1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

229 commits

Author SHA1 Message Date
Andy Green
e502a5fb44 ss-h1: reset message state for repeated use
This lets one "opportunistic" mode http policy SS be able to be used
multiple times.
2021-09-14 05:31:29 +01:00
Yichen Gu
d90cd7be6d conmon: pass userobj to ss rx not handle 2021-08-13 05:51:37 +01:00
Jed Lu
82e2e6cb7f ss: unpick failed create using destroy
The late_bail discrete unpick flow is missing some pieces compared
to lws_ss_destroy.  Unify the creation fail flow to also use
lws_ss_destroy so everything in one place.

Make lws_ss_destroy() not issue any states if the creation flow
didn't get as far as issuing CREATING.
2021-08-13 05:49:53 +01:00
Andy Green
21697b3210 ss: handle DESTROY_ME from inside ss creation
Normally when doing a Client Connection Error handling,
we can action any ss relationship straight away since
we are in a wsi callback without any ss-aware parents
in the call stack.

But in the specific case we're doing the initial onward
wsi connection part on behalf of a ss, in fact the call
stack does have earlier  parents holding references on
the related ss.

For example

  secstream_h1 (ss-h1.c:470)                          CCE
  lws_inform_client_conn_fail (close.c:319)           fails early
  lws_client_connect_2_dnsreq (connect2.c:349)
  lws_http_client_connect_via_info2 (connect.c:71)
  lws_header_table_attach (parsers.c:291)
  rops_client_bind_h1 (ops-h1.c:1001)
  lws_client_connect_via_info (connect.c:429)         start onward connect
  _lws_ss_client_connect (secure-streams.c:859)
  _lws_ss_request_tx (secure-streams.c:1577)
  lws_ss_request_tx (secure-streams.c:1515)           request tx
  ss_cpd_state (captive-portal-detect.c:50)
  lws_ss_event_helper (secure-streams.c:408)
  lws_ss_create (secure-streams.c:1256)                SS Create

Under these conditions, we can't action the DESTROY_ME that
is coming when the CCE exhausts the retries.

This patch adds a flag that is set during the SS's onward wsi
connection attempt and causes it to stash rather than action
the result code.

The result code is brought out from the stash when we return to
_lws_ss_client_connect level, and passed up in the SS flow until
it is actioned, cleanly aborting the ss create.
2021-08-13 05:47:00 +01:00
Yichen Gu
5624659d37 conmon: only build if WITH_CONMON 2021-08-13 05:44:59 +01:00
Andy Green
c042ba8c65 mqtt: handle NULL mqtt publish metadata 2021-07-08 10:18:20 +01:00
Andy Green
eeea000ced dns: handle EAI_NONAME as fatal
This causes the blocking dns lookup to treat EAI_NONAME as immediately
fatal, this is usually caused by an assertive NXDOMAIN from the DNS server
or similar.

Not being able to reach the server should continue to retry.

In order to make the problem visible, it reports the situation using
CLIENT_CONNECTION_ERROR, even though it is still inside the outer client
creation call.
2021-07-07 08:43:56 +01:00
Andy Green
10c1b882c6 ss: check destroy null policy 2021-06-24 06:36:10 +01:00
Andy Green
e4aa3ece17 ss: check serialize null policy 2021-06-24 06:35:57 +01:00
Andy Green
4141a68f23 ss: avoid null ss policy on req tx len 2021-06-24 06:35:46 +01:00
Andy Green
de8185db9f ss: avoid null ss policy on req tx 2021-06-24 06:35:33 +01:00
Haopeng Li
526310dfea ss: h1: log dereferences NULL 2021-06-24 06:34:04 +01:00
Haopeng Li
896a2e09fc strexp: handle NULL better 2021-06-17 14:19:55 +01:00
Andy Green
e1ef230187 ss: h2: handle zero length COLON_PATH for metadata 2021-06-06 11:47:43 +01:00
Andy Green
0557e919bb sspc: handle nonexistent metadata cleanly 2021-06-06 11:47:30 +01:00
Andy Green
d155970b67 coverity: h->cwsi must be valid if we are handling rx on it 2021-06-06 11:46:51 +01:00
Jed Lu
c3dd4d05fe ss: sspc: handle destroy for client_connect and request_tx 2021-06-06 11:46:06 +01:00
Andy Green
da512b08c1 coverity: ss: handle NULL omd 2021-05-27 17:13:06 +01:00
Andy Green
d85bfb2816 ss: deal with missing handle metadata 2021-05-27 17:12:57 +01:00
Jin Wang
eef783631f sspc: handle DESTROY_ME at proxy link close cb
It's open to user state callback to respond to the DISCONNECT we issue on
the proxy link closure by escalating it to a DESTROY_ME... we have to deal
with that if it comes.
2021-05-20 15:31:36 +01:00
Andy Green
fda7294bd0 ss: h2: leave the ss bound to its affiliated wsi until close clears it
In sai, on Xenial (only...) noticed that the wsi is still bound to the ss
handle, and can reference it even after the ss has been destroyed on
ss-testsfail sometimes.

