1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

274 commits

Author SHA1 Message Date
Andy Green
041baf93cf mbedtls: sessions: clean session on bail path 2021-07-10 08:28:30 +01:00
calvin2021y
439651fa7e openssl: manage _GNU_SOURCE better 2021-07-10 08:27:33 +01:00
Bing Zhao
bae99f63a3 tls: add option to serialize ssl handshake
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.

On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
  in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
  in 100 interations, average 68.7k
2021-07-07 08:49:36 +01:00
Bing Zhao
ff1b8ed0c9 tls: fix inbalanced tls restrict borrow/return calls
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.

Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
2021-07-07 08:47:37 +01:00
Andy Green
aea9d0cead tls-sessions: remove no stash warning
If there's no stash, we didn't get as far as having a session, so just fail
quietly
2021-06-24 06:37:25 +01:00
Andy Green
94c50618a4 tls: mbedtls: fix cast for dump helper 2021-06-17 14:24:32 +01:00
kekxv
cd87bc1cbe cmake: tls: use CHECK_SYMBOL_EXISTS 2021-06-17 14:21:11 +01:00
Or Lupovitz
a0bfc98edf mbedtls: server: enforce client cert check when vhost requires 2021-05-23 17:16:32 +01:00
Andy Green
6c39ba15c7 mbedtls: prepare for v3 changes 2021-05-23 17:16:20 +01:00
Yichen Gu
6c011f0530 lwip: handle ECONNABORTED on tls read 2021-05-20 14:07:35 +01:00
ycyang1229
3fa6b23a08 mbedtls: privkey from file: fix off-by-one 2021-05-20 13:33:00 +01:00
Catalin Raceanu
3ae611cdca tls: client: session cache synthetic cb 2021-05-04 15:54:32 +01:00
Yucong Sun
a27cff4c11 cmake: Allow OPENSSL_INCLUDE_DIR to be empty
on some system the include dir is empty, and the detection will miss a lot of functions and fail to compile.
2021-04-29 05:42:38 +01:00
Catalin
2fac32543a tls-sessions: Use OpenSSL API to test if a session was reused 2021-04-27 15:43:36 +01:00
Catalin
dccb61dae7 tls-sessions: Assign loaded TLS session to its intended pointer 2021-04-27 14:50:02 +01:00
Catalin
d9e044b91f Remove incorrect session ref count increment 2021-04-27 14:49:57 +01:00
Andy Green
935894f1f7 client: tls: simplify validation fail reporting at CCE
We have access to a simplified report of the problem name for tls
validation inside the validation cb, let's bring it out and
use it for OpenSSL CCE reporting.
2021-04-15 18:45:35 +01:00
Mykola Stryebkov
eeed0c07d0 smp: openssl: disallow trying to clean up mutexes twice 2021-04-08 13:02:57 +01:00
Mykola Stryebkov
0d06d4bad2 windows: work well with vcpkg pthreads 2021-04-05 10:55:04 +01:00
Catalin
33f5bf2e2d tls sessions: openssl: ttl based internal expiry 2021-04-05 10:54:55 +01:00
Andy Green
9483df3b17 openssl: check for X509_VERIFY_PARAM_set1_host also using CHECK_SYMBOL_EXISTS 2021-04-04 17:20:07 +01:00
Andy Green
7451702722 tls-sessions: serialization 2021-04-04 05:45:53 +01:00
Andy Green
e2f1dd1c82 mbedtls: session cache and resume 2021-04-04 05:44:08 +01:00
Catalin
d5753b6298 tls: openssl-only: client-only: session caching 2021-04-04 05:34:11 +01:00
Andy Green
06509e287d lws_conmon: connection monitoring and stats generation
This provides a build option LWS_WITH_CONMON that lets user code recover
detailed connection stats on client connections with the LCCSCF_CONMON
flag.

In addition to latencies for dns, socket connection, tls and first protocol
response where possible, it also provides the user code an unfiltered list
of DNS responses that the client received, and the peer it actually
succeded to connect to.
2021-03-17 07:31:49 +00:00
Andreas Weigel
12d535f839 x509: support DER recovery 2021-03-13 08:06:17 +00:00
Curi0
dbc89c88ec windows: openssl: load certificates from certificate store 2021-03-12 09:25:51 +00:00
Andy Green
3f4623bb36 lws_metrics
There are a few build options that are trying to keep and report
various statistics

 - DETAILED_LATENCY
 - SERVER_STATUS
 - WITH_STATS

remove all those and establish a generic rplacement, lws_metrics.

lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.

Openmetrics export is supported, for, eg, prometheus scraping.
2021-03-08 21:47:28 +00:00
Andy Green
6d0f2500b0 windows: doesnt have #warning 2021-03-05 20:08:49 +00:00
Andy Green
9af105ebf8 sai: xenial 2021-02-28 19:05:25 +00:00
Andy Green
dc051fb2ae OpenBSD: various api ports 2021-02-17 11:39:15 +00:00
Andy Green
8e5f8491db opensslv3: handle deprecation of EC apis
openssl v3-alpha11 has marked EC_KEY pieces as deprecated... we use it in
LWS_WITH_GENCRYPTO but the related RSA etc pieces were already deprecated
for that.  We use EC_KEY pieces in vhost init...

