1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-23 00:00:06 +01:00
Commit graph

275 commits

Author SHA1 Message Date
Andy Green
0dd8a4a503 tls-sessions: remove no stash warning
If there's no stash, we didn't get as far as having a session, so just fail
quietly
2021-06-24 06:31:39 +01:00
Andy Green
cf2dbdc6a0 vhost: create multiple listen sockets per AF
On some platforms AF_INET and AF_INET6 must be listened for on separate
sockets.  Adapt the vhost server creation code to use the new support for
multiple listen sockets per vhost to create up to two listen sockets for
AF_INET and AF_INET6.

It refactors how the decision about the AF is made and propagated so
there's only one place for it.
2021-06-22 16:25:50 +01:00
Andy Green
6163c96727 vhost: allow multiple listen sockets
Some platforms need two sockets with AF_INET and AF_INET6 to listen to both
protocols.

This patch changes the single listen socket each vhost could previously
handle to become an lws_dll2 and adapts the related code to handle them as
a linked-list rather than as a singleton.

The next patch adapts the listen / server code to create multiple listen
wsi for vhosts listening on multiple ip protocols.
2021-06-22 15:55:47 +01:00
Andy Green
272dba8307 http: redo redirects to follow close flow
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.

This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.

h2->h2 redirects work properly after this.

The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
2021-06-22 15:55:29 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
983edafdb4 mbedtls: add AKID and SKID support 2021-06-22 15:55:29 +01:00
kekxv
c61ce6f07f cmake: tls: use CHECK_SYMBOL_EXISTS 2021-06-15 15:17:34 +01:00
Or Lupovitz
16328b1918 mbedtls: server: enforce client cert check when vhost requires 2021-05-23 14:58:07 +01:00
Andy Green
8ebe1d9323 mbedtls: prepare for v3 changes 2021-05-23 10:55:52 +01:00
ycyang1229
e76ee9cb91 mbedtls: privkey from file: fix off-by-one 2021-05-20 11:28:47 +01:00
Yichen Gu
febca16a0b lwip: handle ECONNABORTED on tls read 2021-05-17 11:34:28 +01:00
Catalin Raceanu
cf867faa46 tls: client: session cache synthetic cb 2021-04-29 20:03:41 +01:00
Yucong Sun
abada11fe1 cmake: Allow OPENSSL_INCLUDE_DIR to be empty
on some system the include dir is empty, and the detection will miss a lot of functions and fail to compile.
2021-04-29 05:29:58 +01:00
Catalin
373b50d7d1 tls-sessions: Use OpenSSL API to test if a session was reused 2021-04-27 15:42:53 +01:00
Catalin
d2a40a119e tls-sessions: Assign loaded TLS session to its intended pointer 2021-04-27 14:45:17 +01:00
Catalin
80ca71d598 Remove incorrect session ref count increment 2021-04-27 14:45:14 +01:00
Andy Green
1a6c2a634e client: tls: simplify validation fail reporting at CCE
We have access to a simplified report of the problem name for tls
validation inside the validation cb, let's bring it out and
use it for OpenSSL CCE reporting.
2021-04-15 19:10:54 +01:00
Andy Green
aa6b3f418e mbedtls: allow central trust store preload
Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.

This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
2021-04-15 19:10:54 +01:00
Mykola Stryebkov
eeed0c07d0 smp: openssl: disallow trying to clean up mutexes twice 2021-04-08 13:02:57 +01:00
Mykola Stryebkov
0d06d4bad2 windows: work well with vcpkg pthreads 2021-04-05 10:55:04 +01:00
Catalin
33f5bf2e2d tls sessions: openssl: ttl based internal expiry 2021-04-05 10:54:55 +01:00
Andy Green
9483df3b17 openssl: check for X509_VERIFY_PARAM_set1_host also using CHECK_SYMBOL_EXISTS 2021-04-04 17:20:07 +01:00
Andy Green
7451702722 tls-sessions: serialization 2021-04-04 05:45:53 +01:00
Andy Green
e2f1dd1c82 mbedtls: session cache and resume 2021-04-04 05:44:08 +01:00
Catalin
d5753b6298 tls: openssl-only: client-only: session caching 2021-04-04 05:34:11 +01:00
Andy Green
06509e287d lws_conmon: connection monitoring and stats generation
This provides a build option LWS_WITH_CONMON that lets user code recover
detailed connection stats on client connections with the LCCSCF_CONMON
flag.

In addition to latencies for dns, socket connection, tls and first protocol
response where possible, it also provides the user code an unfiltered list
of DNS responses that the client received, and the peer it actually
succeded to connect to.
2021-03-17 07:31:49 +00:00
Andreas Weigel
12d535f839 x509: support DER recovery 2021-03-13 08:06:17 +00:00
Curi0
dbc89c88ec windows: openssl: load certificates from certificate store 2021-03-12 09:25:51 +00:00
Andy Green
3f4623bb36 lws_metrics
There are a few build options that are trying to keep and report
various statistics

 - DETAILED_LATENCY
 - SERVER_STATUS
 - WITH_STATS

remove all those and establish a generic rplacement, lws_metrics.

lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.

