1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

447 commits

Author SHA1 Message Date
Pavel Otchertsov
d18aa1ee0b examples: fix sizeof lws_tls_cert_info_results in test_jwt_RS256 2021-10-05 07:40:17 +01:00
Andy Green
ee15b82b6e cmake: unbreak LWS_WITH_SYS_STATE disabled build 2021-10-05 07:40:17 +01:00
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Andy Green
0fda90c40a ws-server-threads-smp: modernize 2021-10-05 07:40:03 +01:00
Andy Green
b6004e08c9 mqtt: allow indicating client_id is not on heap
Not sure why we don't leave any freeing to the caller, but since we don't
allow indicating that the provided client id should not be freed.
2021-10-05 07:09:47 +01:00
Andy Green
733f0c10f0 mbedtls: fix validation
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
2021-10-05 07:09:13 +01:00
Andy Green
3e54c84a18 ss: mass update LE root to isrg part 2 2021-10-05 06:48:03 +01:00
Andy Green
c38567960a dsh: remove foreign support
We're going to refactor dsh to not have foreign support, let's remove it in
one step.
2021-10-04 12:59:27 +01:00
Andy Green
d075d4f9ca ctest: increase timeouts on tests using warmcat 2021-09-09 15:27:41 +01:00
Andy Green
a8a443e645 wolfssl: update gencrypto 2021-09-08 09:42:11 +01:00
Andy Green
06e881aad6 esp32c3
Add
2021-08-31 05:45:40 +01:00
Andy Green
81a3ca3e84 ss: port binance example 2021-08-31 05:45:40 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
dcaa0013b4 lecp: add CBOR stream parser LECP like JSON LEJP
This provides very memory-efficient CBOR stream parsing
and writing.

The parser  converts pieces of CBOR into callbacks that define
the structure and collate string and blobs into buffer chunks
for extensible and easy access.

It is fragementation-safe and does not need all the CBOR in
the same place at one time, chunks of CBOR are parsed and
discarded as provided.

It does not allocate and just needs a few hundred bytes of
stack for even huge CBOR objects.  Huge strings and blobs
are handled without needing memory to hold them atomically.

Includes ./minimal-examples/api-tests/api-test-lecp that
unit tests it against 82 official example CBORs and
26 additional test vectors from COSE (just checking the CBOR
parsing).

The writing apis allow printf style semantics with a variety
of CBOR-aware %-formats.  The apis write into a context that
manages output buffer usage, if the output buffer fills,
then the apis return with an AGAIN code that lets you issue
and reset the output buffer and repeat the api all to issue
more output.  The subsequent calls can occur much later or
from a different function context, so this is perfect for
WRITEABLE-mediated output from the network parts of lws.

See ./READMEs/README.cbor-lecp.md
2021-08-21 17:44:40 +01:00
Yichen Gu
b31c5d6ffe http: cookies: support cookie jar in and out 2021-08-21 17:44:40 +01:00
Andy Green
b67d192100 lws_map 2021-08-21 17:44:40 +01:00
Andy Green
f6911cdab8 minimal: perf: add --test404[red] switches
--test404 sends us instead to httpbin.org/status/404
 --test404red goes to warmcat.com/noexist.html which is handled as a
              redirect to a 404 page (served with a 200...), streamtype
              allows redirects to be followed
 --test404redref same as above but streamtype disallows redirect follow

These should all produce CONMON results for the first response, be it 404
or 302 and whether the 302 was followed or not, and whether the client
goes via the proxy or not.
2021-08-19 10:02:16 +01:00
Andy Green
31bbeb520d minimal: eventlib-custom: handle fds removal in service
https://github.com/warmcat/libwebsockets/issues/2388
2021-08-19 05:31:15 +01:00
Andy Green
708903cb47 minimal: eventlib: custom: add client demonstration 2021-08-19 05:31:15 +01:00
Zhao Lou
2951a92ed8 conmon: fix missing quote in JSON 2021-08-19 05:28:27 +01:00
Andy Green
243c21deac ss: add fault injections in creation
Add 9 fault injection cases in SS creation flow, and 5 of those
instantiate in the minimal examples ctests.  The other 4 relate
to static policy and server, I tested the server ones by hand.