Leave the handle knowing its wsi and able to detach it later during close.
2021-05-20 14:07:11 +01:00
Andy Green
74b96f831a ss: avs: let multipart handle content-type
We added the neccessary return check on set_metadata which is good, but it
doesn't take into account that for LWA, we will normally use the multipart
stuff, that provides its own conflicting content-type.

Currently the lwa streamtype policy doesn't even provide ctype metadata
type, let's just comment it out.
2021-05-20 14:06:51 +01:00
Andy Green
afb77240ad h2: just log nwsi close and pass thru
User reports problems with the close / retry flow not happening if we don't
pass thru the nwsi close... it may be happening before the sid1 migration.

Just log it and don't end the handling before the passthru.  Logging it
because there was a reason for the change to not passing it through...
2021-04-21 19:32:03 +01:00
Andy Green
a0bebb9f67 ss: proxy: fix conn deref on onward
Trying to use the opaque pointer in the handle to point to the conn isn't
going to work when we need it to point to the ss handle.

Move it to have its on place in the handle.
2021-04-21 19:31:45 +01:00
Andy Green
5e7617ae9e ss: add test for OS trust store mdoe
It's already the case that leaving off the "tls_trust_store" member of the
streamtype definition in the policy causes the streamtype to validate its
tls connections via the OS trust store, usually a bundle OpenSSL has been
configured to load at init automagically, but also literally the OS trust
store in windows case.

Add tests to confirm that.
2021-04-15 18:43:52 +01:00
Chunho Lee
0276f3e635 ss: mqtt: Avoid CONNECTING to DISCONNECTED transition
Check previous states with 'ss_dangling_connected'.
If it did not visit CONNECTED, transit to UNREACHABLE
instead of DISCONNECTED.
2021-04-15 17:34:01 +01:00
Andy Green
402e97a679 ss: metrics: http: just report at wsi close
Defer recording the ss metrics histogram until wsi close, so it has a
chance to collect all the tags that apply.

Defer dumping metrics until the FINALIZE phase of context destroy, so we
had a chance to get any metrics recorded.
2021-04-08 06:47:54 +01:00
Haopeng
2a7ded310f ss: metrics: add result tag reflecting ss txn disposition
For http ss, add a tag result=SS_ACK_REMOTE or SS_NACK_REMOTE
2021-04-08 06:37:35 +01:00
Andy Green
42dc817d8f ss: proxy: get rx flow control working
This fixes the proxy rx flow by adding an lws_dsh helper to hide the
off-by-one in the "kind" array (kind 0 is reserved for tracking the
unallocated dsh blocks).

For testing, it adds a --blob option on minimal-secure-streams[-client]
which uses a streamtype "bulkproxflow" from here

https://warmcat.com/policy/minimal-proxy-v4.2-v2.json

		"bulkproxflow": {
			"endpoint": "warmcat.com",
			"port": 443,
			"protocol": "h1",
			"http_method": "GET",
			"http_url": "blob.bin",
			"proxy_buflen": 32768,
			"proxy_buflen_rxflow_on_above": 24576,
			"proxy_buflen_rxflow_off_below": 8192,
			"tls": true,
			"retry": "default",
			"tls_trust_store": "le_via_dst"
		}

This downloads a 51MB blob of random data with the SHA256sum

ed5720c16830810e5829dfb9b66c96b2e24efc4f93aa5e38c7ff4150d31cfbbf

The minimal-secure-streams --blob example client delays the download by
50ms every 10KiB it sees to force rx flow usage at the proxy.

It downloads the whole thing and checks the SHA256 is as expected.

Logs about rxflow status are available at LLL_INFO log level.
2021-04-07 15:54:26 +01:00
Andy Green
fdc1e1e9a5 sspc: states for proxy failure 2021-04-07 14:48:52 +01:00
Andy Green
877fcc3e4d ss: policy: atoll needed for 32-bit machines
On 32-bit Linux compilers, long int == int == 32-bit.  So even atol() cannot
handle ints above 0x7fffffff and clips any it finds at that.

There's only one instance in policy-json.c, use atoll() cast to uint64_t
to allow values up to 64-bit INT_MAX even on 32-bit machines.
2021-04-07 09:52:04 +01:00
Andy Green
3ad0a3d223 ss: server: allow bind to existing vhost
If the larger application is defining vhosts using lejp-conf JSON, it's
often more convenient to describe the vhost for ss server binding to
that.

If the server policy endpoint (usually used to describe the server
interface bind) begins with '!', take the remainder of the endpoint
string as the name of a preexisting vhost to bind ss server to at
creation-time.
2021-04-05 10:55:04 +01:00
Andy Green
d291c02a23 ss: sspc: add conmon performance telemetry
This provides a way to get ahold of LWS_WITH_CONMON telemetry from Secure
Streams, it works the same with direct onward connections or via the proxy.

