1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Commit graph

113 commits

Author SHA1 Message Date
Pavel Otchertsov
d18aa1ee0b examples: fix sizeof lws_tls_cert_info_results in test_jwt_RS256 2021-10-05 07:40:17 +01:00
Andy Green
ee15b82b6e cmake: unbreak LWS_WITH_SYS_STATE disabled build 2021-10-05 07:40:17 +01:00
Andy Green
3e54c84a18 ss: mass update LE root to isrg part 2 2021-10-05 06:48:03 +01:00
Andy Green
c38567960a dsh: remove foreign support
We're going to refactor dsh to not have foreign support, let's remove it in
one step.
2021-10-04 12:59:27 +01:00
Andy Green
a8a443e645 wolfssl: update gencrypto 2021-09-08 09:42:11 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
dcaa0013b4 lecp: add CBOR stream parser LECP like JSON LEJP
This provides very memory-efficient CBOR stream parsing
and writing.

The parser  converts pieces of CBOR into callbacks that define
the structure and collate string and blobs into buffer chunks
for extensible and easy access.

It is fragementation-safe and does not need all the CBOR in
the same place at one time, chunks of CBOR are parsed and
discarded as provided.

It does not allocate and just needs a few hundred bytes of
stack for even huge CBOR objects.  Huge strings and blobs
are handled without needing memory to hold them atomically.

Includes ./minimal-examples/api-tests/api-test-lecp that
unit tests it against 82 official example CBORs and
26 additional test vectors from COSE (just checking the CBOR
parsing).

The writing apis allow printf style semantics with a variety
of CBOR-aware %-formats.  The apis write into a context that
manages output buffer usage, if the output buffer fills,
then the apis return with an AGAIN code that lets you issue
and reset the output buffer and repeat the api all to issue
more output.  The subsequent calls can occur much later or
from a different function context, so this is perfect for
WRITEABLE-mediated output from the network parts of lws.

See ./READMEs/README.cbor-lecp.md
2021-08-21 17:44:40 +01:00
Yichen Gu
b31c5d6ffe http: cookies: support cookie jar in and out 2021-08-21 17:44:40 +01:00
Andy Green
b67d192100 lws_map 2021-08-21 17:44:40 +01:00
Andy Green
e644bb4a6e cpd: pass up lws_ss_request_tx ret 2021-08-16 08:07:32 +01:00
Andy Green
fac7c5bf9c seq: fix 2021-07-23 04:22:15 +01:00
Andy Green
4b089788bc tls: mbedtls-3
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.

Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey.  Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.

> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
2021-07-13 13:22:50 +01:00
Andy Green
fabe78d222 Wextra
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.

This can successfully build everything in Sai without warnings / errors.
2021-07-04 10:29:54 +01:00
Andy Green
b25079c4b4 lws_cache_ttl 2021-06-22 15:55:29 +01:00
Andy Green
9fe4b37650 wilcard: change api to use length for check
The wilcard part was always length driven... but the check part relied on
being NUL terminated.  Change that to also use a length specifier and not
need any NUL.

To migrate old uses, just add a fourth param as strlen(check).
2021-06-07 14:57:57 +01:00
Andy Green
37160c797e dsh: api-test: dont use lws_dsh_describe in Release 2021-04-05 10:55:04 +01:00
Andy Green
51490ae6e6 Fault injection
add lws_xos: xoshiro256 PRNG
2021-04-05 10:55:04 +01:00
Andreas Weigel
319a00c067 jwt: sign via info
Offer a more extensible way to form and sign JWTs
2021-03-25 08:40:52 +00:00
Andy Green
1000a52df3 logs: prioritize WITH_NO_LOGS even in release
Really not having any logs makes it difficult to know what is really
happening, but if that's you're thing this will align debug and release
modes to just have ERR and USER if you give WITH_NO_LOGS
2021-03-15 12:56:15 +00:00
Andy Green
9d13b97e37 client: DNS failure should retry while waiting for connect timeout
If the DNS lookup fails, we just sit out the remaining connect time.

The adapts it to reuse the wsi->sul_connect_timeout to schedule DNS lookup
retries until we're out of time.

Eventually we want to try other things as well, this is aligned with that.

Found with fault injection.
2021-03-11 06:58:59 +00:00
Andy Green
3f4623bb36 lws_metrics
There are a few build options that are trying to keep and report
various statistics

 - DETAILED_LATENCY
 - SERVER_STATUS
 - WITH_STATS

remove all those and establish a generic rplacement, lws_metrics.

lws_metrics makes its stats available via an lws_system ops function
pointer that the user code can set.

