15 hours agolws_dll_foreach_safe master
Andy Green [Mon, 18 Mar 2019 08:12:45 +0000 (16:12 +0800)]

24 hours agoopenssl: reuse client SSL_CTX where possible
Andy Green [Sun, 17 Mar 2019 02:03:22 +0000 (10:03 +0800)]
openssl: reuse client SSL_CTX where possible

If you have multiple vhosts with client contexts enabled, under
OpenSSL each one brings in the system cert bundle.

On, there are many vhosts and the waste adds up
to about 9MB of heap.

This patch makes a sha256 from the client context configuration, and
if a suitable client context already exists on another vhost, bumps
a refcount and reuses the client context.

In the case client contexts are configured differently, a new one
is created (and is available for reuse as well).

24 hours agoserver-status: show correct statm value
Andy Green [Sun, 17 Mar 2019 05:58:28 +0000 (13:58 +0800)]
server-status: show correct statm value

2 days agominimal-http-server-proxy
Andy Green [Sat, 16 Mar 2019 08:19:00 +0000 (16:19 +0800)]

2 days agoopenssl: try to reduce memory usage
Andy Green [Sat, 16 Mar 2019 02:17:28 +0000 (10:17 +0800)]
openssl: try to reduce memory usage

2 days agombedtls: handle vhost without valid cert gracefully
Andy Green [Sat, 16 Mar 2019 01:54:52 +0000 (09:54 +0800)]
mbedtls: handle vhost without valid cert gracefully

2 days agoglibc: if malloc_trim() exists, call it periodically
Andy Green [Sat, 16 Mar 2019 00:10:47 +0000 (08:10 +0800)]
glibc: if malloc_trim() exists, call it periodically

3 days agoappveyor: add JOSE target
Andy Green [Fri, 15 Mar 2019 07:28:30 +0000 (15:28 +0800)]
appveyor: add JOSE target

4 days agowindows: prepare for udp
Andy Green [Sat, 9 Mar 2019 21:12:58 +0000 (05:12 +0800)]
windows: prepare for udp

4 days agojwk: remove unistd.h include
Andy Green [Thu, 14 Mar 2019 13:22:17 +0000 (21:22 +0800)]
jwk: remove unistd.h include

4 days agolws_dir: wrap dir scanning backend and convert lejp-conf
Andy Green [Thu, 14 Mar 2019 00:24:40 +0000 (08:24 +0800)]
lws_dir: wrap dir scanning backend and convert lejp-conf

We use POSIX dir scanning apis normally, but for windows, we require libuv
to do it for us.

Formalize that into a wrapper lws_dir() that hides the backend code.

Make it configurable, ON by default and forced on with lejp-conf that
depends on it.

4 days agombedtls: Fix reads getting stuck when the socket has disconnected
Santeri Hernejärvi [Thu, 14 Mar 2019 11:05:35 +0000 (12:05 +0100)]
mbedtls: Fix reads getting stuck when the socket has disconnected

We've seen this behaviour when iOS resumes from sleep:

dbg> 0x11cd03750: ssl err dbg> lws_ssl_capable_read: WANT_READ
dbg> SSL Capable more service
dbg> 0x11cd03750: SSL_read says -1
dbg> 0x11cd03750: ssl err 2 errno 57
dbg> lws_ssl_capable_read: WANT_READ
dbg> 0x11cd0375dbg> SSL Capable more service
dbg> 0x11cd03750: SSL_read says -1
dbg> 0x11cd03750: ssl err 2 errno 57
dbg> lws_ssl_capable_read: WANT_READ

4 days agodbus: selftests should use more unique mirror session name
Andy Green [Thu, 14 Mar 2019 00:52:51 +0000 (08:52 +0800)]
dbus: selftests should use more unique mirror session name

5 days agodbus: signal.h needed explicitly on some platforms
Brian Lee [Wed, 13 Mar 2019 14:29:18 +0000 (14:29 +0000)]
dbus: signal.h needed explicitly on some platforms

6 days agovhost: fix allocated protocol list freeing at destroy time
Andy Green [Tue, 12 Mar 2019 01:20:58 +0000 (09:20 +0800)]
vhost: fix allocated protocol list freeing at destroy time

6 days agolwsac_use_zeroed: lwsac helper equivalent to zalloc
Andy Green [Tue, 12 Mar 2019 00:05:09 +0000 (08:05 +0800)]
lwsac_use_zeroed: lwsac helper equivalent to zalloc

6 days agolejp: integrate error strings and api to core lejp
Andy Green [Mon, 11 Mar 2019 23:54:27 +0000 (07:54 +0800)]
lejp: integrate error strings and api to core lejp

lejp-conf isn't the only user that needs to generate human-readable
JSON parsing error stacks.

