1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

380 commits

Author SHA1 Message Date
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Andy Green
0fda90c40a ws-server-threads-smp: modernize 2021-10-05 07:40:03 +01:00
Andy Green
b6004e08c9 mqtt: allow indicating client_id is not on heap
Not sure why we don't leave any freeing to the caller, but since we don't
allow indicating that the provided client id should not be freed.
2021-10-05 07:09:47 +01:00
Austen Stone
f6954e432c http: custom hdr: add custom name iterator 2021-08-31 05:45:40 +01:00
Andy Green
81a3ca3e84 ss: port binance example 2021-08-31 05:45:40 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
dcaa0013b4 lecp: add CBOR stream parser LECP like JSON LEJP
This provides very memory-efficient CBOR stream parsing
and writing.

The parser  converts pieces of CBOR into callbacks that define
the structure and collate string and blobs into buffer chunks
for extensible and easy access.

It is fragementation-safe and does not need all the CBOR in
the same place at one time, chunks of CBOR are parsed and
discarded as provided.

It does not allocate and just needs a few hundred bytes of
stack for even huge CBOR objects.  Huge strings and blobs
are handled without needing memory to hold them atomically.

Includes ./minimal-examples/api-tests/api-test-lecp that
unit tests it against 82 official example CBORs and
26 additional test vectors from COSE (just checking the CBOR
parsing).

The writing apis allow printf style semantics with a variety
of CBOR-aware %-formats.  The apis write into a context that
manages output buffer usage, if the output buffer fills,
then the apis return with an AGAIN code that lets you issue
and reset the output buffer and repeat the api all to issue
more output.  The subsequent calls can occur much later or
from a different function context, so this is perfect for
WRITEABLE-mediated output from the network parts of lws.

See ./READMEs/README.cbor-lecp.md
2021-08-21 17:44:40 +01:00
Yichen Gu
b31c5d6ffe http: cookies: support cookie jar in and out 2021-08-21 17:44:40 +01:00
Andy Green
b67d192100 lws_map 2021-08-21 17:44:40 +01:00
Andy Green
6ab149b5d3 evlib: remove PREPARE_DELETION as cruft 2021-08-21 17:44:34 +01:00
Andy Green
43f290adbc sspc: add LWSSSCS_UPSTREAM_LINK_RETRY state
Add a transient state that indicates that we are retrying an upstream link
before the sspc creation can proceed.

The state() ack paramemeter shows the number of ms we have been retrying.

This is only issued if proxy mode clients are having difficulty reaching
their proxy, and are retrying.

As a transient state it doesn't affect the ss overall state, which will not
have reached CREATING yet.
2021-08-19 05:31:15 +01:00
Andy Green
37f3244076 conmon: add dns and protocol_specific
This adds an indication of dns disposition to the conmon results,
and for http, if it gets that far a protocol-specific indication
of http response code.
2021-08-19 05:31:04 +01:00
Andy Green
e644bb4a6e cpd: pass up lws_ss_request_tx ret 2021-08-16 08:07:32 +01:00
Andy Green
f3d5b9b99a service: assert on thread shenanigans 2021-08-13 05:25:01 +01:00
Andy Green
4b089788bc tls: mbedtls-3
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.

Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey.  Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.

> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
2021-07-13 13:22:50 +01:00
Andy Green
215ec1daa8 remove LWS_WITH_DEPRECATED_THINGS 2021-07-13 13:22:46 +01:00
Bing Zhao
c604b9cb21 tls: add option to serialize ssl handshake
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.

On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
  in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
  in 100 interations, average 68.7k
2021-07-08 06:22:47 +01:00
Andy Green
36e7e8af78 fault injection: pseudorandom 64-bit range support
This adds an api allowing fault injection path implementations to get hold
of pseudo-random numbers between an externally-provided range.

You can set it using, eg, --fault-injection "f1(10%),f1_delay(123..456)"
while f1 shows how to decide whether to inject the fault and f1_delay
provides a pseudo-random number between the two values for the fault
implementation code to use.
2021-07-04 10:29:54 +01:00
Andy Green
fabe78d222 Wextra
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.

