1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

223 commits

Author SHA1 Message Date
Orgad Shaneh
ba721d7e2a cmake: mingw: fix openssl linkage
ws32 and friends must come after the openssl libs,
and pthread is required for openssl.
2020-09-17 14:28:39 +01:00
Sakthi Kannan
fcc7429983 mbedtls: use lws helper for PEM DER import 2020-09-15 07:18:33 +01:00
Andy Green
008b355166 freertos: fixes for build on atmel xdk 2020-09-03 12:49:54 +01:00
SCRockz
ad7b17f437 cmake: qnx adaptations
https://github.com/warmcat/libwebsockets/issues/2034
2020-09-03 08:18:52 +01:00
Orgad Shaneh
edb7d6ffc1 openssl: allow build with old glibc headers
strnlen requires _GNU_SOURCE prior to glibc 2.10.
2020-08-31 16:51:37 +01:00
Andy Green
fe7fdef9be clean: SSL_accept failure just needs info logging 2020-08-31 16:51:37 +01:00
Andy Green
692f269045 coverity: 62140: if newer mbedtls apis available use and check returns
mbedtls has older and newer hashing apis, if we detected the newer ones
we use them like the older ones since generally, hashing doesn't have a
way to fail for sha and md5 update etc.

Coverity objects... change it to dumbly check the retcode.
2020-08-19 07:46:21 +01:00
Andy Green
cc5fb48598 coverity: 21034: dont bother assigning shutdown api return 2020-08-18 14:00:54 +01:00
Andy Green
520befb554 coverity: 61708: privkey required for mbedtls 2020-08-18 14:00:54 +01:00
Andy Green
7b847f8315 coverity: 62212: coverity says its dead code 2020-08-18 14:00:54 +01:00
Andy Green
4cd381f933 cmake: tls: wolfssl
PARENT_SCOPE needs adjusting in a few places for wolfssl to work, and
we need a second level export of USE_WOLFSSL through lib/CMakeLists.txt

Add noi/f32 Sai build for WOLFSSL + MINIMAL_EXAMPLES
2020-08-10 15:04:10 +01:00
Andy Green
a424623dc6 docs: add README-debugging.md and provide example points for decrypted traffic handling
Some general debugging advice but also really clarify the official way of how to dump
what is going out and coming in directly from the tls tunnel, so you can see the
actual data unencrypted.
2020-07-30 16:23:59 +01:00
Andy Green
7eb36102a9 ss: server: h1, h2, ws basic support
Add initial support for defining servers using Secure Streams
policy and api semantics.

Serving h1, h2 and ws should be functional, the new minimal
example shows a combined http + SS server with an incrementing
ws message shown in the browser over tls, in around 200 lines
of user code.

NOP out anything to do with plugins, they're not currently used.

Update the docs correspondingly.
2020-07-27 12:05:24 +01:00
Andy Green
1a93e73402 fakewsi: replace with smaller substructure
Currently we always reserve a fakewsi per pt so events that don't have a related actual
wsi, like vhost-protocol-init or vhost cert init via protocol callback can make callbacks
that look reasonable to user protocol handler code expecting a valid wsi every time.

This patch splits out stuff that user callbacks often unconditionally expect to be in
a wsi, like context pointer, vhost pointer etc into a substructure, which is composed
into struct lws at the top of it.  Internal references (struct lws is opaque, so there
are only internal references) are all updated to go via the substructre, the compiler
should make that a NOP.

Helpers are added when fakewsi is used and referenced.

If not PLAT_FREERTOS, we continue to provide a full fakewsi in the pt as before,
although the helpers improve consistency by zeroing down the substructure.  There is
a huge amount of user code out there over the last 10 years that did not always have
the minimal examples to follow, some of it does some unexpected things.

