Nobody uses this from the wrapper... it brings in mbedtls_x509_crt_info()
even if you're using -ffunctionsections for a loss of about 1.7KB on Arm.
Let's chop it out...
The mbedtls openssl wrapper wants to use exports from mbedtls' net_sockets.c,
but this is only supposed to work on *nix and windows. Typically people
are using mbedtls on RTOS type platforms and to use it, net_sockets.c
needs some hacking.
Try to avoid that situation by porting the two exports we need into the
lws plat code and call from the wrapper.
Surprisingly -fdata-sections -ffunction-sections does not remove any string literals and __func__
implicit .rodata generated by the removed function's compilation.
That means potentially considerable deadweight is in the image even if the function is removed
at linktime.
This adds support for POST in both h1 and h2 queues / stream binding.
The previous queueing tried to keep the "leader" wsi who made the
actual connection around and have it act on the transaction queue
tail if it had done its own thing.
This refactors it so instead, who is the "leader" moves down the
queue and the queued guys inherit the fd, SSL * and queue from the
old leader as they take over.
This lets them operate in their own wsi identity directly and gets
rid of all the "effective wsi" checks, which was applied incompletely
and getting out of hand considering the separate lws_mux checks for
h2 and other muxed protocols alongside it.
This change also allows one wsi at a time to own the transaction for
POST. --post is added as an option to lws-minimal-http-client-multi
and 6 extra selftests with POST on h1/h2, pipelined or not and
staggered or not are added to the CI.
Now the generic lws_system blobs can cover client certs + key, let's
add support for applying one of the blob sets to a specific client
connection (rather than doing it via the vhost).
Some toolchains are in some C++ version mode that objects to redefinition
of a typedef even to the same thing.
Shift a couple for function declarations in the mbedtls wrapper
part so they can piggyback on just the one typedef for their
args.
Since new roles may be incompatible with http, add support for
alpn names at the role struct, automatic generation of the
default list of alpn names that servers advertise, and the
ability to override the used alpn names per-vhost and per-
client connection.
This not only lets you modulate visibility or use of h2,
but also enables vhosts that only offer non-http roles,
as well as restricting http role vhosts to only alpn
identifiers related to http roles.
This just supports "http/1.1" alpn and lets the client know it
can use keepalive earlier if it affirmitively negotiated
"http/1.1" on alpn.
mbedTLS wrapper needed a small adaptation to also allow
per-client-ssl control of the alpn negotiation list.
AG: unlike openssl, mbedtls does not load the system trust store.
So this change will make client tls operations that work OK on openssl fail on
mbedtls unless you provide the correct CA cert.
This allows lws to distinguish between untrusted CAs, hostname
mismatches, expired certificates.
NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
will also skip hostname verification. This is somewhat a limitiation of
the current lws verification process.
AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
and add a note specific to mbedtls in the test client. Adapt the test
client to note the CA requirement if built with mbedTLS. Adapt the
minimal test clients to have the CAs available and use them if mbedTLS.
Under the condition the associated client went away (turn off WLAN at the
client), we can spin forever mistaking NET_SEND_FAILED for WANT_WRITE,
which was also true. This makes sure we understand that was fatal
immediately.
This adds a single api on lws that allows querying elements from the
peer certificate on a connection.
The api works the same regardless of the TLS backend.
1) The original wrapper logic for accounting for partial
sends on mbedtls is broken... adapt it
2) mbedtls has an additional restriction you MUST come
back to retry with EXACTLY the unsent part that you
originally asked for, or it loses coherency in the TLS
tunnel.
3) the wrapper is inconsistent between read WANT state
dynamically reported from mbedtls apis and the
SSL_want() api results. Check both on read.
- introduce lib/tls/mbedtls lib/tls/openssl
- move wrapper into lib/tls/mbedtls/wrapper
- introduce private helpers to hide backend
This patch doesn't replace or remove the wrapper, it moves it
to lib/tls/mbedtls/wrapper.
But it should be now that the ONLY functions directly consuming
wrapper apis are isolated in
- lib/tls/mbedtls/client.c (180 lines)
- lib/tls/mbedtls/server.c (317 lines)
- lib/tls/mbedtls/ssl.c (325 lines)
In particular there are no uses of openssl or mbedtls-related
constants outside of ./lib/tls any more.