Build it in with lejp and introduce an error code -> string api

6 days agominimal-http-client-custom-headers
Andy Green [Sun, 10 Mar 2019 21:54:08 +0000 (05:54 +0800)]

6 days agoold openssl: dont build with membuffer apis
Andy Green [Fri, 8 Mar 2019 07:26:33 +0000 (15:26 +0800)]
old openssl: dont build with membuffer apis

6 days agovhost info: add memory buffer cert support
Andy Green [Thu, 14 Feb 2019 06:35:24 +0000 (14:35 +0800)]
vhost info: add memory buffer cert support

8 days agovhost: add pprotocols to vhost info
Andy Green [Sat, 9 Mar 2019 21:34:02 +0000 (05:34 +0800)]
vhost: add pprotocols to vhost info

info.protocols works okay, but it has an annoying problem... you have to know
the type for each protocol's pss at the top level of the code, so you can set
the struct lws_protocols user_data size for it.

Lws already rewrites the protocol tables for a vhost in the case of runtime
protocol plugins... this adapts that already-existing code slightly to give
a new optional way to declare the protocol array.

Everything works as before by default, but now info.protocols may be NULL and
info.pprotocols defined instead (if that's also NULL, as it will be if you
just ignore it after memsetting to 0, then it continues to fall back to the
dummy protocol handler as before).

info.pprotocols is a NULL-termined array of pointers to lws_protocol
structs.  This can be composed at the top level of your code without knowing
anything except the name of the externally-defined lws_protocol struct(s).

The minimal example http-server-dynamic is changed to use the new scheme as
an example.

8 days agooptee: supporting sockaddr* variants and cleanup
Akira Tsukamoto [Fri, 8 Mar 2019 15:16:19 +0000 (00:16 +0900)]
optee: supporting sockaddr* variants and cleanup

Without this patch, the build will break with gcc 8.2 as bellow.
optee_os/lib/libwebsockets/libwebsockets/lib/core-net/network.c: In function ‘lws_socket_bind’:
optee_os/lib/libwebsockets/libwebsockets/lib/core-net/network.c:347:4: error: ‘memcpy’ forming offset [5, 16] is out of the bounds [0, 4] of object ‘sin’ with type ‘struct sockaddr_storage’ [-Werror=array-bounds]
    memcpy(&sain, &sin, sizeof(sain));
/home/akirat/dev/otrp/aist-tb/optee_os/lib/libwebsockets/libwebsockets/lib/core-net/network.c:224:26: note: ‘sin’ declared here
  struct sockaddr_storage sin;
cc1: all warnings being treated as errors

Signed-off-by: Akira Tsukamoto <>
8 days agomingw: windows: make minimal examples build
Andy Green [Fri, 8 Mar 2019 03:43:33 +0000 (11:43 +0800)]
mingw: windows: make minimal examples build

8 days agobzero: replace all with memset
Andy Green [Fri, 8 Mar 2019 02:50:55 +0000 (10:50 +0800)]
bzero: replace all with memset

lws_explicit_bzero() is available if the goal is to have volatile zeroing.

8 days agoipv6: force ipv4 if iface bind uses ipv4 address
Andy Green [Fri, 8 Mar 2019 00:58:56 +0000 (08:58 +0800)]
ipv6: force ipv4 if iface bind uses ipv4 address

8 days agoxenial: fix missing stdio.h errors in minimal examples
Andy Green [Thu, 7 Mar 2019 10:31:59 +0000 (18:31 +0800)]
xenial: fix missing stdio.h errors in minimal examples

8 days agominimal-ws-client-echo: add -i iface option to allow control of client iface bind
Andy Green [Thu, 7 Mar 2019 03:59:20 +0000 (11:59 +0800)]
minimal-ws-client-echo: add -i iface option to allow control of client iface bind

8 days agoipv6: support [ipv6]:port in client proxy
Andy Green [Thu, 7 Mar 2019 02:36:57 +0000 (10:36 +0800)]
ipv6: support [ipv6]:port in client proxy

8 days agoadopt: force incoming fd to nonblocking
Andy Green [Thu, 7 Mar 2019 01:49:52 +0000 (09:49 +0800)]
adopt: force incoming fd to nonblocking

Incoming fds muct be nonblocking for any event loop... add a platform
api to do that and call it during adopt.

