1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

294 commits

Author SHA1 Message Date
caobug
90eb83a307 tls: ensure using ssl before doing tls_shutdown 2021-10-05 07:40:17 +01:00
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Andy Green
733f0c10f0 mbedtls: fix validation
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
2021-10-05 07:09:13 +01:00
Andy Green
a8a443e645 wolfssl: update gencrypto 2021-09-08 09:42:11 +01:00
Andy Green
0c94138fd3 tls: handle WANT_WRITE via POLLOUT to POLLIN 2021-09-02 16:43:18 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
d1f3762a05 types: handle ssize_t is int 2021-08-09 17:31:16 +01:00
Yucong Sun
faf091d8cd windows: tls: make sure we are telling correct errno 2021-07-20 10:34:03 +01:00
Yucong Sun
81e54df04d cmake: tls: check correct api for availability 2021-07-20 10:34:03 +01:00
Andy Green
4b089788bc tls: mbedtls-3
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.

Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey.  Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.

> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
2021-07-13 13:22:50 +01:00
Nikias Bassen
ed7215f373 cmake: mbedtls: extra CMAKE_REQUIRED_INCLUDES
Make sure MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES are set in parent CMakeLists

Also set MBEDTLS_INCLUDE_DIRS in CMAKE_REQUIRED_INCLUDES so the CHECK_C_SOURCE_COMPILES
checks actually evaluate properly.
2021-07-13 08:27:27 +01:00
Andy Green
1ae1fccbec mbedtls: sessions: clean session on bail path 2021-07-13 08:27:20 +01:00
calvin2021y
6e3a6d9990 openssl: manage _GNU_SOURCE better 2021-07-08 06:22:47 +01:00
Bing Zhao
c604b9cb21 tls: add option to serialize ssl handshake
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.

On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
  in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
  in 100 interations, average 68.7k
2021-07-08 06:22:47 +01:00
Bing Zhao
74799161b1 tls: fix inbalanced tls restrict borrow/return calls
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.

Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
2021-07-08 06:22:47 +01:00
Andy Green
fabe78d222 Wextra
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.

This can successfully build everything in Sai without warnings / errors.
2021-07-04 10:29:54 +01:00
Andy Green
5d8cf03221 logs: log contexts 2021-07-01 05:20:53 +01:00
Andy Green
8e76634ed3 logs: introduce log_cx 2021-07-01 05:20:53 +01:00
Andy Green
d5475807b0 tls restriction: check before doing bio 2021-06-26 14:59:50 +01:00
Andy Green
0dd8a4a503 tls-sessions: remove no stash warning
If there's no stash, we didn't get as far as having a session, so just fail
quietly
2021-06-24 06:31:39 +01:00
Andy Green
cf2dbdc6a0 vhost: create multiple listen sockets per AF
On some platforms AF_INET and AF_INET6 must be listened for on separate
sockets.  Adapt the vhost server creation code to use the new support for
multiple listen sockets per vhost to create up to two listen sockets for
AF_INET and AF_INET6.

It refactors how the decision about the AF is made and propagated so
there's only one place for it.
2021-06-22 16:25:50 +01:00
Andy Green
6163c96727 vhost: allow multiple listen sockets
Some platforms need two sockets with AF_INET and AF_INET6 to listen to both
protocols.

This patch changes the single listen socket each vhost could previously
handle to become an lws_dll2 and adapts the related code to handle them as
a linked-list rather than as a singleton.

The next patch adapts the listen / server code to create multiple listen
wsi for vhosts listening on multiple ip protocols.
2021-06-22 15:55:47 +01:00
Andy Green
272dba8307 http: redo redirects to follow close flow
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.

This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.

h2->h2 redirects work properly after this.

