1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Commit graph

316 commits

Author SHA1 Message Date
Andy Green
2d48f559f0 mbedtls: some versions need x509 overallocation 2022-05-17 15:37:16 +01:00
Fabrice Fontaine
6e997a9e70 tls: cmake: add wolfssl pkg-config support
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95

This will avoid setting manually LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2022-05-17 15:37:16 +01:00
orefkov
cad13a8864 acme: update for v2
https://github.com/warmcat/libwebsockets/issues/2609

AG: api logging updates
2022-05-17 15:37:16 +01:00
Andy Green
49af3742c6 mbedtls: v3.1 reverts privacy of mbedtls_net_context fd
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it.  Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
2022-05-17 15:09:20 +01:00
Poppy
ca3f639edd tls: libressl: refactor set_options to work with macro implementations
Libressl uses macros for set_options(), causing compilation failure.
Refactor the related code to work well with macro definitions for
these apis.

https://github.com/warmcat/libwebsockets/issues/2554
2022-02-09 20:12:31 +00:00
Andy Green
3f19d94040 jit-trust: adapt for esp-idf pre v3 mbedtls
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.

Make sure mbedtls tls validation is noisy and fast.

Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline.  Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
2022-02-09 20:12:31 +00:00
Andy Green
939a512413 mbedtls: improve api detection
mbedtls cmake api detection was not able to work on esp-idf well.

Improve diagnostics and reaction if we ever see that again.
2022-02-01 14:09:19 +00:00
Rosen Penev
1f9925b443 genec: show correct nid when not allowed
As noticed by gcc11 warning

https://github.com/warmcat/libwebsockets/pull/2551
2022-02-01 14:04:33 +00:00
Andy Green
f99bf7748c logs: openssl session: improve detection of INFO enabled
https://github.com/warmcat/libwebsockets/issues/2540
2022-01-27 14:31:10 +00:00
Andy Green
10a34fc43b coverity fixes 2022-01-16 13:32:09 +00:00
Ferenc Gerlits
d90361b771 cmake: fix compilation with OpenSSL subproject
https://github.com/warmcat/libwebsockets/pull/2535
2022-01-13 16:06:46 +00:00
Andy Green
6e9c25d1f7 mbedtls-x509: coverity: remove needless check
ip can't be NULL, it's set to the address of another object.
2021-11-08 11:05:28 +00:00
Andy Green
57c5a0da55 jit-trust: SAN_RFC822_NAME needs other_name union member
->san is a union, in this case we set the type to indicate we use
SAN_OTHER_NAME member, but set the unstructured_name union member, that is
smaller.

This doesn't cause any problem, since the union has space for it.  But
Coverity noticed, it is wrong, so fix it.
2021-11-08 11:05:28 +00:00
Andy Green
240cd55ef6 jit-trust: show coverity we handle NULL attribute source
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.

So explicitly check it, even though it is a NOP.
2021-11-08 11:05:28 +00:00
Andy Green
7882a6dc13 jit-trust: clean after failed mbedtls_x509_get_name
mbedtls_x509_get_name() does not clean up properly after itself in the case
of OOM on multi-segment name.  We have to add extra handling and cleaning.
2021-11-08 11:05:24 +00:00
Andy Green
4935fe9e1e openssl: remove lws_ssl_get_error_string as cruft
It's not exported, it seems nothing wants it any more
2021-11-02 07:23:28 +00:00
Andy Green
b912958a67 cmake: bring tls include requirement out as PUBLIC
There's no problem for library build, also with LWS_WITH_MINIMAL_EXAMPLES,
but after install at least on OSX, there are problems finding the installed
lws include dir (concealed on most platforms by the path being in the
default search list for the toolchain), and the references in the lws
includes to the tls includes meaning that explicit paths for that must be
available at consuming cmakes.

This patch enhances the cmake config installed by lws to deal with adding
the lws include paths to CMAKE_REQUIRED_INCLUDES and include_directories,
so it can be found before the target is introduced.