8 days agocmake cross: non-bash doesn't deal with quoted options correctly
Andy Green [Mon, 4 Mar 2019 12:43:58 +0000 (20:43 +0800)]
cmake cross: non-bash doesn't deal with quoted options correctly

Although it works find on Fedora / bash, the extra quotes are snipped
on Ubuntu / dash.  Removing the quotes works OK on both.

8 days agocmake: override build system release optimization policy
Andy Green [Wed, 27 Feb 2019 23:05:12 +0000 (07:05 +0800)]
cmake: override build system release optimization policy

The cmake config on the build system actually decides the release build optimization policy.
On Fedora, it's -O2.  On Ubuntu, it's -O3.

Anything given in CMakeLists.txt is overridden by the build system policy since it goes at
the end of the compiler commandline.

When you are building cross, the build system's opinion of your cross binary optimization
level is irrelevant, and at worst destructive.  Some versions of gcc contain broken optimizations
that are applied only at -O3.

This patch removes any doomed attempt to set -O in CMakeLists.txt, which has
no effect since the build system policy is still added at the end, but
removes confusion; and adds code to all the cross build files to forcibly
override release optimization level to -O2, removing the build system's
opinion of how your cross build should look.

8 days agoah: custom headers for h1
Andy Green [Tue, 26 Feb 2019 09:18:24 +0000 (17:18 +0800)]
ah: custom headers for h1

Until now lws only parses headers it knows at build-time from its
prebuilt lexical analyzer.

This adds an on-by-default cmake option and a couple of apis
to also store and query "custom", ie, unknown-to-lws headers.

A minimal example is also provided.

At the moment it only works on h1, h2 support needs improvements
to the hpack implementation.

Since it bloats ah memory usage compared to without it if custom
headers are present, the related code and ah footprint can be
disabled with the cmake option LWS_WITH_CUSTOM_HEADERS, but it's
on by default normally.  ESP32 platform disables it.

8 days agolibuv: account for pipe close only once
Andy Green [Fri, 1 Mar 2019 11:42:42 +0000 (19:42 +0800)]
libuv: account for pipe close only once

8 days agoipv6: migrate header includes to private.h
Andy Green [Thu, 28 Feb 2019 01:44:28 +0000 (09:44 +0800)]
ipv6: migrate header includes to private.h

8 days agouv: ensure watcher exists before operating on it
Andy Green [Sat, 23 Feb 2019 22:16:57 +0000 (06:16 +0800)]
uv: ensure watcher exists before operating on it

This seen in the wild...

==20578== Invalid read of size 1
==20578==    at 0x4D2E018: uv_poll_stop (poll.c:112)
==20578==    by 0x48BC159: elops_io_uv (libuv.c:684)
==20578==    by 0x4872F55: __remove_wsi_socket_from_fds (pollfd.c:326)
==20578==    by 0x486EF1B: __lws_close_free_wsi (close.c:425)
==20578==    by 0x486F3E2: lws_close_free_wsi (close.c:518)
==20578==    by 0x487564C: lws_service_fd_tsi (service.c:1033)
==20578==    by 0x48BAEA9: lws_io_cb (libuv.c:117)
==20578==    by 0x4D3606F: uv__io_poll (linux-core.c:379)
==20578==    by 0x4D27714: uv_run (core.c:361)
==20578==    by 0x48BC347: elops_run_pt_uv (libuv.c:735)
==20578==    by 0x4875746: lws_service (service.c:1080)
==20578==    by 0x401A51: main (main.c:309)
==20578==  Address 0x58 is not stack'd, malloc'd or (recently) free'd

8 days agosmp: take pt lock in poll foreign thread detection
Andy Green [Sat, 23 Feb 2019 07:24:57 +0000 (15:24 +0800)]
smp: take pt lock in poll foreign thread detection

8 days agolibuv.c: set m to 0 by default
Adam Duskett [Fri, 22 Feb 2019 20:47:41 +0000 (15:47 -0500)]
libuv.c: set m to 0 by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Setting m to 0 by default will prevent "error: ‘m’ may be used uninitialized in this function"
while compiling with the option -DLWS_WITH_LIBUV=ON.