Openmetrics export is supported, for, eg, prometheus scraping.
2021-03-08 21:47:28 +00:00
Andy Green
8a087043c6 smd: account for new interested peers joining while queue exists 2021-02-20 13:54:35 +00:00
Andy Green
599691d233 dhcp: clean 2021-02-17 11:39:15 +00:00
Andy Green
24c0814fd3 async dns: correctly deal with cb killing wsi 2021-02-09 16:56:09 +00:00
Andy Green
3192b3cab9 adns-api-test-l
Add -l option on lws-api-test-async-dns that makes it sit there trying to
lookup warmcat.com every 5s until ^C.  This is useful to test behaviour
over loss of connectivity and regaining it.
2021-02-03 07:21:45 +00:00
Andy Green
e2f18957c1 lws_strcmp_wildcard
Add helper to do a strcmp() but against the first argument that may
contain zero or more * wildcards
2021-01-16 20:52:48 +00:00
Andy Green
82c858ee2e humanize: remove padding and clean up 2021-01-16 07:33:59 +00:00
Andy Green
06662a64fa LE-root-cert-update
warmcat.com and libwebsockets.org use Let's Encrypt certificates... LE
have changed their CA signing arrangements and after 2021-01-12 (the
point I renewed the LE server certs and received one signed using the
new arrangements) it's required to trust new root certs for the examples
to connect to warmcat.com and libwebsockets.org.

https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

This updates the in-tree CA copies, the remote policies on warmcat.com
have also been updated.

Just goes to show for real client infrastructure, you need to run your own
CA (that doesn't have to be trusted by anything outside the clients)
where you can control the CA lifetime.
2021-01-13 04:32:13 +00:00
Andy Green
abc60c755a smd: add more scenarios to tests
Let's have 4 x forked clients all intercommunicate via the SS proxy,
and add it to ctest.
2021-01-05 10:56:38 +00:00
Andy Green
c9731c5f17 type comparisons: fixes
This is a huge patch that should be a global NOP.

For unix type platforms it enables -Wconversion to issue warnings (-> error)
for all automatic casts that seem less than ideal but are normally concealed
by the toolchain.

This is things like passing an int to a size_t argument.  Once enabled, I
went through all args on my default build (which build most things) and
tried to make the removed default cast explicit.

With that approach it neither change nor bloat the code, since it compiles
to whatever it was doing before, just with the casts made explicit... in a
few cases I changed some length args from int to size_t but largely left
the causes alone.

From now on, new code that is relying on less than ideal casting
will complain and nudge me to improve it by warnings.
2021-01-05 10:56:38 +00:00
Andy Green
815b9074fc lws-struct: json and sqlite on 32-bit OS
Test that we can handle int -1 correctly on sqlite and
greater than 32-bit unsigned on json with ull
2021-01-05 10:56:26 +00:00
Andy Green
ad11a09a79 lws_smd: make api test fail immediately 2021-01-04 05:40:12 +00:00
Andy Green
a13b34db1c smd: add warning for queue depth 2021-01-04 05:40:12 +00:00
Andy Green
1d8be99cff cmake: latest cmake shows dep warnings for scripts < 2.8.12 2020-12-06 19:44:54 +00:00
Andy Green
2bcae2b3b6 context: refactor destroy flow 2020-11-28 10:58:38 +00:00
Andy Green
5f7da4a530 struct_json: adapt api test for 32-bit int on windows 2020-10-06 21:21:19 +01:00
Andy Green
ef8bfb2488 windows: build fixes 2020-09-30 06:42:09 +01:00
Andy Green
49e92ba089 http: add RFC7231 date and time helpers and retry-after handling
Teach lws how to deal with date: and retry-after:

Add quick selftest into apt-test-lws_tokenize

Expand lws_retry_sul_schedule_retry_wsi() to check for retry_after and
increase the backoff if a larger one found.

Finally, change SS h1 protocol to handle 503 + retry-after: as a
failure, and apply any increased backoff from retry-after
automatically.
2020-09-19 14:11:56 +01:00
Andy Green
c6c7ab2b44 event libs: default to building as dynamically loaded plugins
Event lib support as it has been isn't scaling well, at the low level
libevent and libev headers have a namespace conflict so they can't
both be built into the same image, and at the distro level, binding
all the event libs to libwebsockets.so makes a bloaty situation for
packaging, lws will drag in all the event libs every time.

This patch implements the plan discussed here

https://github.com/warmcat/libwebsockets/issues/1980

and refactors the event lib support so they are built into isolated
plugins and bound at runtime according to what the application says
it wants to use.  The event lib plugins can be packaged individually
so that only the needed sets of support are installed (perhaps none
of them if the user code is OK with the default poll() loop).  And
dependent user code can mark the specific event loop plugin package
as required so pieces are added as needed.

