mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

335 commits

Author SHA1 Message Date
makejian
2b0c5f1653 mbedtls/ssl: free cert chain when mbedtls_client_preload_filepath enabled
Signed-off-by: makejian <makejian@xiaomi.com>
2025-03-03 07:43:17 +00:00
Andy Green
5d1947474e lws_tls_openssl_asn1time_to_unix: fix 13 char asn1 epoch
Also align to struct tm's year epoch of 1900

https://github.com/warmcat/libwebsockets/issues/3341
2025-02-24 12:52:33 +00:00
Davidovory03
e5506ade69 mbedtls: translate error codes for caller
https://github.com/warmcat/libwebsockets/issues/3315
2025-01-19 16:57:24 +00:00
Orgad Shaneh
5102a5c8d6 tls-sessions: Pass correct type for printf %u 2024-10-06 08:11:58 +01:00
Andy Green
a1ee5a2c50 mbedtls: provide declaration if ge 3.5
https://github.com/warmcat/libwebsockets/issues/3169
2024-09-29 11:50:41 +01:00
Andy Green
154bf55441 openssl: allow custom SSL_CTX with GLOBAL_INIT unset 2024-09-23 13:10:30 +01:00
Seo Suchan
c90a77f124 mbedtls: fix compile on mbedtls ge 3.6 2024-05-07 13:48:09 +01:00
Liu Dongmiao
130a446b90 wolfssl: fix build 2024-03-07 09:50:41 +00:00
zzblydia
96dffe862d cmake: ssl lib paths
replace PC_OPENSSL_LIBRARIES with PC_OPENSSL_LINK_LIBRARIES to link library with absolute path.
2023-11-19 09:06:22 +00:00
Khem Raj
59d42bcc74 gcc: fix mbedtls missing enum
bcd970fb4f
2023-11-17 07:07:35 +00:00
Andy Green
e7db2efabf mbedtls: if we have tls1.2 only accept exactly that 2023-11-07 06:40:58 +00:00
Andy Green
115571f0f3 cmake: mbedtls: mbedtls_ssl_conf_alpn_protocols check 2023-11-07 06:40:46 +00:00
Andy Green
5e060e2968 mbedtls: auto adapt to changed session constant 2023-11-07 06:40:07 +00:00
Andy Green
75b41f4a9d tls: mbedtls-3.5.0: correct privkey size 2023-11-05 08:30:54 +00:00
Nate Karstens
051dfbdb7d openssl: Add lws ctx ref to client vhost's SSL_CTX
Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like it currently does for servers.

Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
2023-10-24 07:04:08 +01:00
Audric Schiltknecht
c012b12589 openssl: Properly report OpenSSL error in lws_tls_client_connect
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
2023-10-21 07:08:18 +01:00
Andy Green
41ff4ef8ae openssl-server: enum vs int disagreement
https://github.com/warmcat/libwebsockets/issues/2907
2023-06-14 07:16:26 +01:00
Damian Hobson-Garcia
58af7b4409 From df9761a261 Mon Sep 17 00:00:00 2001
Subject: [PATCH] remove LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY callback

When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
2022-08-23 12:58:40 +01:00
Fabrice Fontaine
a5f81f8336 lib/tls/CMakeLists.txt: fix build without threads
openssl can be built without threads resulting in the following build
failure:

-- Looking for HMAC_CTX_new
-- Looking for HMAC_CTX_new - not found

[...]

In file included from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets.h:661,
                 from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/core/./private-lib-core.h:140,
                 from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/plat/unix/unix-misc.c:28:
/home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets/lws-genhash.h:85:18: error: field 'ctx' has incomplete type
   85 |         HMAC_CTX ctx;
      |                  ^~~

To fix this build failure, don't unconditionally add pthread if openssl
has been found through pkg-config as openssl.pc will contain the
appropriate dependencies (i.e. -lpthread but also -lz or -latomic)

Fixes:
 - http://autobuild.buildroot.org/results/2ae9e3249b6fcc9e6c30e7783e264fc6599e61df

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-06-14 07:50:24 +01:00
Andy Green
2d48f559f0 mbedtls: some versions need x509 overallocation 2022-05-17 15:37:16 +01:00
Fabrice Fontaine
6e997a9e70 tls: cmake: add wolfssl pkg-config support
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95

This will avoid setting manually LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-05-17 15:37:16 +01:00
orefkov
cad13a8864 acme: update for v2
https://github.com/warmcat/libwebsockets/issues/2609

AG: api logging updates
2022-05-17 15:37:16 +01:00
Andy Green
49af3742c6 mbedtls: v3.1 reverts privacy of mbedtls_net_context fd
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it.  Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
2022-05-17 15:09:20 +01:00
Poppy
ca3f639edd tls: libressl: refactor set_options to work with macro implementations
Libressl uses macros for set_options(), causing compilation failure.
Refactor the related code to work well with macro definitions for
these apis.

https://github.com/warmcat/libwebsockets/issues/2554
2022-02-09 20:12:31 +00:00
Andy Green
3f19d94040 jit-trust: adapt for esp-idf pre v3 mbedtls
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.

Make sure mbedtls tls validation is noisy and fast.

Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline.  Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
2022-02-09 20:12:31 +00:00
Andy Green
939a512413 mbedtls: improve api detection
mbedtls cmake api detection was not able to work on esp-idf well.

Improve diagnostics and reaction if we ever see that again.
2022-02-01 14:09:19 +00:00
Rosen Penev
1f9925b443 genec: show correct nid when not allowed
As noticed by gcc11 warning

https://github.com/warmcat/libwebsockets/pull/2551
2022-02-01 14:04:33 +00:00
Andy Green
f99bf7748c logs: openssl session: improve detection of INFO enabled
https://github.com/warmcat/libwebsockets/issues/2540
2022-01-27 14:31:10 +00:00
Andy Green
10a34fc43b coverity fixes 2022-01-16 13:32:09 +00:00
Ferenc Gerlits
d90361b771 cmake: fix compilation with OpenSSL subproject
https://github.com/warmcat/libwebsockets/pull/2535
2022-01-13 16:06:46 +00:00
Andy Green
6e9c25d1f7 mbedtls-x509: coverity: remove needless check
ip can't be NULL, it's set to the address of another object.
2021-11-08 11:05:28 +00:00
Andy Green
57c5a0da55 jit-trust: SAN_RFC822_NAME needs other_name union member
->san is a union, in this case we set the type to indicate we use
SAN_OTHER_NAME member, but set the unstructured_name union member, that is
smaller.

This doesn't cause any problem, since the union has space for it.  But
Coverity noticed, it is wrong, so fix it.
2021-11-08 11:05:28 +00:00
Andy Green
240cd55ef6 jit-trust: show coverity we handle NULL attribute source
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.

So explicitly check it, even though it is a NOP.
2021-11-08 11:05:28 +00:00
Andy Green
7882a6dc13 jit-trust: clean after failed mbedtls_x509_get_name
mbedtls_x509_get_name() does not clean up properly after itself in the case
of OOM on multi-segment name.  We have to add extra handling and cleaning.
2021-11-08 11:05:24 +00:00
Andy Green
4935fe9e1e openssl: remove lws_ssl_get_error_string as cruft
It's not exported, it seems nothing wants it any more
2021-11-02 07:23:28 +00:00
Andy Green
b912958a67 cmake: bring tls include requirement out as PUBLIC
There's no problem for library build, also with LWS_WITH_MINIMAL_EXAMPLES,
but after install at least on OSX, there are problems finding the installed
lws include dir (concealed on most platforms by the path being in the
default search list for the toolchain), and the references in the lws
includes to the tls includes meaning that explicit paths for that must be
available at consuming cmakes.

This patch enhances the cmake config installed by lws to deal with adding
the lws include paths to CMAKE_REQUIRED_INCLUDES and include_directories,
so it can be found before the target is introduced.

The tls include is passed back up the CMakeLists layers and the lws targets
marked with target_include_directories(PUBLIC) with them, so they are
understood as needed by consumers.

More boilerplate is moved out of the example consuming cmakes.

After this, on machines with previous installs of older lws, you may have to
clean out the cmake install path, that is usually something like

  /usr/local/lib/cmake/libwebsockets/*

before make installing lws and putting the latest content in there.
2021-10-28 10:47:12 +01:00
Felipe Gasper
ff5257e193 logs: migrate more to log context 2021-10-15 14:15:06 +01:00
Orefkov Aleksander
00b922041b mbedtls: set length even when LWS_HAVE_mbedtls_ssl_get_alpn_protocol 2021-10-12 09:46:32 +01:00
Orefkov Aleksander
c226da3e10 cmake: wrong miniz include dir + mbed link on windows 2021-10-12 09:46:28 +01:00
Tero Turtiainen
3b90c89bab tls: clear unused warning on WITHOUT_SERVER
I’ve got an error when compiling libwebsockets on Mac with -DLWS_WITHOUT_SERVER=ON:

libwebsockets/lib/tls/tls.c:98:22: error: unused variable 'cx' [-Werror,-Wunused-variable]
2021-10-06 09:22:50 +01:00
Kenneth Mastro
3d7d180eb8 wolfssl: adapt SNI for recent changes
It seems WOLFSSL_SNI_HOST_NAME is an enum in later wolfssl, use
the wolfssl define HAVE_SNI as well
2021-10-06 06:27:07 +01:00
caobug
90eb83a307 tls: ensure using ssl before doing tls_shutdown 2021-10-05 07:40:17 +01:00
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overall tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Andy Green
733f0c10f0 mbedtls: fix validation
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
2021-10-05 07:09:13 +01:00
Andy Green
a8a443e645 wolfssl: update gencrypto 2021-09-08 09:42:11 +01:00
Andy Green
0c94138fd3 tls: handle WANT_WRITE via POLLOUT to POLLIN 2021-09-02 16:43:18 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypto-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
d1f3762a05 types: handle ssize_t is int 2021-08-09 17:31:16 +01:00
Yucong Sun
faf091d8cd windows: tls: make sure we are telling correct errno 2021-07-20 10:34:03 +01:00
Yucong Sun
81e54df04d cmake: tls: check correct api for availability 2021-07-20 10:34:03 +01:00