If it is PLAT_FREERTOS, that is a newer thing in lws and users have the benefit of
being able to follow the minimal examples' approach.  For PLAT_FREERTOS we don't
reserve the fakewsi in the pt any more, saving around 800 bytes.  The helpers then
create a struct lws_a (the substructure) on the stack, zero it down (but it is only
like 4 pointers) and prepare it with whatever we know like the context.

Then we cast it to a struct lws * and use it in the user protocol handler call.
In this case, the remainder of the struct lws is undefined.  However the amount of
old protocol handlers that might touch things outside of the substructure in
PLAT_FREERTOS is very limited compared to legacy lws user code and the saving is
significant on constrained devices.

User handlers should not be touching everything in a wsi every time anyway, there
are several cases where there is no valid wsi to do the call with.  Dereference of
things outside the substructure should only happen when the callback reason shows
there is a valid wsi bound to the activity (as in all the minimal examples).
2020-07-20 06:28:52 +01:00
Andy Green
6b3221ffc1 mbedtls: only free crt_parse when something came back
Mbedtls mbedtls_x509_crt_parse() returns 0 for success which is good.
But it has a complicated idea about what to return on fail... if it
couldn't make even one cert from the data, then it returns a negative
return indicating the parsing problem and there is nothing to free.

If it managed to parse at least one cert, instead it retuns a positive
number indicating the number of certs it didn't parse successfully,
and there is something to free.

Adapt the code to understand this quirk.
2020-07-09 15:30:34 +01:00
Andy Green
6747ab830e content_info: make members conditional 2020-06-18 08:29:43 +01:00
Andy Green
30e6c22e14 openssl3: migrate genhmac to EVP
The low level apis for HMAC (including those only introduced at 1.1.0...)
are all deprecated in OpenSSL v3.

Let's bite the bullet and migrate to EVP, it's already existing in modern
OpenSSL and we already use it for genhash.

EVP needs a PKEY, sort that out and keep it around until the hmac is
destroyed.
2020-06-16 19:45:35 +01:00
Andy Green
2a772776a9 windows: for data exports use explicit extern
LWS_EXTERN needs to be empty for windows when declaring functions in the
headers.  But for data, it needs the explicit extern otherwise on windows
or mingw based builds, it thinks we are redeclaring the data each time.
2020-06-07 07:53:36 +01:00
Andy Green
f0c1ea801c mingw: fix for different sockfd type in udp example
As found by Sai
2020-06-06 15:53:58 +01:00
alex
5d514b35fc tls: add read client .pem or .der from memory #1941
and added read private key from mem
2020-06-06 13:09:31 +01:00
Andy Green
c0294c3e10 clean: use lws_intptr_t where needed 2020-06-03 06:48:06 +01:00
Andy Green
286cf4357a sul: multiple timer domains
Adapt the pt sul owner list to be an array, and define two different lists,
one that acts like before and is the default for existing users, and another
that has the ability to cooperate with systemwide suspend to restrict the
interval spent suspended so that it will wake in time for the earliest
thing on this wake-suspend sul list.

Clean the api a bit and add lws_sul_cancel() that only needs the sul as the
argument.

Add a flag for client creation info to indicate that this client connection
is important enough that, eg, validity checking it to detect silently dead
connections should go on the wake-suspend sul list.  That flag is exposed in
secure streams policy so it can be added to a streamtype with
"swake_validity": true

Deprecate out the old vhost timer stuff that predates sul.  Add a flag
LWS_WITH_DEPRECATED_THINGS in cmake so users can get it back temporarily
before it will be removed in a v4.2.

