Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.
This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.
Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.
With OpenSSL, `X509_VERIFY_PARAM_set1_host` only checks matching hostnames and alternative names that are domain-based.
This change tries calling `X509_VERIFY_PARAM_set1_ip_asc` first, which attempts to parse the hostname as an IP address (v4 or v6). If this fails, it'll fall back to the current `X509_VERIFY_PARAM_set1_host` behavior.
This provides a way to defer closing if the output buflist has
unsent content for the wsi, until the buflist is drained.
It doesn't make any assumption about the content being related
to http, so you can use it on raw.
It follows the semantics of the http transaction completed, ie
if (lws_raw_transaction_completed(wsi))
return -1
return 0;
transaction_complete includes processing for the case we are holding
an output-side buflist, and arranges for it to be sent before the
connection is actually closed.
This stops very slow links not being ablet to use git clone via
cgi mount, because the close races the flushing of the output-side
buflist and in the case the connection is bad, closes before
everything was sent.
Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.
By default everything is as before.
However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.
The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.
A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).
Until now basic auth only protected http actions in the protected
mount.
This extends the existing basic auth scheme to also be consulted for
ws upgrades if a "basic-auth" pvo exists on the selected protocol for
the vhost. The value of the pvo is the usual basic auth credentials
file same as for the http case.
With at least OpenSSL 1.1.0, checking the header is not enough. OpenSSL
does provide a way to check it directly though.
Fixes compilation without ECC support.
The retry stuff for bind failures is actually aimed at the scenarios the interface
either doesn't exist yet, or is not configured enough (having an IP) to be bindable yet.
This patch treats EADDRINUSE as fatal at vhost init.
1) update the logos to svg
2) add svg icon for strict security policy where used
3) define new vhost option flag to enforce sending CSP headers
with the result code
4) add vhost option flag to minimal examples to
enforce sending CSP where applicable
5) Go through all the affecting examples confirming they
still work
6) add LWS_RECOMMENDED_MIN_HEADER_SPACE constant (currently
2048) to clarify when we need a buffer to hold headers...
with CSP the headers have become potentially a lot
larger.
Since the NUL was always taken care of at the end of buf, the worst it could
do was log some junk. This makes it explicitly log it as oversize separately.
https://github.com/warmcat/libwebsockets/issues/1423
If you vhost->options has the flag LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK,
then if the server is sent an upgrade request, the content of the Host: header is
required to match the vhost name + port. The port is set to the well-known values
of 80 and 443 if no :port on the host: value, depending on tls or not on the
connection.
minimal-ws-server can now take a -h flag to set this. lejp-conf (eg, lwsws) can now take
a flag strict-host-check on the vhost to enable it as well.
In the now default case that THREADPOOL is enabled... not sure what OSX
will make of that as previously it blew up with -pthread on clang cmdline
at link time