8 days agosmp: adopt: deal with load balancing init window
Andy Green [Fri, 22 Feb 2019 21:41:30 +0000 (05:41 +0800)]
smp: adopt: deal with load balancing init window

With SMP as soon as we add the new sockfd to the fds table, in the
case we load-balanced the fd on to a different pt, service on it
becomes live immediately and concurrently.  This can lead to the
unexpected situation that while we think we're still initing the
new wsi from our thread, it can have lived out its whole life
concurrently from another service thread.

Add a volatile flag to inform the owning pt that if it wants to
service the wsi during this init window, it must wait and retry
next time around the event loop.

8 days agows: setting default protocol index to an illegal index disables default ws binding
Andy Green [Fri, 22 Feb 2019 06:27:21 +0000 (14:27 +0800)]
ws: setting default protocol index to an illegal index disables default ws binding

On lwsws, incoming ws connections to the default vhost
are not rejected by the dummy protocol handler and not
really serviced either, leading to bots connecting to it to
get immortal, idle ws connections with no timeout (since it's an
established ws connection).

Rejecting these connections by default by adding a handler
for ESTABLISHED in the dummy handler will solve it nicely,
but it will break an unknown number of dumb. protocol-less
user implementations that rely on this behaviour by using
break; from their own ESTABLISHED handler and calling
through to the currently NOP dummy handler one.

Add support to assertively disable the default protocol
index used for subprotocol-less ws connections instead.

8 days agoclean: LWS_SSL_ENABLED use vh as the macro arg name to clarify what should be given
Andy Green [Thu, 21 Feb 2019 22:45:25 +0000 (06:45 +0800)]
clean: LWS_SSL_ENABLED use vh as the macro arg name to clarify what should be given

8 days agohttp: log ws upgrades
Andy Green [Tue, 19 Feb 2019 23:47:48 +0000 (07:47 +0800)]
http: log ws upgrades

8 days agosocks5: fix remain dst buffer length when calls lws_strncpy
JoonCheol Park [Mon, 18 Feb 2019 11:59:29 +0000 (15:59 +0400)]
socks5: fix remain dst buffer length when calls lws_strncpy

8 days agoserver-status: add proc statm and switch to vhost protocol timer
Andy Green [Mon, 18 Feb 2019 01:02:33 +0000 (09:02 +0800)]
server-status: add proc statm and switch to vhost protocol timer

8 days agocgi: fix stdin cgiwsi leak when closed early
Andy Green [Sun, 17 Feb 2019 02:46:30 +0000 (10:46 +0800)]
cgi: fix stdin cgiwsi leak when closed early

8 days agoraw-proxy: avoid one char read too far with tokenizer
Andy Green [Sat, 16 Feb 2019 09:28:57 +0000 (17:28 +0800)]
raw-proxy: avoid one char read too far with tokenizer

8 days agosshd: explicitly transfer free responsibility when adopting last_alloc
Andy Green [Sat, 16 Feb 2019 20:29:56 +0000 (04:29 +0800)]
sshd: explicitly transfer free responsibility when adopting last_alloc

8 days agolibevent: idle timer should not be EV_PERSIST
Andy Green [Sat, 16 Feb 2019 09:26:10 +0000 (17:26 +0800)]
libevent: idle timer should not be EV_PERSIST

8 days agoclient: confirm sin_zero actual size for platform
fanc [Fri, 15 Feb 2019 08:42:17 +0000 (16:42 +0800)]
client: confirm sin_zero actual size for platform

in some platform, the size of sa46.sa4.sin_zero is not 8, but 6, so use 8 will cause coredump.

8 days agocodacy: fixes for warnings
Andy Green [Fri, 15 Feb 2019 00:46:30 +0000 (08:46 +0800)]
codacy: fixes for warnings

5 weeks agowindows: treat syscall and errno 0 as WANT_READ
Andy Green [Wed, 6 Feb 2019 22:24:14 +0000 (06:24 +0800)]
windows: treat syscall and errno 0 as WANT_READ

5 weeks agooptee: avoid using gai_strerror in udp
Andy Green [Tue, 5 Feb 2019 13:13:09 +0000 (21:13 +0800)]
optee: avoid using gai_strerror in udp

6 weeks agolws_http_mark_sse
Andy Green [Wed, 30 Jan 2019 12:59:56 +0000 (20:59 +0800)]

