->san is a union, in this case we set the type to indicate we use
SAN_OTHER_NAME member, but set the unstructured_name union member, that is
smaller.
This doesn't cause any problem, since the union has space for it. But
Coverity noticed, it is wrong, so fix it.
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.
So explicitly check it, even though it is a NOP.
There's no problem for library build, also with LWS_WITH_MINIMAL_EXAMPLES,
but after install at least on OSX, there are problems finding the installed
lws include dir (concealed on most platforms by the path being in the
default search list for the toolchain), and the references in the lws
includes to the tls includes meaning that explicit paths for that must be
available at consuming cmakes.
This patch enhances the cmake config installed by lws to deal with adding
the lws include paths to CMAKE_REQUIRED_INCLUDES and include_directories,
so it can be found before the target is introduced.
The tls include is passed back up the CMakeLists layers and the lws targets
marked with target_include_directories(PUBLIC) with them, so they are
understood as needed by consumers.
More boilerplate is moved out of the example consuming cmakes.
After this, on machines with previous installs of older lws, you may have to
clean out the cmake install path, that is usually something like
/usr/local/lib/cmake/libwebsockets/*
before make installing lws and putting the latest content in there.
I’ve got an error when compiling libwebsockets on Mac with -DLWS_WITHOUT_SERVER=ON:
libwebsockets/lib/tls/tls.c:98:22: error: unused variable 'cx' [-Werror,-Wunused-variable]
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.
The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.
The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.
Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey. Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.
> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
Make sure MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES are set in parent CMakeLists
Also set MBEDTLS_INCLUDE_DIRS in CMAKE_REQUIRED_INCLUDES so the CHECK_C_SOURCE_COMPILES
checks actually evaluate properly.
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.
On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
in 100 interations, average 68.7k
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.
Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.
This can successfully build everything in Sai without warnings / errors.
On some platforms AF_INET and AF_INET6 must be listened for on separate
sockets. Adapt the vhost server creation code to use the new support for
multiple listen sockets per vhost to create up to two listen sockets for
AF_INET and AF_INET6.
It refactors how the decision about the AF is made and propagated so
there's only one place for it.
Some platforms need two sockets with AF_INET and AF_INET6 to listen to both
protocols.
This patch changes the single listen socket each vhost could previously
handle to become an lws_dll2 and adapts the related code to handle them as
a linked-list rather than as a singleton.
The next patch adapts the listen / server code to create multiple listen
wsi for vhosts listening on multiple ip protocols.
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.
This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.
h2->h2 redirects work properly after this.
The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
Add support for dynamically determining the CAs needed to validate server
certificates. This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.
Works for both openssl and mbedtls.
See READMEs/README.jit-trust.md for the documentation
You likely want the next patch for http redirect enhancements as well.
We have access to a simplified report of the problem name for tls
validation inside the validation cb, let's bring it out and
use it for OpenSSL CCE reporting.
Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.
This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