The apis are not removed but deprecated, we should have a way to keep
trucking, but as it is the deprecation warning is promoted to an error.

Let's add LWS_SUPPRESS_DEPRECATED_API_WARNINGS option off by default.  If
enabled at cmake, external deprecated api warnings are suppressed.  This
gives a general workaround for now for opensslv3.

In addition, even if you don't do that, let's notice we are on openssl v3
and don't build the EC curve selection stuff, I don't think anyone is
actually using it anyway.
2021-02-17 11:39:15 +00:00
Andy Green
1f019f99f4 libressl: adapt type rules
Update libressl rules for options api type,
add some docs to build, use CHECK_SYMBOL_EXISTS since
CHECK_FUNCTION_EXISTS is fooled by the conditionals
in the headers
2021-02-17 11:39:15 +00:00
Jed Lu
0a453e3be3 tls: wrapper: make sure alpn freed once 2021-02-03 08:49:59 +00:00
Andy Green
334212ef2e windows: mbedtls: clean warnings 2021-01-29 21:22:35 +00:00
Andy Green
fd24392cd3 tls: add cmake options to dump tls 2021-01-23 20:58:36 +00:00
Andy Green
ffa0a38a1a openssl: acquire ex indexes once for multicontext
https://github.com/warmcat/libwebsockets/issues/2178
2021-01-23 04:55:56 +00:00
Andy Green
d5618f6059 Wconversion: workarounds for CentOS7 2021-01-22 12:25:03 +00:00
Andy Green
50d032c0f5 openssl: client ctx: track tcrs in vh object 2021-01-19 14:13:41 +00:00
Andy Green
e5b191be35 h2: post buflist: track rx_content_length
On h2 server POST, there's a race to see if the POST body is going to be
received coalesced with the headers.

The problem is on h2, we can't action the stream http request or body until
the stream is writeable, since we may start issuing the response right away;
there's already DEFERRING_ACTION state to manage this.  And indeed, the
coalesced, not-immediately-actionable POST body is buflisted properly.

However when we come to action the POST using buflisted data, we don't follow
the same pattern as dealing with the incoming data immediately.

This patch aligns the pattern dumping the buflist content to track
expected rx_content_length and handle BODY_COMPLETION if we got to
the end of it, along with removal from the pt list of wsi with pending
buflists if we used it up.
2021-01-18 19:49:02 +00:00
Andy Green
c403b129ad mbedtls: change cert load semantics to append
Adapt the wrapper for SSL_CTX_add_client_CA_ASN1 to reuse
any existing x.509 chain and just add to it.  Previously it
was replacing it.
2021-01-13 20:05:59 +00:00
Andy Green
a8d6ac8923 netbsdBE: enable ctest and fix test cert generation
NetBSD test server cert gen lacked a CN, add it for localhost

Enable Sai -j6 from -j4 for netbsdBE... it's slow but it is SMP

Add build in sai for secure-streams-proxy scenario
2021-01-05 10:56:38 +00:00
Andy Green
ce3b99cd8f clean: reduce logging and add some conditional debug helpers 2021-01-05 10:56:38 +00:00
Andy Green
c9731c5f17 type comparisons: fixes
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00
Andy Green
0ceba15d9c lws_lifecycle
This adds some new objects and helpers for keeping and logging
info on grouped allocations, a group is, eg, SS handles or client
wsis.

Allocated objects get a context-unique "tag" string intended to replace
%p / wsi pointers etc.  Pointers quickly become confusing when
allocations are freed and reused, the tag string won't repeat
until you produce 2^64 objects in a context.

In addition the tag string documents the object group, with prefixes
like "wsi-" or "vh-" and contain object-specific additional
information like the vhost name, address / port  or the role of the wsi.
At creation time the lws code can use a format string and args
to add whatever group-specific info makes sense, eg, a wsi bound
to a secure stream can also append the guid of the secure stream,
it's copied into the new object tag and so is still available
cleanly after the stream is destroyed if the wsi outlives it.
2021-01-04 05:26:50 +00:00
Andy Green
eb5f437578 h2: post: add states to wait for body 2020-12-24 16:14:36 +00:00
Andy Green
9b42fc6aae NetBSD: also need two-arg setpgid
Enable sai
2020-12-07 11:31:53 +00:00
Andy Green
8b82560014 cmake: netbsd: no libdl 2020-12-06 19:39:35 +00:00
Andy Green
44e860642b docs: switch to use main 2020-10-19 16:35:03 +01:00
Andy Green
62e566b9de client: move staged connect pieces into core-net
They have been in lib/roles/http for historical reasons, and all
ended up in client-handshake.c that doesn't describe what they
actually do any more.  Separate out the staged client connect
related stage functions into

  lib/core-net/client/client2.c: lws_client_connect_2_dnsreq()
  lib/core-net/client/client3.c: lws_client_connect_3_connect()
  lib/core-net/client/client4.c: lws_client_connect_4_established()

Move a couple of other functions from there that don't belong out to
tls-client.c and client-http.c, which is related to http and remains
in the http role dir.
2020-09-21 12:47:11 +01:00