1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

335 commits

Author SHA1 Message Date
Andy Green
08b5ad9299 role: raw-proxy 2018-12-01 11:05:59 +08:00
Andy Green
b318877cd9 adopt: allow associated accepted vhost connections to specific role
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.

By default everything is as before.

However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.

The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.

A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
2018-12-01 11:05:59 +08:00
Rosen Penev
4edd5cad50 OpenSSL: fix ECC support build-time check
With at least OpenSSL 1.1.0, checking the header is not enough. OpenSSL
does provide a way to check it directly though.

Fixes compilation without ECC support.
2018-11-28 15:06:05 +08:00
Andy Green
edeb8a59fa boringssl: update 2018-11-23 10:52:39 +08:00
Andy Green
9bed6d6fc6 clean: general whitespace cleanup 2018-11-23 08:47:56 +08:00
Rosen Penev
c5d6255487 tls: Fix compile without deprecated OpenSSL APIs
These headers are included implicitly with others when deprecated APIs are enabled.
2018-11-09 08:33:04 +08:00
Andy Green
175f2a2d18 tls pending: convert to lws_dll_lws
Also add a check for pending after accept, in case pending was aggregated.
2018-11-05 14:43:50 +08:00
Andy Green
93d4e186c2 openssl tls1.3: allow setting ciphersuites at context creation time
https://github.com/warmcat/libwebsockets/issues/1440
2018-10-27 08:05:21 +08:00
Andy Green
20fb55934b client vhost OpenSSL set and clear options
https://github.com/warmcat/libwebsockets/issues/1438
2018-10-26 13:55:36 +08:00
Andy Green
38fe22e4db openssl: info log with cipher details and tls version 2018-10-20 07:54:58 +08:00
Andy Green
da444d04d1 lws_time_in_microseconds: export
Rename time_in_microseconds() and export the internal
api as lws_time_in_microseconds()
2018-10-14 06:15:36 +08:00
Andy Green
d03c57b87f quench logging 2018-10-13 08:16:27 +08:00
Andy Green
33a6034875 codacy: minor fixes 2018-10-13 08:16:27 +08:00
Andy Green
78e6d45f78 openssl: error handling align 2018-09-11 18:27:59 +08:00
Andy Green
95f3eb2980 plat: ENOTCONN 2018-09-11 18:27:59 +08:00
Andy Green
c1a1e38de0 LWS_WITH_STATS: only report ssl accept delay we have a start time for 2018-09-11 18:27:59 +08:00
Andy Green
9ad08ec9c1 LWS_WITH_STATS: clean refactor dust
https://github.com/warmcat/libwebsockets/issues/1383
2018-09-11 18:27:59 +08:00
Andy Green
d58828692e http: compression methods
Add generic http compression layer eanbled at cmake with LWS_WITH_HTTP_STREAM_COMPRESSION.

This is wholly a feature of the HTTP role (used by h1 and h2 roles) and doesn't exist
outside that context.

Currently provides 'deflate' and 'br' compression methods for server side only.

'br' requires also -DLWS_WITH_HTTP_BROTLI=1 at cmake and the brotli libraries (available in
your distro already) and dev package.

Other compression methods can be added nicely using an ops struct.

The built-in file serving stuff will use this is the client says he can handle it, and the
mimetype of the file either starts with "text/" (html and css etc) or is the mimetype of
Javascript.

zlib allocates quite a bit while in use, it seems to be around 256KiB per stream.  So this
is only useful on relatively strong servers with lots of memory.  However for some usecases
where you are serving a lot of css and js assets, it's a nice help.

The patch performs special treatment for http/1.1 pipelining, since the compression is
performed on the fly the compressed content-length is not known until the end.  So for h1
only, chunked transfer-encoding is automatically added so pipelining can continue of the
connection.

For h2 the chunking is neither supported nor required, so it "just works".

User code can also request to add a compression transform before the reply headers were
sent using the new api

LWS_VISIBLE int
lws_http_compression_apply(struct lws *wsi, const char *name,
			   unsigned char **p, unsigned char *end, char decomp);

... this allows transparent compression of dynamically generated HTTP.  The requested
compression (eg, "deflate") is only applied if the client headers indicated it was
supported, otherwise it's a NOP.

Name may be NULL in which case the first compression method in the internal table at
stream.c that is mentioned as acceptable by the client will be used.