The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
2021-06-22 15:55:29 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
983edafdb4 mbedtls: add AKID and SKID support 2021-06-22 15:55:29 +01:00
kekxv
c61ce6f07f cmake: tls: use CHECK_SYMBOL_EXISTS 2021-06-15 15:17:34 +01:00
Or Lupovitz
16328b1918 mbedtls: server: enforce client cert check when vhost requires 2021-05-23 14:58:07 +01:00
Andy Green
8ebe1d9323 mbedtls: prepare for v3 changes 2021-05-23 10:55:52 +01:00
ycyang1229
e76ee9cb91 mbedtls: privkey from file: fix off-by-one 2021-05-20 11:28:47 +01:00
Yichen Gu
febca16a0b lwip: handle ECONNABORTED on tls read 2021-05-17 11:34:28 +01:00
Catalin Raceanu
cf867faa46 tls: client: session cache synthetic cb 2021-04-29 20:03:41 +01:00
Yucong Sun
abada11fe1 cmake: Allow OPENSSL_INCLUDE_DIR to be empty
on some system the include dir is empty, and the detection will miss a lot of functions and fail to compile.
2021-04-29 05:29:58 +01:00
Catalin
373b50d7d1 tls-sessions: Use OpenSSL API to test if a session was reused 2021-04-27 15:42:53 +01:00
Catalin
d2a40a119e tls-sessions: Assign loaded TLS session to its intended pointer 2021-04-27 14:45:17 +01:00
Catalin
80ca71d598 Remove incorrect session ref count increment 2021-04-27 14:45:14 +01:00
Andy Green
1a6c2a634e client: tls: simplify validation fail reporting at CCE
We have access to a simplified report of the problem name for tls
validation inside the validation cb, let's bring it out and
use it for OpenSSL CCE reporting.
2021-04-15 19:10:54 +01:00
Andy Green
aa6b3f418e mbedtls: allow central trust store preload
Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.

This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
2021-04-15 19:10:54 +01:00
Mykola Stryebkov
eeed0c07d0 smp: openssl: disallow trying to clean up mutexes twice 2021-04-08 13:02:57 +01:00
Mykola Stryebkov
0d06d4bad2 windows: work well with vcpkg pthreads 2021-04-05 10:55:04 +01:00
Catalin
33f5bf2e2d tls sessions: openssl: ttl based internal expiry 2021-04-05 10:54:55 +01:00
Andy Green
9483df3b17 openssl: check for X509_VERIFY_PARAM_set1_host also using CHECK_SYMBOL_EXISTS 2021-04-04 17:20:07 +01:00
Andy Green
7451702722 tls-sessions: serialization 2021-04-04 05:45:53 +01:00
Andy Green
e2f1dd1c82 mbedtls: session cache and resume 2021-04-04 05:44:08 +01:00
Catalin
d5753b6298 tls: openssl-only: client-only: session caching 2021-04-04 05:34:11 +01:00
Andy Green
06509e287d lws_conmon: connection monitoring and stats generation
This provides a build option LWS_WITH_CONMON that lets user code recover
detailed connection stats on client connections with the LCCSCF_CONMON
flag.

In addition to latencies for dns, socket connection, tls and first protocol
response where possible, it also provides the user code an unfiltered list
of DNS responses that the client received, and the peer it actually
succeded to connect to.
2021-03-17 07:31:49 +00:00
Andreas Weigel
12d535f839 x509: support DER recovery 2021-03-13 08:06:17 +00:00
Curi0
dbc89c88ec windows: openssl: load certificates from certificate store 2021-03-12 09:25:51 +00:00
Andy Green
3f4623bb36 lws_metrics
There are a few build options that are trying to keep and report
various statistics

 - DETAILED_LATENCY
 - SERVER_STATUS
 - WITH_STATS

remove all those and establish a generic rplacement, lws_metrics.

lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.

Openmetrics export is supported, for, eg, prometheus scraping.
2021-03-08 21:47:28 +00:00
Andy Green
6d0f2500b0 windows: doesnt have #warning 2021-03-05 20:08:49 +00:00
Andy Green
9af105ebf8 sai: xenial 2021-02-28 19:05:25 +00:00