Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.
This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.
h2->h2 redirects work properly after this.
The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
Add support for dynamically determining the CAs needed to validate server
certificates. This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.
Works for both openssl and mbedtls.
See READMEs/README.jit-trust.md for the documentation
You likely want the next patch for http redirect enhancements as well.
The wilcard part was always length driven... but the check part relied on
being NUL terminated. Change that to also use a length specifier and not
need any NUL.
To migrate old uses, just add a fourth param as strlen(check).
Adapt the event lib support slighly so we can pass an event lib "plugin"
header in at context creation time, and direct all event loop handling to
go via that.
This can then be lightly adapted to interface to an existing custom event
loop cleanly, without the problems of EXTERNAL_POLL.
The external loop must consult with us about the max wait timeout as shown
in the added minimal-http-server-eventlib-custom example.
The example shows a complete implementation working with a custom poll()
loop cleanly while only needing 5 ops in the custom event lib handler.
variable 'n' is being set but it is not used anywhere, latest clang is
able to detect this and flags it
Fixes
lib/core-net/route.c:41:6: error: variable 'n' set but not used [-Werror,-Wunused-but-set-variable]
| int n = 0;
| ^
The --blob option requires GENCRYPTO that's not on by default, to handle
the hash checks... that's going to cause a lot of confusion because it
means the simplest ss example won't build by default then.
Let's remove the blob support (and GENCRYPTO dependency) from the simplest
example and make a new minimal-secure-streams-blob example that has --blob
support and the GENCRYPTO dependency as well.
this patch makes ubsan (-fsanitize-undefined-trap-on-error) happy.
let's look at the following scenario:
1. netlink sends RTM_NEWADDR/RTM_DELADDR message
2. rops_handle_POLLIN_netlink() handles message attributes as RTA_*
3. rops_handle_POLLIN_netlink() finds RTA_PRIORITY attribute and
handles it as u32 value, but it's IFA_CACHEINFO attribute in reality
and payload holds another type
4. ubsan throws SIGTRAP
so, don't handle RTM_NEWADDR/RTM_DELADDR attributes as RTA_*
It's open to user state callback to respond to the DISCONNECT we issue on
the proxy link closure by escalating it to a DESTROY_ME... we have to deal
with that if it comes.
At init-time, PROTOCOL_INIT needs to be sent to each vhost-protocol
combination to give them a chance to instantiate themselves.
PROTOCOL_INIT can be deferred a bit, and since its subject is per vhost,
which has no tsi affinity, in SMP case, its current use of context->pt[0]
fakewsi can clash with other stuff happening simultaneously, eg,
CANCEL_SERVICE broadcast, which happens on each pt.
Solve this by changing PROTOCOL_INIT to use an on-stack fakewsi that cannot
clash with any other service loop use of them.
Take care about using a full fake wsi or an lws_a fakewsi if PLAT_FREERTOS.
