Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like it currently does for servers.
Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
This fixes clients being able to connect with a certicate that was not
signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.
The issue only appeared when a client connects via IP address directly and
not use a hostname.
When the hostname was used to connect, the SNI 'callback lws_mbedtls_sni_cb'
overwrote the invalid verfiy mode of
MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by
calling SSL_set_SSL_CTX.
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
openssl can be built without threads resulting in the following build
failure:
-- Looking for HMAC_CTX_new
-- Looking for HMAC_CTX_new - not found
[...]
In file included from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets.h:661,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/core/./private-lib-core.h:140,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/plat/unix/unix-misc.c:28:
/home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets/lws-genhash.h:85:18: error: field 'ctx' has incomplete type
85 | HMAC_CTX ctx;
| ^~~
To fix this build failure, don't unconditionally add pthread if openssl
has been found through pkg-config as openssl.pc will contain the
appropriate dependencies (i.e. -lpthread but also -lz or -latomic)
Fixes:
- http://autobuild.buildroot.org/results/2ae9e3249b6fcc9e6c30e7783e264fc6599e61df
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95
This will avoid setting manually LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it. Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.
Make sure mbedtls tls validation is noisy and fast.
Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline. Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
This patch checks for the env var SSLKEYLOGFILE=path, if present, then
client connection tls secrets are appended into path.vhostname.
This allows decryption of captured encrypted data for debugging purposes.
SSKEYLOGFILE=path env var method is the same as provided by Firefox and
Chrome for this purpose.
Although many of the examples must be run from the example directory as
cwd, everyone getting started probably wants to try the examples, cmake
knows how to do it, so let's enable it by default.
->san is a union, in this case we set the type to indicate we use
SAN_OTHER_NAME member, but set the unstructured_name union member, that is
smaller.
This doesn't cause any problem, since the union has space for it. But
Coverity noticed, it is wrong, so fix it.
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.
So explicitly check it, even though it is a NOP.
Pick some common errno constants for the platform and provide strings for
them. Replace numeric errno logging with the new api for client.
Replace any usage of strerror() in network code with the new api. For
constrained devices, this should give a small saving on .rodata.
Leave some usages in daemonize.c and unix plat where the size isn't going
to matter.
There's no problem for library build, also with LWS_WITH_MINIMAL_EXAMPLES,
but after install at least on OSX, there are problems finding the installed
lws include dir (concealed on most platforms by the path being in the
default search list for the toolchain), and the references in the lws
includes to the tls includes meaning that explicit paths for that must be
available at consuming cmakes.
This patch enhances the cmake config installed by lws to deal with adding
the lws include paths to CMAKE_REQUIRED_INCLUDES and include_directories,
so it can be found before the target is introduced.
The tls include is passed back up the CMakeLists layers and the lws targets
marked with target_include_directories(PUBLIC) with them, so they are
understood as needed by consumers.
More boilerplate is moved out of the example consuming cmakes.
After this, on machines with previous installs of older lws, you may have to
clean out the cmake install path, that is usually something like
/usr/local/lib/cmake/libwebsockets/*
before make installing lws and putting the latest content in there.
I’ve got an error when compiling libwebsockets on Mac with -DLWS_WITHOUT_SERVER=ON:
libwebsockets/lib/tls/tls.c:98:22: error: unused variable 'cx' [-Werror,-Wunused-variable]
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.
The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.
The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
