AG: unlike openssl, mbedtls does not load the system trust store.
So this change will make client tls operations that work OK on openssl fail on
mbedtls unless you provide the correct CA cert.
This allows lws to distinguish between untrusted CAs, hostname
mismatches, expired certificates.
NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
will also skip hostname verification. This is somewhat a limitiation of
the current lws verification process.
AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
and add a note specific to mbedtls in the test client. Adapt the test
client to note the CA requirement if built with mbedTLS. Adapt the
minimal test clients to have the CAs available and use them if mbedTLS.
1) Introduce LWS_WITH_GCOV to build with gcc / clang coverage instrumentation.
$ cd build
$ make clean && rm -f `find . -name "*.gcno" -o -name "*.gcda"` && make -j16 && sudo make install && sudo /usr/local/bin/libwebsockets-test-server -s
...
$ gcov `find . -name *.c.gcno | grep -v test-apps` -b | sed "/\.h.\$/,/^$/d"
The above are available in two helper scripts
- scripts/build-gcov.sh
- scripts/gcov.sh
2)
CMake defaults changed:
- LWS_WITH_ZIP_FOPS: OFF
- LWS_WITH_RANGES: OFF
- LWS_WITHOUT_EXTENSIONS: ON
- LWS_WITH_ZLIB: OFF
New CMake controls that default-OFF:
- LWS_WITH_GENHASH
- LWS_WITH_GENRSA
these are implied by LWS_WITH_JWS (which is implied by LWS_WITH_ACME)
3) rename ./lib/tls/XXX/server.c and client.c to XXX-server.c / XXX-client.c.
This is because gcov dumps its results using the .c filename part only,
the copies overwrite each other if there are different .c files in the tree
with the same filename part.
4) Add onetime test-client mode and test to ./test-apps/attack.sh
5) Add gcov howto in READMEs/README.build.md using attack.sh
HTTP/2 support is now able to serve the test server, complete with
websockets, from a single vhost.
- This works the same with both OpenSSL and mbedTLS.
- POST is now wired up and works (also for file upload).
- CGI is wired up and works.
- Redirect is adapted and works
- lwsws works.
- URI urldecode, sanitation and argument parsing wired up for :path
valgrind clean (aside from openssl-style false uninit data usage in mbedtls send occasionally)
h2spec reports:
$ h2spec -h 127.0.0.1 -p 7681 -t -k -o 1
...
145 tests, 145 passed, 0 skipped, 0 failed"
Incorporates:
- "https://github.com/warmcat/libwebsockets/pull/1039
Fixes issue with -Werror=unused-variable flag
- 2c843a1395
ssl: fix infinite loop on client cert verification failure
Signed-off-by: Petar Paradzik <petar.paradzik@sartura.hr>"
Caused and fixes Coverity 184887 - 184892
Almost all the CMake options begin with LWS_WITH_..., but many of the
symbols passed to lws are LWS_USE_... , this causes neededless confusion,
compounded by the fact that a few CMake options also begin with
LWS_USE_.
This patch globally converts all LWS_USE_... to LWS_WITH_..., so there
is only one prefix to remember in both CMake and the code.
The affected public CMake options are
LWS_USE_BORINGSSL -> LWS_WITH_BORINGSSL
LWS_USE_CYASSL -> LWS_WITH_CYASSL
LWS_USE_WOLFSSL -> LWS_WITH_WOLFSSL
LWS_USE_MBEDTLS -> LWS_WITH_MBEDTLS
LWS_USE_BUNDLED_ZLIB -> LWS_WITH_BUNDLED_ZLIB
