Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like it currently does for servers.
Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
Subject: [PATCH] remove LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY
callback
When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
openssl can be built without threads resulting in the following build
failure:
-- Looking for HMAC_CTX_new
-- Looking for HMAC_CTX_new - not found
[...]
In file included from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets.h:661,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/core/./private-lib-core.h:140,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/plat/unix/unix-misc.c:28:
/home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets/lws-genhash.h:85:18: error: field 'ctx' has incomplete type
85 | HMAC_CTX ctx;
| ^~~
To fix this build failure, don't unconditionally add pthread if openssl
has been found through pkg-config as openssl.pc will contain the
appropriate dependencies (i.e. -lpthread but also -lz or -latomic)
Fixes:
- http://autobuild.buildroot.org/results/2ae9e3249b6fcc9e6c30e7783e264fc6599e61df
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95
This will avoid setting manually LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it. Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.
Make sure mbedtls tls validation is noisy and fast.
Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline. Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
->san is a union, in this case we set the type to indicate we use
SAN_OTHER_NAME member, but set the unstructured_name union member, that is
smaller.
This doesn't cause any problem, since the union has space for it. But
Coverity noticed, it is wrong, so fix it.
Coverity doesn't understand that since we already handled
akid.keyIdentifier.MBEDTLS_PRIVATE(len) being zero, we don't need to
check for akid.keyIdentifier.MBEDTLS_PRIVATE(p) being NULL.
So explicitly check it, even though it is a NOP.
There's no problem for library build, also with LWS_WITH_MINIMAL_EXAMPLES,
but after install at least on OSX, there are problems finding the installed
lws include dir (concealed on most platforms by the path being in the
default search list for the toolchain), and the references in the lws
includes to the tls includes meaning that explicit paths for that must be
available at consuming cmakes.
This patch enhances the cmake config installed by lws to deal with adding
the lws include paths to CMAKE_REQUIRED_INCLUDES and include_directories,
so it can be found before the target is introduced.
The tls include is passed back up the CMakeLists layers and the lws targets
marked with target_include_directories(PUBLIC) with them, so they are
understood as needed by consumers.
More boilerplate is moved out of the example consuming cmakes.
After this, on machines with previous installs of older lws, you may have to
clean out the cmake install path, that is usually something like
/usr/local/lib/cmake/libwebsockets/*
before make installing lws and putting the latest content in there.
I’ve got an error when compiling libwebsockets on Mac with -DLWS_WITHOUT_SERVER=ON:
libwebsockets/lib/tls/tls.c:98:22: error: unused variable 'cx' [-Werror,-Wunused-variable]
This patch adapts the recent change about serializing the number of
simultaneous tls handshakes allowed to 1, so you can set the number in the
context creation info, and the accounting for it is handled by counters
same as the overally tls restriction.
The name of the context info var to control it changes to simultaneous_ssl_handshake_restriction
which is now a count, the default 0 means no limit.
The count rejects tls connection attempts when the tls borrow is attempted,
and separately hands back the hs borrow from the tls borrow when the
connection attempt fails or succeeds.
mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
Adapt mbedtls support for compatibility with v3, while maintaining
compatibility with v2.
Notice v3 has removed the ability to encrypt with pubkey and
decrypt with privkey. Openssl still has it, atm with v3 these
fall back to encrypt with privkey and decrypt with pubkey.
> The RSA module no longer supports private-key operations with the
> public key or vice versa. As a consequence, RSA operation functions
> no longer have a mode parameter. If you were calling RSA operations
> with the normal mode (public key for verification or encryption,
> private key for signature or decryption), remove the
> MBEDTLS_MODE_PUBLIC or MBEDTLS_MODE_PRIVATE argument. If you were
> calling RSA operations with the wrong mode, which rarely makes sense
>from a security perspective, this is no longer supported.
Make sure MBEDTLS_INCLUDE_DIRS and MBEDTLS_LIBRARIES are set in parent CMakeLists
Also set MBEDTLS_INCLUDE_DIRS in CMAKE_REQUIRED_INCLUDES so the CHECK_C_SOURCE_COMPILES
checks actually evaluate properly.
This is useful for memory constrained systems such as esp32
to improve heap usage minfree/watermark.
On esp32 with simultaneous_ssl_restriction = 2 (MQTT+H1),
Without this change, sys heap minfree ranges from 59k to 71k
in 100 iterations, average 66.5k.
With this change, sys heap minfree ranges from 64k to 71k
in 100 interations, average 68.7k
lws_tls_restrict_borrow() returns error when tls restriction limit is
reached. However lws_ssl_close() still calls lws_tls_restrict_return()
to decrease simultaneous_ssl. Thus LWS accepts more than allowed ssl
links, making simultaneous_ssl_restriction useless.
Fix it by tracking lws_tls_restrict_borrow() return value and only
calling lws_tls_restrict_return() if lws_tls_restrict_borrow() is
successful.
Add -Wextra (with -Wno-unused-parameter) to unix builds in addition to
-Wall -Werror.
This can successfully build everything in Sai without warnings / errors.