6 weeks agosse: drop the ah when the sse connection starts
Andy Green [Wed, 30 Jan 2019 06:38:11 +0000 (14:38 +0800)]
sse: drop the ah when the sse connection starts

6 weeks agorsa-aes-gcm: only strip padding when required
Andy Green [Wed, 30 Jan 2019 00:08:16 +0000 (08:08 +0800)]
rsa-aes-gcm: only strip padding when required

6 weeks agojwk: openssl: fix key parameter ordering for older OpenSSL
Andy Green [Tue, 29 Jan 2019 23:19:38 +0000 (07:19 +0800)]
jwk: openssl: fix key parameter ordering for older OpenSSL

6 weeks agocrypto: openssl: use EVP hmac objects directly 2
Andy Green [Tue, 29 Jan 2019 07:28:56 +0000 (15:28 +0800)]
crypto: openssl: use EVP hmac objects directly 2

6 weeks agocrypto: openssl: use EVP hmac objects directly
Andy Green [Tue, 29 Jan 2019 05:11:17 +0000 (13:11 +0800)]
crypto: openssl: use EVP hmac objects directly

6 weeks agocgi: fix stdout close to http close
Andy Green [Tue, 29 Jan 2019 04:25:20 +0000 (12:25 +0800)]
cgi: fix stdout close to http close

On h1, cgi stdout close doesn't prompt the http close, instead it
times out.  Fix that so we also close on h1, and make the close
action itself on http timeout less drastic.

As it was, GnuTLS actually marks the close as a fatal TLS error.

7 weeks agoappveyor: disable bintray
Andy Green [Sun, 27 Jan 2019 23:38:44 +0000 (07:38 +0800)]
appveyor: disable bintray

We gradually filled up the free allocation, and they don't provide any
method to delete the oldest automatically.  You literally have to sit
there deleting one artifact at a time (we create 7 per commit) using
their webui.  I'm not going to do that.

While it's full, appveyor builds will just break.

So disable it.

7 weeks agominimal examples: ws-server-threads-smp
Andy Green [Sun, 27 Jan 2019 23:02:33 +0000 (07:02 +0800)]
minimal examples: ws-server-threads-smp

7 weeks agogencrypto: mbedtls: manual rsa padding removal only needed on old mbedtls in optee
Andy Green [Sun, 27 Jan 2019 11:38:59 +0000 (19:38 +0800)]
gencrypto: mbedtls: manual rsa padding removal only needed on old mbedtls in optee

7 weeks agoopenssl: jwk: rsa: also import p and q
Andy Green [Sun, 27 Jan 2019 11:21:47 +0000 (19:21 +0800)]
openssl: jwk: rsa: also import p and q

7 weeks agox509: crypto tool: add alg
Andy Green [Sun, 27 Jan 2019 08:25:07 +0000 (16:25 +0800)]
x509: crypto tool: add alg

7 weeks agojwk: crypto tool: add --alg commandline arg
Andy Green [Sun, 27 Jan 2019 08:08:34 +0000 (16:08 +0800)]
jwk: crypto tool: add --alg commandline arg

7 weeks agodeaddrop: extend timeout as data comes in
Andy Green [Thu, 24 Jan 2019 02:59:47 +0000 (10:59 +0800)]
deaddrop: extend timeout as data comes in

7 weeks agodaemonize: use pid_t
Andy Green [Wed, 23 Jan 2019 10:06:32 +0000 (18:06 +0800)]
daemonize: use pid_t

After report from Vitaly Shevtsov

7 weeks agows: fix coredump of lws_create_context
t00416110 [Tue, 22 Jan 2019 07:45:34 +0000 (15:45 +0800)]
ws: fix coredump of lws_create_context

Signed-off-by: t00416110 <>
8 weeks agojwe: strip padding after rsa-aes
Andy Green [Mon, 21 Jan 2019 22:26:08 +0000 (06:26 +0800)]
jwe: strip padding after rsa-aes

2 months agooptee: remove build system
Andy Green [Mon, 14 Jan 2019 22:59:48 +0000 (06:59 +0800)]
optee: remove build system

2 months agoLWS_WITH_NETWORK: cmake option for no network code
Andy Green [Sat, 12 Jan 2019 22:58:21 +0000 (06:58 +0800)]
LWS_WITH_NETWORK: cmake option for no network code

