBEDTLS
LWS_USE_BUNDLED_ZLIB -> LWS_WITH_BUNDLED_ZLIB
Introduces an optional, settable restriction on the number of
simultaneous wsi connections and ah that a single peer IP can
obtain.
The default is disabled for build, and if enabled, unlimited.
However when enabled at CMake, setting info.ip_limit_ah and / or
info.ip_limit_wsi at context creation time will enforce the limits.
Connections past the info.ip_limit_wsi limit are dropped, and
connections needing an ah are forced to stay in the ah waiting list
even when ah are available, while the peer is at the number of
ah in info.ip_limit_ah.
