The mbedTLS / OpenSSL wrapper spins for the duration of the
handshake, which is a slow 31ms on my x86_64 box (by comparison
it's ~1ms on actual OpenSSL on the same box).
This doesn't change the 31ms but it stops us spinning during the
accept and has us retry on POLLIN instead like OpenSSL.
Note this also fixes the endemic mismatches in returncode
between mbedTLS and OpenSSL semantics...
For some targets like ESP32, the ah pool is mainly sitting idle wasting memory.
For HTTP/2, if the client sends a series of pipelined headers on different SIDs
that exist simultaneously, there is no way to stall the headers to wait for an
ah, because we must read the stream for stuff like WINDOW_UPDATE on the other
streams.
In both these cases having the ability to free unused ah completely and allocate
more dynamically if there is memory is useful, so this patch makes the ah pool
an initially-empty linked list that allocates on demand up to the "max pool
size" limit from the context info. When nobody wants an ah, it is freed (if
someone was waiting for it, it is directly reused).
For ESP32 it means no large, permanent alloc when lws starts and dynamic alloc
according to how many streams the client opens, which can be controlled by
SETTINGS.
This adds the necessary OpenSSL Apis to the mbedTLS openssl wrapper
to allow ALPN negotiation OpenSSL-style.
The OpenSSL upgrade list format is supported and converted to mbedtls
format at runtime.
Almost all the CMake options begin with LWS_WITH_..., but many of the
symbols passed to lws are LWS_USE_... , this causes neededless confusion,
compounded by the fact that a few CMake options also begin with
LWS_USE_.
This patch globally converts all LWS_USE_... to LWS_WITH_..., so there
is only one prefix to remember in both CMake and the code.
The affected public CMake options are
LWS_USE_BORINGSSL -> LWS_WITH_BORINGSSL
LWS_USE_CYASSL -> LWS_WITH_CYASSL
LWS_USE_WOLFSSL -> LWS_WITH_WOLFSSL
LWS_USE_MBEDTLS -> LWS_WITH_MBEDTLS
LWS_USE_BUNDLED_ZLIB -> LWS_WITH_BUNDLED_ZLIB
libuv .events or .pevents in the io watcher don't seem to hold the POLLIN / POLLOUT
state correctly. When POLLIN is defeated, using the rx flow control, POLLOUT seems
to go away somewhere along the line when trying to OR on to the active mask.
This has us track what we enabled outside in a container struct and use that for
the mask instead. With this rx flow control works properly with the latest mirror
using libuv (it worked fine with poll() event loop without libuv).
0 is the natural default for the info struct.
If you are not 0 (root) then you can't change to root, it will fail
without having done anything. What the user probably wanted is
just leave it as the uid/gid it was started as.
If you are 0 (root) you are already at 0 and the change has no
meaning.
Net effect is get rid of two warning logs if you left it at 0 in
the info struct and start as non-root.
Introduces an optional, settable restriction on the number of
simultaneous wsi connections and ah that a single peer IP can
obtain.
The default is disabled for build, and if enabled, unlimited.
However when enabled at CMake, setting info.ip_limit_ah and / or
info.ip_limit_wsi at context creation time will enforce the limits.
Connections past the info.ip_limit_wsi limit are dropped, and
connections needing an ah are forced to stay in the ah waiting list
even when ah are available, while the peer is at the number of
ah in info.ip_limit_ah.
Update test-client from the deprecated server ssl members that still work for
backwards compatibility to the preferred client-specific ones.
Remove .client_ssl_... member dependency on OPENSSL
https://github.com/warmcat/libwebsockets/issues/1022
This gives you a thin api on top of your TLS library digest functions
which abstracts away whether you are using mbedtls apis or openssl
ones. Using lws_genhash... apis the same code works either way and
the dependencies on which TLS lib is hidden.
This defines the OpenSSL X509_CHECK_FLAG_...s and the set/clear
accessors. Since none of them are supported, the set / clear
accessor always does nothing and returns error.
This adds the standard OpenSSL api to get a pointer to the SSL struct's
X509_VERIFY_PARAM. We need this for the OpenSSL api to set the peer
hostname introduced in the next patch.
This a) directly discovers cgi stdout POLLUP and b) modulates rx flow control on CGI STDOUT
according to the outgoing writeable service. When the outgoing writeable service finally sees
0 read() waiting for it even though it was signalled for POLLIN, it knows it is a POLLHUP.
Critically when it sees POLLHUP like that, it leaves the rx flow control defeating any
further stdout POLLIN signalling while the rest of the CGI lifecycle completes, eliminating
busywaiting during the CGI.