2 months agoclient: typo in client-handshake
Andy Green [Sat, 12 Jan 2019 23:50:38 +0000 (07:50 +0800)]
client: typo in client-handshake

2 months agows: subprotocol parsing: allow dot
cjakeway [Sat, 12 Jan 2019 23:47:22 +0000 (07:47 +0800)]
ws: subprotocol parsing: allow dot

2 months agowindows: socket keepalive valid is ms
Bitomaxsp [Sat, 12 Jan 2019 23:34:07 +0000 (07:34 +0800)]
windows: socket keepalive valid is ms

2 months agoSubject: [PATCH] Fix control messages are inflated
Guillaume Burel [Fri, 11 Jan 2019 14:43:46 +0000 (15:43 +0100)]
Subject: [PATCH] Fix control messages are inflated

RFC7692 states that control messages should not be compressed so there is no
need to inflate these messages.

There can be a bug if a control message is received while processing a
compressed message since lws relies on the RSV bit of the first message to
inflate the rx buffer or not.
Here we also check the opcode to only inflate a message if it is a data message.

Fixes: #1470

2 months agox509-warning-fixes
Andy Green [Fri, 11 Jan 2019 10:19:21 +0000 (18:19 +0800)]

2 months agoqnx: qnx6.5 compatibility
pblemel [Fri, 11 Jan 2019 08:48:53 +0000 (16:48 +0800)]
qnx: qnx6.5 compatibility

2 months agooptee: other plat fixes
Andy Green [Fri, 11 Jan 2019 09:14:04 +0000 (17:14 +0800)]
optee: other plat fixes

2 months agombedtls: finer-grained enable checks and OP-TEE
Andy Green [Fri, 11 Jan 2019 05:14:32 +0000 (13:14 +0800)]
mbedtls: finer-grained enable checks and OP-TEE

2 months agotls: client: also allow vhost client ctx to be initialized with in-memory certs
Andy Green [Fri, 11 Jan 2019 05:13:40 +0000 (13:13 +0800)]
tls: client: also allow vhost client ctx to be initialized with in-memory certs

2 months agoadopt: keep most of adopt.c even with WITHOUT_SERVER
Andy Green [Fri, 11 Jan 2019 05:13:34 +0000 (13:13 +0800)]
adopt: keep most of adopt.c even with WITHOUT_SERVER

2 months agoadaptations
Andy Green [Fri, 11 Jan 2019 05:13:19 +0000 (13:13 +0800)]

2 months agolws-x509: validation functions
Andy Green [Mon, 31 Dec 2018 12:35:54 +0000 (20:35 +0800)]
lws-x509: validation functions

2 months agoecdh-es
Andy Green [Sun, 23 Dec 2018 23:42:03 +0000 (07:42 +0800)]

Mainly JWE support for ecdh-es and initial refactor to support multiple
recipients / signatures.

2 months agojwe
Andy Green [Thu, 13 Dec 2018 12:05:12 +0000 (20:05 +0800)]

2 months agogenec: generic ECDH crypto layer
Andy Green [Wed, 5 Dec 2018 05:11:03 +0000 (13:11 +0800)]
genec: generic ECDH crypto layer

!!! WIP

This implements the "genec" layer wrapping mbedtls + openssl
ECDH support.

API tests are added for the parts that are implemented so far.

Stuff related to ec at all, like keys, are prefixed lws_genec_.
Stuff specific to ECDH are prefixed lws_genecdh_.

2 months agogenrsa: add OAEP and PSS and convert openssl to EVP
Andy Green [Fri, 7 Dec 2018 23:10:09 +0000 (07:10 +0800)]
genrsa: add OAEP and PSS and convert openssl to EVP

Wanting PSS padding on signatures triggers and avalanche of
openssl EVP conversions as the only way to do it with the
openssl public apis.

2 months agogenaes: generic AES layer independent of tls library
Andy Green [Tue, 4 Dec 2018 00:03:58 +0000 (08:03 +0800)]
genaes: generic AES layer independent of tls library

Although RSA can be used directly for signing / JWS
on large chunks of data since it's only operating on
the hash, when JWE support arrives, which allows bulk
encryption, it's going to be mandatory to support
secondary AES ciphers to use on the bulk data.

This adds generic support for all AES modes that OpenSSL
and mbedTLS have in common, works on both mbedTLS and
OpenSSL the same, and adds unit tests for each mode
in api-test-gencrypto, to run in CI.