The eventlib-foreign example is also refactored to build the selected
lib support isolated.

A readme is added detailing the changes and how to use them.

https://libwebsockets.org/git/libwebsockets/tree/READMEs/README.event-libs.md
2020-08-31 16:51:37 +01:00
Andy Green
1ebe27e38f cmake: mark all the subprojects as explicitly C
We don't need a C++ compiler but if we don't spell it out, cmake
assumes it C + C++ compiler needed.
2020-08-31 16:51:36 +01:00
Andy Green
4cd381f933 cmake: tls: wolfssl
PARENT_SCOPE needs adjusting in a few places for wolfssl to work, and
we need a second level export of USE_WOLFSSL through lib/CMakeLists.txt

Add noi/f32 Sai build for WOLFSSL + MINIMAL_EXAMPLES
2020-08-10 15:04:10 +01:00
Andy Green
625bade63e ss: static policy: dynamic vhost instantiation
Presently a vh is allocated per trust store at policy parsing-time, this
is no problem on a linux-class device or if you decide you need a dynamic
policy for functionality reasons.

However if you're in a constrained enough situation that the static policy
makes sense, in the case your trust stores do not have 100% duty cycle, ie,
are anyway always in use, the currently-unused vhosts and their x.509 stack
are sitting there taking up heap for no immediate benefit.

This patch modifies behaviour in ..._STATIC_POLICY_ONLY so that vhosts and
associated x.509 tls contexts are not instantiated until a secure stream using
them is created; they are refcounted, and when the last logical secure
stream using a vhost is destroyed, the vhost and its tls context is also
destroyed.

If another ss connection is created that wants to use the trust store, the
vhost and x.509 context is regenerated again as needed.

Currently the refcounting is by ss, it's also possible to move the refcounting
to be by connection.  The choice is between the delay to generate the vh
being visisble at logical ss creation-time, or at connection-time.  It's anyway
not preferable to have ss instantiated and taking up space with no associated
connection or connection attempt underway.

NB you will need to reprocess any static policies after this patch so they
conform to the trust_store changes.
2020-07-21 12:43:32 +01:00
Andy Green
886e93265a struct-lejp: handle no path match
For some patterns of JSON we return to parse at the outermost level and
meet a situation path_match is 0.  In some places we're looking at things
from perspective of path_match - 1... that does not seem to cause trouble on
x86_64 but can on aarch64, which is how it got noticed.

This logically protects those accesses by checking !!path_match.
2020-07-15 16:18:00 +01:00
Andy Green
08b9a31e20 lws_json_simple: allow running into end
If the arg is unquoted, it's normal to run into the
end finding its extent.
2020-07-15 16:18:00 +01:00
Andy Green
77530f8ccb jwt: sign and create jws helper 2020-07-15 16:17:59 +01:00
Andy Green
1ae6ce37d3 lws_dll2: add helper for typed object name from owner list
There's a good pattern that's encouraged by using lws_struct pieces, that
we have an lws_dll2 owner with an array of objects listed in it that exist
in an lwsac.  And because it came from JSON, there is tending to be a
logical name for the objects.

This adds a typed helper and wrapper to scan the owner list looking for
a specific name (of a specified length, not NUL terminated) in a specific
member of the listed objects, which must be a NUL-terminated const char *.
Again this is a good pattern that's encouraged by use of lws_tokenize
to recover the name we're looking for.

So it leads to the helper that can cleanly search for a listed object of the
right name from an owner, and return the typed object pointer or NULL, from a
length-specified string.
2020-07-09 15:30:34 +01:00
Andy Green
4939b87e66 lws_netdev: use lws_settings
Perform the AP selection using lws_settings and a generic scan state machine
2020-07-07 15:23:19 +01:00
Andy Green
8eca7e17f2 lws_smd: system message distribution
- Add low level system message distibution framework
 - Add support for local Secure Streams to participate using _lws_smd streamtype
 - Add apit test and minimal example
 - Add SS proxy support for _lws_smd

See minimal-secure-streams-smd README.md
2020-06-27 07:57:22 +01:00
Andy Green
30f3606b0e context: option to disable system state management 2020-06-27 07:57:22 +01:00
Andy Green
5a937fa830 lws_json_simple_find and lws_nstrstr
String helpers for scanning non-NUL-delimited strings safely,
and very cheap simple string match based JSON parse for cases
that make sense for it... for more complex cases, do a full
JSON parse.
2020-06-20 04:56:30 +01:00