The tls include is passed back up the CMakeLists layers and the lws targets
marked with target_include_directories(PUBLIC) with them, so they are
understood as needed by consumers.

More boilerplate is moved out of the example consuming cmakes.

After this, on machines with previous installs of older lws, you may have to
clean out the cmake install path, that is usually something like

  /usr/local/lib/cmake/libwebsockets/*

before make installing lws and putting the latest content in there.
2021-10-28 10:47:12 +01:00
Felipe Gasper
ff5257e193 logs: migrate more to log context 2021-10-15 14:15:06 +01:00
Orefkov Aleksander
00b922041b mbedtls: set length even when LWS_HAVE_mbedtls_ssl_get_alpn_protocol 2021-10-12 09:46:32 +01:00
Orefkov Aleksander
c226da3e10 cmake: wrong miniz include dir + mbed link on windows 2021-10-12 09:46:28 +01:00
Tero Turtiainen
3b90c89bab tls: clear unused warning on WITHOUT_SERVER
I’ve got an error when compiling libwebsockets on Mac with -DLWS_WITHOUT_SERVER=ON:

libwebsockets/lib/tls/tls.c:98:22: error: unused variable 'cx' [-Werror,-Wunused-variable]
2021-10-06 09:22:50 +01:00
Kenneth Mastro
3d7d180eb8 wolfssl: adapt SNI for recent changes
It seems WOLFSSL_SNI_HOST_NAME is an enum in later wolfssl, use
the wolfssl define HAVE_SNI as well
2021-10-06 06:27:07 +01:00
caobug
90eb83a307 tls: ensure using ssl before doing tls_shutdown 2021-10-05 07:40:17 +01:00
Andy Green
19ba1998fa tls: evolve handshake serialization into simultaneous_ssl_handshake_restriction
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.

The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.

The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
2021-10-05 07:40:17 +01:00
Andy Green
733f0c10f0 mbedtls: fix validation
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
2021-10-05 07:09:13 +01:00
Andy Green
a8a443e645 wolfssl: update gencrypto 2021-09-08 09:42:11 +01:00
Andy Green
0c94138fd3 tls: handle WANT_WRITE via POLLOUT to POLLIN 2021-09-02 16:43:18 +01:00
Andy Green
4db2ff872b cose: keys and signing + validation
Support for COSE keys and signing / validation

 - lws_cose_key_t and import / export / generation apis for EC / RSA / SYMMETRIC

 - cose_sign1 ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign1-tests
 - cose_sign  ES256/384/512,RS256/384/512 sign + validate, passes RFC8152 WG tests sign-tests
 - cose_mac0  HS256/HS256_64/384/512      sign + validate, passes RFC8152 WG tests hmac-examples
 - cose_mac   HS256/HS256_64/384/512             validate, passes RFC8152 WG tests hmac-examples

 - lws-crypto-cose-key commandline tool for key / key set dumping and
   creation
 - lws-crypro-cose-sign commandline tool for signing / validation

 - lws-api-test-cose - large number of test vectors and tests from RFC8152
2021-08-31 05:45:35 +01:00
Andy Green
d1f3762a05 types: handle ssize_t is int 2021-08-09 17:31:16 +01:00
Yucong Sun
faf091d8cd windows: tls: make sure we are telling correct errno 2021-07-20 10:34:03 +01:00
Yucong Sun
81e54df04d cmake: tls: check correct api for availability 2021-07-20 10:34:03 +01:00
Andy Green
4b089788bc tls: mbedtls-3
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.

Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey.  Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.

> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
2021-07-13 13:22:50 +01:00
Nikias Bassen
ed7215f373 cmake: mbedtls: extra CMAKE_REQUIRED_INCLUDES
Make sure MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES are set in parent CMakeLists

Also set MBEDTLS_INCLUDE_DIRS in CMAKE_REQUIRED_INCLUDES so the CHECK_C_SOURCE_COMPILES
checks actually evaluate properly.
2021-07-13 08:27:27 +01:00
Andy Green
1ae1fccbec mbedtls: sessions: clean session on bail path 2021-07-13 08:27:20 +01:00
calvin2021y
6e3a6d9990 openssl: manage _GNU_SOURCE better 2021-07-08 06:22:47 +01:00
Bing Zhao
c604b9cb21 tls: add option to serialize ssl handshake
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.

On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
  in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
  in 100 interations, average 68.7k
2021-07-08 06:22:47 +01:00
Bing Zhao
74799161b1 tls: fix inbalanced tls restrict borrow/return calls
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.

Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
2021-07-08 06:22:47 +01:00
Andy Green
fabe78d222 Wextra
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.

This can successfully build everything in Sai without warnings / errors.
2021-07-04 10:29:54 +01:00
Andy Green
5d8cf03221 logs: log contexts 2021-07-01 05:20:53 +01:00
Andy Green
8e76634ed3 logs: introduce log_cx 2021-07-01 05:20:53 +01:00
Andy Green
d5475807b0 tls restriction: check before doing bio 2021-06-26 14:59:50 +01:00
Andy Green
0dd8a4a503 tls-sessions: remove no stash warning
If there's no stash, we didn't get as far as having a session, so just fail
quietly
2021-06-24 06:31:39 +01:00
Andy Green
cf2dbdc6a0 vhost: create multiple listen sockets per AF
On some platforms AF_INET and AF_INET6 must be listened for on separate
sockets.  Adapt the vhost server creation code to use the new support for
multiple listen sockets per vhost to create up to two listen sockets for
AF_INET and AF_INET6.

It refactors how the decision about the AF is made and propagated so
there's only one place for it.
2021-06-22 16:25:50 +01:00
Andy Green
6163c96727 vhost: allow multiple listen sockets
Some platforms need two sockets with AF_INET and AF_INET6 to listen to both
protocols.

This patch changes the single listen socket each vhost could previously
handle to become an lws_dll2 and adapts the related code to handle them as
a linked-list rather than as a singleton.

The next patch adapts the listen / server code to create multiple listen
wsi for vhosts listening on multiple ip protocols.
2021-06-22 15:55:47 +01:00
Andy Green
272dba8307 http: redo redirects to follow close flow
Until now although we can follow redirects, and they can promote the
protocol from h1->h2, we couldn't handle h2 wsi reuse since there are many
states in the wsi affected by being h2.

This wipes the related states in lws_wsi_reset() and follows the generic
wsi close flow before deviating into the redirect really close to the end,
ensuring we cleaned out evidence of our previous life properly.

h2->h2 redirects work properly after this.

The max number of redirects is increased from 3 -> 4 since this was seen in
the wild with www and then geographic-based redirects.
2021-06-22 15:55:29 +01:00
Andy Green
2f9bb7a30a tls: JIT Trust
Add support for dynamically determining the CAs needed to validate server
certificates.  This allows you to avoid instantiating > 120 X.509 trusted
CA certs and have them take up heap the whole time.

Works for both openssl and mbedtls.

See READMEs/README.jit-trust.md for the documentation

You likely want the next patch for http redirect enhancements as well.
2021-06-22 15:55:29 +01:00
Andy Green
983edafdb4 mbedtls: add AKID and SKID support 2021-06-22 15:55:29 +01:00
kekxv
c61ce6f07f cmake: tls: use CHECK_SYMBOL_EXISTS 2021-06-15 15:17:34 +01:00
Or Lupovitz
16328b1918 mbedtls: server: enforce client cert check when vhost requires 2021-05-23 14:58:07 +01:00
Andy Green
8ebe1d9323 mbedtls: prepare for v3 changes 2021-05-23 10:55:52 +01:00