2 months agoJOSE: refactor and prepare for JWE
Andy Green [Tue, 27 Nov 2018 00:36:08 +0000 (08:36 +0800)]
JOSE: refactor and prepare for JWE

Until now the JOSE pieces only had enough support for ACME.
This patch improves the JWK parsing to prepare for more
complete support and for adding JWE, genaes and genec in
later patches.

2 months agodeaddrop: handle @ urldecode in delete
Andy Green [Wed, 26 Dec 2018 22:43:39 +0000 (06:43 +0800)]
deaddrop: handle @ urldecode in delete

2 months agoautobahn: keep doing tests until we get a 500
Andy Green [Tue, 18 Dec 2018 23:09:58 +0000 (07:09 +0800)]
autobahn: keep doing tests until we get a 500

3 months agominimal-ws-client: fix couple of breakages
Andy Green [Mon, 17 Dec 2018 11:09:13 +0000 (19:09 +0800)]
minimal-ws-client: fix couple of breakages

3 months agowindows: proposed fix for CANCELLED
John Kamp [Fri, 7 Dec 2018 13:13:19 +0000 (21:13 +0800)]
windows: proposed fix for CANCELLED

3 months agoopenssl: Allow IP-based SAN in automatic hostname check
=?UTF-8?q?Samuel=20Lor=C3=A9tan?= [Wed, 5 Dec 2018 23:38:23 +0000 (15:38 -0800)]
openssl: Allow IP-based SAN in automatic hostname check

With OpenSSL, `X509_VERIFY_PARAM_set1_host` only checks matching hostnames and alternative names that are domain-based.

This change tries calling `X509_VERIFY_PARAM_set1_ip_asc` first, which attempts to parse the hostname as an IP address (v4 or v6). If this fails, it'll fall back to the current `X509_VERIFY_PARAM_set1_host` behavior.

3 months agorole: raw-proxy
Andy Green [Thu, 29 Nov 2018 00:29:48 +0000 (08:29 +0800)]
role: raw-proxy

3 months agolws_raw_transaction_completed
Andy Green [Fri, 30 Nov 2018 22:45:23 +0000 (06:45 +0800)]

This provides a way to defer closing if the output buflist has
unsent content for the wsi, until the buflist is drained.

It doesn't make any assumption about the content being related
to http, so you can use it on raw.

It follows the semantics of the http transaction completed, ie

     if (lws_raw_transaction_completed(wsi))
return -1

     return 0;

3 months agowsi: opaque_user_data and accessors
Andy Green [Fri, 30 Nov 2018 22:35:20 +0000 (06:35 +0800)]
wsi: opaque_user_data and accessors

Under some circumstances it's useful to tag a wsi with user
data, while still having an lws-allocated and destroyed pss.

3 months agocgi: use transaction_complete when stdout goes away
Andy Green [Fri, 30 Nov 2018 00:41:30 +0000 (08:41 +0800)]
cgi: use transaction_complete when stdout goes away

transaction_complete includes processing for the case we are holding
an output-side buflist, and arranges for it to be sent before the
connection is actually closed.

This stops very slow links not being ablet to use git clone via
cgi mount, because the close races the flushing of the output-side
buflist and in the case the connection is bad, closes before
everything was sent.

3 months agoadopt: allow associated accepted vhost connections to specific role
Andy Green [Thu, 29 Nov 2018 00:47:49 +0000 (08:47 +0800)]
adopt: allow associated accepted vhost connections to specific role

Normalize the vhost options around optionally handling noncompliant
traffic at the listening socket for both non-tls and tls cases.

By default everything is as before.

However it's now possible to tell the vhost to allow noncompliant
connects to fall back to a specific role and protocol, both set
by name in the vhost creation info struct.

The original vhost flags allowing http redirect to https and
direct http serving from https server (which is a security
downgrade if enabled) are cleaned up and tested.

A minimal example minimal-raw-fallback-http-server is added with
switches to confirm operation of all the valid possibilities (see
the readme on that).

3 months agominimal example deaddrop
Andy Green [Sat, 1 Dec 2018 01:20:00 +0000 (09:20 +0800)]
minimal example deaddrop

3 months agoplugin: lws deaddrop
Andy Green [Tue, 27 Nov 2018 23:25:16 +0000 (07:25 +0800)]
plugin: lws deaddrop