Adapt all remaining in-tree users of it to use explicit suls.
2020-06-02 08:37:10 +01:00
Andy Green
d5773c01be openssl-v3: deal with deprecated SSL_CTX_load_verify_locations
Add Sai for openssl-v3 and for boringssl
2020-06-02 08:37:10 +01:00
Andy Green
f98e4a845c sai: add f32 plus openssl-v3 combination 2020-06-02 08:37:10 +01:00
Andy Green
911898ad70 windows: recent win10 support Unix Domain
Allow selection of Unix Domain Sockets on windows since it is supported
for the last couple of years on windows 10

https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/

... if only they could add a full set of posix pieces to go with it
(and abstract namespace UDS which doesn't work apparently) so that
the parts dealing with uid / gid don't have to be disabled.
2020-06-02 08:37:10 +01:00
Seonah Moon
b6e215ee7f openssl: fix improper use of negative value 2020-06-02 08:37:10 +01:00
Andy Green
10146575a2 clean: turn down verbosity on some debugging printfs 2020-06-02 08:37:10 +01:00
Andy Green
b3131fdfdd cmakelist: Augean Stables refactor
Establish a new distributed CMake architecture with CMake code related to
a source directory moving to be in the subdir in its own CMakeLists.txt.
In particular, there's now one in ./lib which calls through to ones
further down the directory tree like ./lib/plat/xxx, ./lib/roles/xxx etc.

This cuts the main CMakelists.txt from 98KB -> 33KB, about a 66% reduction,
and it's much easier to maintain sub-CMakeLists.txt that are in the same
directory as the sources they manage, and conceal all the details that that
level.

Child CMakelists.txt become responsible for:

 - include_directories() definition (this is not supported by CMake
   directly, it passes it back up via PARENT_SCOPE vars in helper
   macros)

 - Addition child CMakeLists.txt inclusion, for example toplevel ->
   role -> role subdir

 - Source file addition to the build

 - Dependent library path resolution... this is now a private thing
   in the child CMakeLists.txt, it just passes back any adaptations
   to include_directories() and the LIB_LIST without filling the
   parent namespace with the details
2020-05-27 08:40:12 +01:00
Andy Green
cabe021955 esp32: shift to support latest esp-idf
Esp-idf has an improved but still kind of abused cmake-
based build system now.

If we see ESP_PLATFORM coming as a cmake var, we can know we
are being built from inside the esp-idf config system.

Leave the existing esp32 arrangements alone but triggered off
ESP_PLATFORM, adapt to use the cross toolchain file and
various quirks automatically.

In this way you can build lws a part of your project in a
much cleaner way.

Prepare a minimal esp32 test app for use in Sai

Adapt .sai.json to build for esp32
2020-05-27 08:40:12 +01:00
Andy Green
33f8e219eb tls: defer listing of pending tls wsi to be managed by tls read only
https://github.com/warmcat/libwebsockets/issues/1920
2020-05-27 08:40:12 +01:00
Andy Green
9f1d019352 CTest: migrate and deprecate existing selftest scripts
Replace the bash selftest plumbing with CTest.

To use the selftests, build with -DLWS_WITH_MINIMAL_EXAMPLES=1
and `CTEST_OUTPUT_ON_FAILURE=1 make test` or just
`make test`.

To disable tests that require internet access, also give
-DLWS_CTEST_INTERNET_AVAILABLE=0

Remove travis and appveyor scripts on master.

Remove travis and appveyor decals on README.md.
2020-05-11 15:40:13 +01:00
Steve Kyoungwon Kim
a9275d8dea BoringSSL: provide X509_VERYFY_PARAM_Set1_host length
X509_VERYFY_PARAM_Set1_host of openSSL allows the third argument, which
is the length of the hostname string, to be 0. Then, it assumes hostname
is a null-terminated C string. BoringSSL enforces the actual length to
be specified, and the hostname string should end with a null char.

Just provide the length, making both OpenSSL and BoringSSL happy.
2020-04-30 05:20:29 +01:00
Andy Green
d9f793ae12 logs: allow giving log bitfields from cmake to force build or exclusion
By default this doesn't change any existing logging behaviour at all.

But it allows you to define cmake options to force or force-disable the
build of individual log levels using new cmake option bitfields
LWS_LOGGING_BITFIELD_SET and LWS_LOGGING_BITFIELD_CLEAR.