NOTE: the compression translation, same as h2 support, relies on the user code using
LWS_WRITE_HTTP and then LWS_WRITE_HTTP_FINAL on the last part written.  The internal
lws fileserving code already does this.
2018-09-02 14:43:05 +08:00
Andy Green
d461f46a97 libwebsockets.h: clean out some boilerplate better put in core/private.h
https://github.com/warmcat/libwebsockets/issues/1370
2018-08-16 19:10:32 +08:00
Dmytro Ivanov
ff2b1eab36 tls:Implement client_ssl_ca_mem/client_ssl_ca_mem_len to load root CA certs from memory. 2018-07-17 18:25:53 +08:00
Rosen Penev
eb4cefceae openssl: Fix compile with 1.1.0 - deprecated APIs
These function have been deprecated. Keep compatibility with OpenSSL 1.0.2 as it is still supported.
2018-06-30 09:42:44 +08:00
Andy Green
ac3bd36c60 vhost_destroy: use vhost wsi reference counting to trigger destroy
This changes the vhost destroy flow to only hand off the listen
socket if another vhost sharing it, and mark the vhost as
being_destroyed.

Each tsi calls lws_check_deferred_free() once a second, if it sees
any vhost being_destroyed there, it closes all wsi on its tsi on
the same vhost, one time.

As the wsi on the vhost complete close (ie, after libuv async close
if on libuv event loop), they decrement a reference count for all
wsi open on the vhost.  The tsi who closes the last one then
completes the destroy flow for the vhost itself... it's random
which tsi completes the vhost destroy but since there are no
wsi left on the vhost, and it holds the context lock, nothing
can conflict.

The advantage of this is that owning tsi do the close for wsi
that are bound to the vhost under destruction, at a time when
they are guaranteed to be idle for service, and they do it with
both vhost and context locks owned, so no other service thread
can conflict for stuff protected by those either.

For the situation the user code may have allocations attached to
the vhost, this adds args to lws_vhost_destroy() to allow destroying
the user allocations just before the vhost is freed.
2018-06-18 09:11:46 +08:00
Andy Green
290e4f1e44 mbedtls: allow build with LWS_ROLE_WS=0 2018-05-11 16:41:34 +08:00
Andy Green
7bced4fac7 LWS_INLINE: replace all inline 2018-05-09 09:28:06 +08:00
Andy Green
412ff64be9 lws_ring: implement lagging client culling 2018-05-06 07:36:31 +08:00
Andy Green
c4dc102a0b windows: cleanup wrong and duplicated socket validity helpers
https://github.com/warmcat/libwebsockets/issues/1259
2018-05-06 07:22:25 +08:00
Andy Green
de064fd65a refactor: core code in lib/core and private-libwebsockets.h to core/private.h
This commit is coverity-clean as tested

cmake .. -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITHOUT_EXTENSIONS=1 -DLWS_WITH_ACME=1 -DLWS_WITH_LWSWS=1 -DLWS_WITH_LIBUV=1 -DLWS_WITH_HTTP2=1 -DLWS_WITHOUT_CLIENT=0 -DLWS_WITHOUT_SERVER=0 -DLWS_UNIX_SOCK=1 -DLWS_WITH_TLS=0 -DLWS_WITH_MBEDTLS=0 -DLWS_WITH_CGI=1 -DCMAKE_BUILD_TYPE=DEBUG -DLWS_WITH_GENERIC_SESSIONS=1 -DLWS_WITH_RANGES=1 -DLWS_ROLE_WS=1 -DLWS_MAX_SMP=16 -DLWS_ROLE_H1=1 -DLWS_WITH_WOLFSSL=0 -DLWS_WITH_LIBEV=0 -DLWS_WITH_LIBEVENT=1
2018-05-03 10:49:36 +08:00
Andy Green
a01ad0dd20 hrtimer: add support for libevent and libev 2018-05-02 19:27:33 +08:00
Andy Green
bce8cca042 refactor: also migrate tls to the ops struct and private.h pattern
Several new ops are planned for tls... so better to bite the bullet and
clean it out to the same level as roles + event-libs first.

Also adds a new travis target "mbedtls" and all the tests except
autobahn against mbedtls build.
2018-05-02 12:10:36 +08:00
kaleb-himes
65b68bdc70 wolfSSL updates 2018-04-28 07:55:27 +08:00
Andy Green
ac6c48d98f refactor: most preparation for -DLWS_ROLE_H1=0 2018-04-27 19:16:50 +08:00
Andy Green
7ff8f023d1 context info struct: make lws usage all const 2018-04-27 08:37:20 +08:00
Andy Green
27e86e2641 cmake: allow setting LWS_ROLE_WS
You can build lws without support for ws, with -DLWS_ROLE_WS=0.