You can mark streamtypes with a "perf": true policy attribute... this
causes the onward connections on those streamtypes to collect information
about the connection performance, and the unsorted DNS results.

Streams with that policy attribute receive extra data in their rx callback,
with the LWSSS_FLAG_PERF_JSON flag set on it, containing JSON describing the
performance of the onward connection taken from CONMON data, in a JSON
representation.  Streams without the "perf" attribute set never receive
this extra rx.

The received JSON is based on the CONMON struct info and looks like

{"peer":"46.105.127.147","dns_us":596,"sockconn_us":31382,"tls_us":28180,"txn_resp_us:23015,"dns":["2001:41d0:2:ee93::1","46.105.127.147"]}

A new minimal example minimal-secure-streams-perf is added that collects
this data on an HTTP GET from warmcat.com, and is built with a -client
version as well if LWS_WITH_SECURE_STREAMS_PROXY_API is set, that operates
via the ss proxy and produces the same result at the client.
2021-04-05 10:55:04 +01:00
Andy Green
51490ae6e6 Fault injection
add lws_xos: xoshiro256 PRNG
2021-04-05 10:55:04 +01:00
Andy Green
e4d381eadd metrics: increase type of us_schedule to uint64_t 2021-04-02 16:50:49 +01:00
Jed Lu
69f2ad9ced ss: allow that request_tx may get told DESTROY_ME 2021-04-01 09:09:10 +01:00
Chunho Lee
ff76604006 ss: mqtt: Wrap ACK_REMOTE to ACK_REMOTE transition with LWS_ROLE_MQTT
Wrap ACK_REMOTE to ACK_REMOTE transition with
"#if defined(LWS_ROLE_MQTT) /.../ #endif".
2021-03-31 09:39:12 +01:00
Andy Green
0c98d94481 ss: mqtt: allow ACK_REMOTE to ACK_REMOTE transition
MQTT doesn't follow http type transaction flow, so it's
quite possible to have n PUBLISH getting acked in a row.
2021-03-30 08:10:52 +01:00
Chunho Lee
25ae9facc9 mqtt: topic validation for different mqtt servers
AWS IoT enforces limits topic level and length. If 'aws_iot' is set
on the policy, the topic limits will be enforced for AWS IoT.
2021-03-30 07:38:37 +01:00
Sakthi Kannan
f3531ef673 mqtt: wildcard topic and topic to 256 chars
Adding supports to MQTT wildcard support, topic to 256 chars,
incorrect topic validation.
2021-03-30 07:38:37 +01:00
Sakthi Kannan
a088b72696 mqtt: Setting the CONNECTED state only when SUBACK is received
Setting the CONNECTED state only when SUBACK is received if the stream has
defined a subscription topic. This is to avoid SS from sending out SUBSCRIBE
right after CONNACK, even when the connection is not valid.
2021-03-30 07:38:32 +01:00
Andy Green
eda5c1b60a sai: openbsd: fix sigv4 2021-03-29 19:36:26 +01:00
Andy Green
1000a52df3 logs: prioritize WITH_NO_LOGS even in release
Really not having any logs makes it difficult to know what is really
happening, but if that's you're thing this will align debug and release
modes to just have ERR and USER if you give WITH_NO_LOGS
2021-03-15 12:56:15 +00:00
Andy Green
ad5047a687 sspc: make sure we cancel any retry 2021-03-14 19:50:08 +00:00
Andy Green
baccd5b238 ss: make sure pointer to failed ss creation is wiped out 2021-03-14 15:05:19 +00:00
Andy Green
f35a3b8969 ssproxy: break immediately after determining we will not allow the stream 2021-03-14 15:05:19 +00:00
Andy Green
4df5e015ed ssproxy: deal with lack of policy when replying with stream denied 2021-03-14 15:05:19 +00:00
Andy Green
546c151555 ss: add set_metadata that takes a heap copy and make ss-h1 use it
Until now we set metadata value pointers into the onward wsi ah data
area... that's OK until we get a situation the wsi has gone away before we
have a chance to deliver the metadata over the proxy link.

Add a variant lws_ss_alloc_set_metadata() that allocates space on the heap
and takes a copy of the input metadata.  Change ss-h1 to alloc copies of
its metadata so we no longer race the wsi ah lifetime.
2021-03-14 15:05:18 +00:00
Andy Green
4804624905 ss: force check all set_metadata returns
lws_ss_set_metadata can fail... eg, due to transient OOM situation... if it does,
caller must take appropriate action like disconnect and retry.

So mark the api as requiring the result checking, and make sure all the
examples do it.
2021-03-14 08:58:26 +00:00
Haopeng Li
108b4608f4 ss: make ss timeout handle underlying wsi gone 2021-03-13 07:16:15 +00:00