Eg, -DLWS_LOGGING_BITFIELD_SET="(LLL_INFO)" can force INFO log level
built even in release mode.  -DLWS_LOGGING_BITFIELD_CLEAR="(LLL_NOTICE)"
will likewise remove NOTICE logging from the build regardless of
DEBUG or RELEASE mode.
2020-04-22 06:59:01 +01:00
Andy Green
a57e62d502 ctest: fixes-and-changes 2020-04-19 08:43:01 +01:00
Andy Green
e4c59e3a91 osx: mbedtls: SYSCALL and errno 35 is WANT_READ 2020-04-17 12:39:53 +01:00
Andy Green
e3d780dac6 gencrypto: windows: warnings
Coming out of increasing number of build variants on windows via Sai
2020-04-12 08:39:27 +01:00
Andy Green
39b05e7db3 mbedtls: remove mbedtls_x509_crt_info reference
Nobody uses this from the wrapper... it brings in mbedtls_x509_crt_info()
even if you're using -ffunctionsections for a loss of about 1.7KB on Arm.


Let's chop it out...
2020-03-31 11:36:47 +01:00
Andy Green
be32d0554e mbedtls: attempt to remove dependency on net_sockets.c
The mbedtls openssl wrapper wants to use exports from mbedtls' net_sockets.c,
but this is only supposed to work on *nix and windows.  Typically people
are using mbedtls on RTOS type platforms and to use it, net_sockets.c
needs some hacking.

Try to avoid that situation by porting the two exports we need into the
lws plat code and call from the wrapper.
2020-03-27 13:24:44 +00:00
Andy Green
2a7a92f4d5 mbedtls: support old 2.2-era version from xenial 2020-03-21 14:43:53 +00:00
Akira Tsukamoto
47ea968e16 jws: lws_gencrypto_jws_alg_to_definition needs sentinel
Otherwise segfault when end of array reached.
2020-03-21 14:43:53 +00:00
Andy Green
5c657e0865 wolfssl: build fixes
Solve wolfssl wrappers being defines and header path availability for cmake tests
2020-03-20 09:35:54 +00:00
Andy Green
11837db0e0 mbedtls: support older versions without net_sockets.h 2020-03-19 10:14:25 +00:00
Andy Green
5b9fe01863 build: release mode compile fixes 2020-03-10 06:45:24 +00:00
Andy Green
7efe93bb34 fallback: dont check after first ssl accept attempt 2020-03-06 10:18:43 +00:00
Andy Green
c25c37febd client: make sure all paths after connect go via tls if set 2020-03-04 12:17:49 +00:00
Andy Green
28ce32af64 client: secure streams
Secure Streams is an optional layer on top of lws that separates policy
like endpoint selection and tls cert validation into a device JSON
policy document.

Code that wants to open a client connection just specifies a streamtype name,
and no longer deals with details like the endpoint, the protocol (!) or anything
else other than payloads and optionally generic metadata; the JSON policy
contains all the details for each streamtype.  h1, h2, ws and mqtt client
connections are supported.

Logical secure streams outlive any particular connection and supports "nailed-up"
connectivity regardless of underlying connection stability.
2020-03-04 12:17:49 +00:00
Andy Green
bb1a8d37fb rtos diet: make basic auth support a config option on by default
Remove wrapper content for < tls v1.2
2020-03-04 11:00:04 +00:00
Andy Green
3c663da99e rtos diet: mbedtls: wrapper: delete unused functions
Surprisingly -fdata-sections -ffunction-sections does not remove any string literals and __func__
implicit .rodata generated by the removed function's compilation.

That means potentially considerable deadweight is in the image even if the function is removed
at linktime.
2020-03-04 11:00:04 +00:00
Andy Green
0dd23d7073 tls restriction: account for pipelining and add test 2020-03-01 08:14:43 +00:00
dzakarias
3d8fbdd3ac Added missing PKCS#7 padding/unpadding from AES-CBC in JWE 2020-02-21 17:32:41 +00:00