These tests confirm the recent change to unpick create using
lws_ss_destroy.
2021-08-16 08:07:35 +01:00
Andy Green
e644bb4a6e cpd: pass up lws_ss_request_tx ret 2021-08-16 08:07:32 +01:00
Andy Green
f3d5b9b99a service: assert on thread shenanigans 2021-08-13 05:25:01 +01:00
Jed Lu
62b915c879 ss: increase set_metadata length type to size_t 2021-08-09 17:31:16 +01:00
Andy Green
fac7c5bf9c seq: fix 2021-07-23 04:22:15 +01:00
Andy Green
4b089788bc tls: mbedtls-3
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.

Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey.  Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.

> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
2021-07-13 13:22:50 +01:00
Andy Green
4c4b2c5dcf libevent: use event_enable_debug_mode 2021-07-13 08:27:18 +01:00
Bing Zhao
c604b9cb21 tls: add option to serialize ssl handshake
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.

On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
  in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
  in 100 interations, average 68.7k
2021-07-08 06:22:47 +01:00
Andy Green
fabe78d222 Wextra
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.

This can successfully build everything in Sai without warnings / errors.
2021-07-04 10:29:54 +01:00
Andy Green
5432e8ae7b sspc: add concurrency stress
Add a way to perform sspc tests with increased concurrency and sequential
tests
2021-07-04 10:29:52 +01:00
Andy Green
8e76634ed3 logs: introduce log_cx 2021-07-01 05:20:53 +01:00
Andy Green
604968a31d minimal: hcmulti: modernize startup to use OPERATIONAL 2021-06-27 08:42:28 +01:00
Jed Lu
c2e10db5f2 ss-policy2c-update 2021-06-26 12:31:44 +01:00
Andy Green
1c72e9eee6 minimal: ws client spam: modernize with pvo and cancel service after interrupted 2021-06-24 16:55:25 +01:00
Andy Green
272dba8307 http: redo redirects to follow close flow
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.

This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.

h2->h2 redirects work properly after this.

The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
2021-06-22 15:55:29 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
983edafdb4 mbedtls: add AKID and SKID support 2021-06-22 15:55:29 +01:00
Andy Green
b25079c4b4 lws_cache_ttl 2021-06-22 15:55:29 +01:00
Andy Green
c09d69e291 minimal: htt-client: send user agent and accept
Some servers will 4xx us if they don't see these headers
2021-06-22 15:54:13 +01:00
Andy Green
3ef0b0268d ctest: do not reuse ctest-ssp path 2021-06-22 15:54:05 +01:00
Jed Lu
2abf4115a8 ss: direct protocol string 2021-06-11 14:44:10 +01:00
Jed Lu
e82778e07a ss: static policy for sigv4 2021-06-11 14:25:12 +01:00
Andy Green
9fe4b37650 wilcard: change api to use length for check
The wilcard part was always length driven... but the check part relied on
being NUL terminated.  Change that to also use a length specifier and not
need any NUL.

To migrate old uses, just add a fourth param as strlen(check).
2021-06-07 14:57:57 +01:00
Andy Green
509d0528a9 examples: embedded: keep loop running on WROVER 2021-06-07 08:17:51 +01:00
Andy Green
7baf400017 evlib: allow custom evlib ops
Adapt the event lib support slighly so we can pass an event lib "plugin"
header in at context creation time, and direct all event loop handling to
go via that.

This can then be lightly adapted to interface to an existing custom event
loop cleanly, without the problems of EXTERNAL_POLL.

The external loop must consult with us about the max wait timeout as shown
in the added minimal-http-server-eventlib-custom example.

The example shows a complete implementation working with a custom poll()
loop cleanly while only needing 5 ops in the custom event lib handler.
2021-06-07 08:17:49 +01:00
Andy Green
0517a2a629 ss: split out blob into own minimal example
The --blob option requires GENCRYPTO that's not on by default, to handle
the hash checks... that's going to cause a lot of confusion because it
means the simplest ss example won't build by default then.

Let's remove the blob support (and GENCRYPTO dependency) from the simplest
example and make a new minimal-secure-streams-blob example that has --blob
support and the GENCRYPTO dependency as well.
2021-05-28 10:10:15 +01:00
Andy Green
ad3aa5339e TCP_FASTOPEN 2021-05-25 08:13:13 +01:00
Or Lupovitz
16328b1918 mbedtls: server: enforce client cert check when vhost requires 2021-05-23 14:58:07 +01:00
Catalin Raceanu
cf867faa46 tls: client: session cache synthetic cb 2021-04-29 20:03:41 +01:00
Yichen Gu
5fdd9c99b1 ss: policy2c: type error on respmap 2021-04-21 19:30:42 +01:00