This can successfully build everything in Sai without warnings / errors.
2021-07-04 10:29:54 +01:00
Andy Green
8e76634ed3 logs: introduce log_cx 2021-07-01 05:20:53 +01:00
Andy Green
6163c96727 vhost: allow multiple listen sockets
Some platforms need two sockets with AF_INET and AF_INET6 to listen to both
protocols.

This patch changes the single listen socket each vhost could previously
handle to become an lws_dll2 and adapts the related code to handle them as
a linked-list rather than as a singleton.

The next patch adapts the listen / server code to create multiple listen
wsi for vhosts listening on multiple ip protocols.
2021-06-22 15:55:47 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
f8f1749be9 client: add option for allowing redirect tls downgrades 2021-06-22 15:55:29 +01:00
Andy Green
983edafdb4 mbedtls: add AKID and SKID support 2021-06-22 15:55:29 +01:00
Andy Green
b25079c4b4 lws_cache_ttl 2021-06-22 15:55:29 +01:00
Jed Lu
2abf4115a8 ss: direct protocol string 2021-06-11 14:44:10 +01:00
Andy Green
9fe4b37650 wilcard: change api to use length for check
The wilcard part was always length driven... but the check part relied on
being NUL terminated.  Change that to also use a length specifier and not
need any NUL.

To migrate old uses, just add a fourth param as strlen(check).
2021-06-07 14:57:57 +01:00
Andy Green
7baf400017 evlib: allow custom evlib ops
Adapt the event lib support slighly so we can pass an event lib "plugin"
header in at context creation time, and direct all event loop handling to
go via that.

This can then be lightly adapted to interface to an existing custom event
loop cleanly, without the problems of EXTERNAL_POLL.

The external loop must consult with us about the max wait timeout as shown
in the added minimal-http-server-eventlib-custom example.

The example shows a complete implementation working with a custom poll()
loop cleanly while only needing 5 ops in the custom event lib handler.
2021-06-07 08:17:49 +01:00
Chunho Lee
c5484c0232 ss-mqtt: Add support for MQTT UNSUBSCRIBE and DISCONNECT
Send UNSUBSCRIBE and DISCONNECT when LWSSSSRET_DISCONNECT_ME is
returned.
2021-05-27 11:37:44 +01:00
Chunho Lee
85cec16f95 mqtt: Add support for QoS 2
Add support for QoS 2.
2021-05-27 11:36:54 +01:00
Andy Green
ad3aa5339e TCP_FASTOPEN 2021-05-25 08:13:13 +01:00
Andy Green
c58532803e license: fix two old headers from pre-MIT change
These two headers managed to avoid the global switch from
LGPL2.1 -> MIT back in the day, correct them to be aligned
with the rest of lws' own license, ie, MIT.
2021-05-04 18:33:36 +01:00
Andy Green
aa6b3f418e mbedtls: allow central trust store preload
Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.

This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
2021-04-15 19:10:54 +01:00
Andy Green
68d9f3a7f2 ss: wire up EVENT_WAIT_CANCELLED
Currently the lws_cancel_service() api only manifests itself at lws level.
This adds a state LWSSSCS_EVENT_WAIT_CANCELLED that is broadcast to all
SS in the event loop getting the cancel service api call, and allows
SS-level user code to pick up handling events from other threads.

There's a new example minimal-secure-streams-threads which shows the
pattern for other threads to communicate with and trigger the event in the
lws service thread.
2021-04-15 19:10:54 +01:00
Andy Green
4b52d7598c docs: lws_write: decruftify 2021-04-15 17:41:17 +01:00
Andy Green
24abd699f6 http: parser: straighten out %00 legality
https://github.com/warmcat/libwebsockets/issues/2262

This adds a README explaining what can be expected if your URLs contain
%00, and adds a safe helper for urlargs-by-name that is length-based.

Contains fix for extra NUL on some headers

https://github.com/warmcat/libwebsockets/issues/2267
2021-04-10 09:21:33 +01:00
Andy Green
42dc817d8f ss: proxy: get rx flow control working
This fixes the proxy rx flow by adding an lws_dsh helper to hide the
off-by-one in the "kind" array (kind 0 is reserved for tracking the
unallocated dsh blocks).