This is thanks to the role ops isolating all the ws-specific business
in the ws role.

Also retire more test apps replaced by minmal-examples.
2018-04-25 08:42:18 +08:00
Andy Green
3f683351b3 refactor: split out private role header content
Private header stuff specific to roles should go in the
role dir and only be included if the role is enabled for
build.

Only definitions related to lws core should go in the actual
private-libwebsockets.h
2018-04-20 07:13:05 +08:00
Andy Green
8829c2f365 selftests
This converts several of the selftests to return a status in their exit code
about whether they 'worked'.

A small bash script framework is added, with a selftest.sh in the mininmal
example dirs that support it, and a ./minimal-examples/selftests.sh script
that can be run from the build dir with no args that discovers and runs all
the selftest.sh scripts underneath.

That is also integrated into travis and the enabled tests must pass now for
travis to pass.  Travis does not have a modern libuv so it can't run a
couple of tests which are nulled out if it sees it's running in travis env.
2018-04-19 16:16:48 +08:00
Andy Green
aa816e98a9 alpn: assemble defaults from roles and allow override
Since new roles may be incompatible with http, add support for
alpn names at the role struct, automatic generation of the
default list of alpn names that servers advertise, and the
ability to override the used alpn names per-vhost and per-
client connection.

This not only lets you modulate visibility or use of h2,
but also enables vhosts that only offer non-http roles,
as well as restricting http role vhosts to only alpn
identifiers related to http roles.
2018-04-19 16:15:10 +08:00
Andy Green
126be3ccf3 refactor role ops
This only refactors internal architecture and representations, the user
api is unaffected.
2018-04-11 13:39:42 +08:00
Andy Green
16e2f09710 refactor mode and states into roles and states 2018-04-06 12:22:19 +08:00
Andy Green
9a51bd0a63 LWS_TLS_CERT_INFO_OPAQUE_PUBLIC_KEY 2018-04-06 10:38:04 +08:00
Andy Green
9586acb560 Coverity 189189: client: new openssl alpn handling off-by-one 2018-04-06 10:38:04 +08:00
Andy Green
fddebfcfae QA 2018-04-06 10:38:04 +08:00
Andy Green
2a9b6f54c6 client: h2
This adds h2 http support for the client api.

The public client api requires no changes, it will detect by
ALPN if the server can handle http/2, if so, it will use it.

Multiple client connections using the lws api will be mapped on
to the same single http/2 + tls socket using http/2 streams
that are serviced simultaneously where possible.
2018-04-06 10:38:03 +08:00
Andy Green
865b2439ce mingw: also workaround ENOTCONN 2018-04-06 10:38:03 +08:00
Andy Green
b45956fcb9 client: add alpn processing on mbedtls and openssl
This just supports "http/1.1" alpn and lets the client know it
can use keepalive earlier if it affirmitively negotiated
"http/1.1" on alpn.

mbedTLS wrapper needed a small adaptation to also allow
per-client-ssl control of the alpn negotiation list.
2018-04-06 10:38:03 +08:00
Fabio Alessandrelli
94f3981bef mbedtls: wrapper: client: Force mbedTLS to attemp to verify cert
AG: unlike openssl, mbedtls does not load the system trust store.
So this change will make client tls operations that work OK on openssl fail on
mbedtls unless you provide the correct CA cert.

This allows lws to distinguish between untrusted CAs, hostname
mismatches, expired certificates.

NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
will also skip hostname verification. This is somewhat a limitiation of
the current lws verification process.

AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
and add a note specific to mbedtls in the test client.  Adapt the test
client to note the CA requirement if built with mbedTLS.  Adapt the
minimal test clients to have the CAs available and use them if mbedTLS.
2018-04-06 10:38:03 +08:00
Andy Green
3e4a1f3b0e client: choose right vh client ssl_ctx 2018-04-06 10:38:03 +08:00
Andy Green
b04708178a minimal: http-server-tls 2018-04-06 10:38:03 +08:00
Andy Green
302f8fad82 h2 ws: fixes against chrome 2018-04-06 10:38:02 +08:00
Andy Green
aae2c24678 lws_snprintf 2018-03-12 09:28:42 +08:00
Andy Green
dc15a77dfa openssl: avoid warning on versions with ECDH header 2018-03-11 18:07:16 +08:00