Add a dlo-based layout callback for use with lhp.
If lhp_dl_render() is used as the Lws Html/CSS parser callback, it
produces a display_list representation of the Html as DLOs, referencing the
appropriate CSS to drive the layout as best it can.
The display list can be rasterized on to an lws_display using the display's
state object
lds->disp->blit(lds, (uint8_t *)&dl, &box);
Add EXPECT_MORE flag to indicate that running out of input is not (yet)
indicating the end of the document. The caller should remove this flag
when it identifies that it does not have the chunk with the end of the
document: the last chunk may be zero length.
Track line numbers so the caller can infer CR, absorb CRLF -> CR.
Also add COLON_NONTERM needed for ipv6 literal addresses.
This adds an optional lws VFS layer that exposes the named dlo object
registry. So you can register a blob like a JPG named "my.jpg", and
access it on the vfs as, eg, /dlofs/my.jpg (or file:///dlofs/my.jpg
if using the SS file:// support for VFS namespace).
This adds optional display list support to lws_display, using DLOs (Display
List Objects). DLOs for rectangle / rounded rectangle (with circle as the
degenerate case), PNGs, JPEG and compressed, antialiased bitmapped fonts
and text primitives are provided.
Logical DLOs are instantiated on heap and listed into an lws_display_list
owner, DLOs handle attributes like position, bounding box, colour +
opacity, and local error diffusion backing buffer.
When the display list is complete, it can be rasterized a line at a time,
with scoped error diffusion resolved, such that no allocation for the
framebuffer is required at any point. DLOs are freed as the rasterization
moves beyond their bounding box.
Adds a platform registry binding names and other metadata to lws_display
fonts / PNGs / JPEGs. Provides registration, destruction and best match
selection apis.
The adapted upng has a very compact fully-stateful lws-aligned
implementation already.
Adapt it to also be buildable and operable standalone, and to
understand gzip headers.
Provide some apis to inflate gzip simply reusing opaque inflator
contexts from upng.
Provide an api test that inflates gzip files from stdin -> stdout
This introduces a fixed precision signed 32.32 fractional type that can
work on devices without an FPU.
The integer part works as an int32_t, the fractional part represents the
fractional proportion expressed as part of 100M, so 8 fractional decimal
digit precision which is more than enough for many applications.
Add and Sub are reasonably fast as they are scaled on to a combined
uint64_t, Multiply is a little slower as it takes four uint64_t multiplies
that are summed, and divide is expensive but accurate, done bitwise taking
up to 32 iterations involving uint64_t div and mod.
This adds apis that enable usage of compressed backtraces in heap
instrumentation.
A decompressor tool is also provided that emits a textual
call stack suitable for use with addr2line.
VFS needs some small updates... pass in the bound fops as well as the
context fops to the member callbacks. ZIP_FOPS only cared about doing
operations on the platform / context vfs to walk the ZIP file, but other
uses are valid where we are doing operation inside the bound VFS itself.
Also, stash a cx pointer into file ops struct for convenience.
Add a generic struct to manage a buflist with an incrementally-consumable
head, and helpers to deal with retiring the last segment and starting the
new head.
The lws_flow is added to using the buflist member directly, it autohandles
SS window management to try to keep the total buffered at the client to the
window member limit.
Just like there is a default protocol provided if none is specified that is
suitable for handling http GET, introduce a default SS policy that is also
suitable for the case of http GET where the user trusts the CA using the
ssl library or system trust store.
Leave the http minilex as it is, and add an improved version in lib/misc
- get a list of strings from stdin and emit C header to stdout
- support ambiguous terminals (xxx and xxx-something) correctly regardless
of introduction order
- add generic parser in lib/misc
minilex doesn't build as part of lws since it's only needed by developers,
there's a one-line build documented at a comment at the top of
lib/misc/minilex.c
This patch checks for the env var SSLKEYLOGFILE=path, if present, then
client connection tls secrets are appended into path.vhostname.
This allows decryption of captured encrypted data for debugging purposes.
SSKEYLOGFILE=path env var method is the same as provided by Firefox and
Chrome for this purpose.
These have been disabled via a preprocessor symbol with no UI to enable it
for a year or so, it looks like they are not going to be needed.
The model of in-tree auth selectable from cmake looks like it will do for
everything, or if not, the solution will probably look different to this.
lws_sequencer and lws_abstract were both false starts trying to do the
functionality of secure streams.
Since Secure Streams does a better job for both and there are no known
out-of-tree users of them, let's remove them and focus on Secure Streams.
This is a NOP for existing usecases.
At the moment the only implemented transport for serialized SS is wsi, it's
typically used with Unix Domain Sockets, but it also works over tcp the
same.
It generalizes the interface between serialized chunks and the
transport, separately for client and proxy. The wsi transport is migrated
to use the new transport ops structs.
It will then be possible to "bring your own transport", so long as it is
reliable, and in-order, both for proxy and client / sspc.
We also adapt minimal-secure-streams-binance to build the -client variant
via SS proxy as well.
LWS_ONLY_SSPC is added so libwebsockets can be produced with just sspc
client support even for tiny targets.
A new embedded minimal example for rpi pico is also provided that
demonstrates using Serialized SS over a UART to an SS proxy, to implement
the SS Binance example on the pico, even though it has no networking itself.
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.
The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.
The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.
Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey. Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.
> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.
On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
in 100 interations, average 68.7k
Add support for dynamically determining the CAs needed to validate server
certificates. This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.
Works for both openssl and mbedtls.
See READMEs/README.jit-trust.md for the documentation
You likely want the next patch for http redirect enhancements as well.