Openmetrics export is supported, for, eg, prometheus scraping.
2021-03-08 21:47:28 +00:00
Andy Green
6d0f2500b0 windows: doesnt have #warning 2021-03-05 20:08:49 +00:00
Andy Green
9af105ebf8 sai: xenial 2021-02-28 19:05:25 +00:00
Andy Green
dc051fb2ae OpenBSD: various api ports 2021-02-17 11:39:15 +00:00
Andy Green
8e5f8491db opensslv3: handle deprecation of EC apis
openssl v3-alpha11 has marked EC_KEY pieces as deprecated... we use it in
LWS_WITH_GENCRYPTO but the related RSA etc pieces were already deprecated
for that.  We use EC_KEY pieces in vhost init...

The apis are not removed but deprecated, we should have a way to keep
trucking, but as it is the deprecation warning is promoted to an error.

Let's add LWS_SUPPRESS_DEPRECATED_API_WARNINGS option off by default.  If
enabled at cmake, external deprecated api warnings are suppressed.  This
gives a general workaround for now for opensslv3.

In addition, even if you don't do that, let's notice we are on openssl v3
and don't build the EC curve selection stuff, I don't think anyone is
actually using it anyway.
2021-02-17 11:39:15 +00:00
Andy Green
1f019f99f4 libressl: adapt type rules
Update libressl rules for options api type,
add some docs to build, use CHECK_SYMBOL_EXISTS since
CHECK_FUNCTION_EXISTS is fooled by the conditionals
in the headers
2021-02-17 11:39:15 +00:00
Jed Lu
0a453e3be3 tls: wrapper: make sure alpn freed once 2021-02-03 08:49:59 +00:00
Andy Green
334212ef2e windows: mbedtls: clean warnings 2021-01-29 21:22:35 +00:00
Andy Green
fd24392cd3 tls: add cmake options to dump tls 2021-01-23 20:58:36 +00:00
Andy Green
ffa0a38a1a openssl: acquire ex indexes once for multicontext
https://github.com/warmcat/libwebsockets/issues/2178
2021-01-23 04:55:56 +00:00
Andy Green
d5618f6059 Wconversion: workarounds for CentOS7 2021-01-22 12:25:03 +00:00
Andy Green
50d032c0f5 openssl: client ctx: track tcrs in vh object 2021-01-19 14:13:41 +00:00
Andy Green
e5b191be35 h2: post buflist: track rx_content_length
On h2 server POST, there's a race to see if the POST body is going to be
received coalesced with the headers.

The problem is on h2, we can't action the stream http request or body until
the stream is writeable, since we may start issuing the response right away;
there's already DEFERRING_ACTION state to manage this.  And indeed, the
coalesced, not-immediately-actionable POST body is buflisted properly.

However when we come to action the POST using buflisted data, we don't follow
the same pattern as dealing with the incoming data immediately.

This patch aligns the pattern dumping the buflist content to track
expected rx_content_length and handle BODY_COMPLETION if we got to
the end of it, along with removal from the pt list of wsi with pending
buflists if we used it up.
2021-01-18 19:49:02 +00:00
Andy Green
c403b129ad mbedtls: change cert load semantics to append
Adapt the wrapper for SSL_CTX_add_client_CA_ASN1 to reuse
any existing x.509 chain and just add to it.  Previously it
was replacing it.
2021-01-13 20:05:59 +00:00
Andy Green
a8d6ac8923 netbsdBE: enable ctest and fix test cert generation
NetBSD test server cert gen lacked a CN, add it for localhost

Enable Sai -j6 from -j4 for netbsdBE... it's slow but it is SMP

Add build in sai for secure-streams-proxy scenario
2021-01-05 10:56:38 +00:00
Andy Green
ce3b99cd8f clean: reduce logging and add some conditional debug helpers 2021-01-05 10:56:38 +00:00
Andy Green
c9731c5f17 type comparisons: fixes
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00
Andy Green
0ceba15d9c lws_lifecycle
This adds some new objects and helpers for keeping and logging
info on grouped allocations, a group is, eg, SS handles or client
wsis.

Allocated objects get a context-unique "tag" string intended to replace
%p / wsi pointers etc.  Pointers quickly become confusing when
allocations are freed and reused, the tag string won't repeat
until you produce 2^64 objects in a context.

In addition the tag string documents the object group, with prefixes
like "wsi-" or "vh-" and contain object-specific additional
information like the vhost name, address / port  or the role of the wsi.
At creation time the lws code can use a format string and args
to add whatever group-specific info makes sense, eg, a wsi bound
to a secure stream can also append the guid of the secure stream,
it's copied into the new object tag and so is still available
cleanly after the stream is destroyed if the wsi outlives it.
2021-01-04 05:26:50 +00:00
Andy Green
eb5f437578 h2: post: add states to wait for body 2020-12-24 16:14:36 +00:00
Andy Green
9b42fc6aae NetBSD: also need two-arg setpgid
Enable sai
2020-12-07 11:31:53 +00:00
Andy Green
8b82560014 cmake: netbsd: no libdl 2020-12-06 19:39:35 +00:00
Andy Green
44e860642b docs: switch to use main 2020-10-19 16:35:03 +01:00