For testing, it adds a --blob option on minimal-secure-streams[-client]
which uses a streamtype "bulkproxflow" from here

https://warmcat.com/policy/minimal-proxy-v4.2-v2.json

		"bulkproxflow": {
			"endpoint": "warmcat.com",
			"port": 443,
			"protocol": "h1",
			"http_method": "GET",
			"http_url": "blob.bin",
			"proxy_buflen": 32768,
			"proxy_buflen_rxflow_on_above": 24576,
			"proxy_buflen_rxflow_off_below": 8192,
			"tls": true,
			"retry": "default",
			"tls_trust_store": "le_via_dst"
		}

This downloads a 51MB blob of random data with the SHA256sum

ed5720c16830810e5829dfb9b66c96b2e24efc4f93aa5e38c7ff4150d31cfbbf

The minimal-secure-streams --blob example client delays the download by
50ms every 10KiB it sees to force rx flow usage at the proxy.

It downloads the whole thing and checks the SHA256 is as expected.

Logs about rxflow status are available at LLL_INFO log level.
2021-04-07 15:54:26 +01:00
Andy Green
b582dd49fb client: add CONNECTING protocol cb 2021-04-05 10:55:04 +01:00
Andy Green
d291c02a23 ss: sspc: add conmon performance telemetry
This provides a way to get ahold of LWS_WITH_CONMON telemetry from Secure
Streams, it works the same with direct onward connections or via the proxy.

You can mark streamtypes with a "perf": true policy attribute... this
causes the onward connections on those streamtypes to collect information
about the connection performance, and the unsorted DNS results.

Streams with that policy attribute receive extra data in their rx callback,
with the LWSSS_FLAG_PERF_JSON flag set on it, containing JSON describing the
performance of the onward connection taken from CONMON data, in a JSON
representation.  Streams without the "perf" attribute set never receive
this extra rx.

The received JSON is based on the CONMON struct info and looks like

{"peer":"46.105.127.147","dns_us":596,"sockconn_us":31382,"tls_us":28180,"txn_resp_us:23015,"dns":["2001:41d0:2:ee93::1","46.105.127.147"]}

A new minimal example minimal-secure-streams-perf is added that collects
this data on an HTTP GET from warmcat.com, and is built with a -client
version as well if LWS_WITH_SECURE_STREAMS_PROXY_API is set, that operates
via the ss proxy and produces the same result at the client.
2021-04-05 10:55:04 +01:00
Andy Green
51490ae6e6 Fault injection
add lws_xos: xoshiro256 PRNG
2021-04-05 10:55:04 +01:00
Andy Green
7451702722 tls-sessions: serialization 2021-04-04 05:45:53 +01:00
Catalin
d5753b6298 tls: openssl-only: client-only: session caching 2021-04-04 05:34:11 +01:00
Andy Green
e4d381eadd metrics: increase type of us_schedule to uint64_t 2021-04-02 16:50:49 +01:00
Chunho Lee
25ae9facc9 mqtt: topic validation for different mqtt servers
AWS IoT enforces limits topic level and length. If 'aws_iot' is set
on the policy, the topic limits will be enforced for AWS IoT.
2021-03-30 07:38:37 +01:00
Sakthi Kannan
f3531ef673 mqtt: wildcard topic and topic to 256 chars
Adding supports to MQTT wildcard support, topic to 256 chars,
incorrect topic validation.
2021-03-30 07:38:37 +01:00
Andy Green
ae0b52c0df lws_hex_from_byte_array 2021-03-25 08:40:52 +00:00
Andreas Weigel
319a00c067 jwt: sign via info
Offer a more extensible way to form and sign JWTs
2021-03-25 08:40:52 +00:00
Andy Green
0f42f0d9ad uloop 2021-03-17 12:23:34 +00:00
Andy Green
06509e287d lws_conmon: connection monitoring and stats generation
This provides a build option LWS_WITH_CONMON that lets user code recover
detailed connection stats on client connections with the LCCSCF_CONMON
flag.

In addition to latencies for dns, socket connection, tls and first protocol
response where possible, it also provides the user code an unfiltered list
of DNS responses that the client received, and the peer it actually
succeded to connect to.
2021-03-17 07:31:49 +00:00
Andy Green
1000a52df3 logs: prioritize WITH_NO_LOGS even in release
Really not having any logs makes it difficult to know what is really
happening, but if that's you're thing this will align debug and release
modes to just have ERR and USER if you give WITH_NO_LOGS
2021-03-15 12:56:15 +00:00