DEV: update paks

Author: Michael O'Brien

paks/certs/README.md

@@ -15,4 +15,4 @@ Test certificates.
 
 ## Get Pak
 
-[https://embedthis.com/pak/](https://embedthis.com/pak/)
+[https://www.embedthis.com/pak/](https://www.embedthis.com/pak/)

paks/certs/pak.json

@@ -2,7 +2,7 @@
     "name": "certs",
     "title": "Test Certificates",
     "description": "Test Certificates",
-    "version": "0.1.6",
+    "version": "1.0.0",
     "keywords": [
         "me",
         "ssl",

paks/http/dist/http.c

@@ -507,6 +507,14 @@ static int parseArgs(int argc, char **argv)
             }
             setWorkers++;
 
+        } else if (smatch(argp, "-x")) {
+            //  Undocumented and unsupported (-D --nofollow -s)
+            mprSetDebugMode(1);
+            app->retries = 0;
+            app->timeout = HTTP_UNLIMITED;
+            app->nofollow++;
+            app->showHeaders++;
+
         } else if (smatch(argp, "--zero")) {
             app->zeroOnErrors++;
 

paks/http/dist/http.h

@@ -99,6 +99,9 @@ struct HttpWebSocket;
 #ifndef ME_HTTP_DELAY
     #define ME_HTTP_DELAY          (2000)               /**< 2 second delay per request - while delay enforced */
 #endif
+#ifndef ME_DIGEST_NONCE_DURATION
+    #define ME_DIGEST_NONCE_DURATION 60                  /**< Lifespan for Digest auth request nonce */
+#endif
 #ifndef ME_MAX_URI
     #define ME_MAX_URI             512                  /**< Reasonable URI size */
 #endif

paks/http/dist/httpLib.c

@@ -6988,7 +6988,7 @@ PUBLIC int httpDigestParse(HttpConn *conn, cchar **username, cchar **password)
             httpTrace(conn, "auth.digest.error", "error", "msg:'Access denied, Bad qop'");
             return MPR_ERR_BAD_STATE;
 
-        } else if ((when + (5 * 60)) < time(0)) {
+        } else if ((when + ME_DIGEST_NONCE_DURATION) < time(0)) {
             httpTrace(conn, "auth.digest.error", "error", "msg:'Access denied, Nonce is stale'");
             return MPR_ERR_BAD_STATE;
         }
@@ -12278,23 +12278,26 @@ static void outgoingRangeService(HttpQueue *q)
         }
     }
     for (packet = httpGetPacket(q); packet; packet = httpGetPacket(q)) {
-        if (packet->flags & HTTP_PACKET_DATA) {
-            if (!applyRange(q, packet)) {
-                return;
-            }
-        } else {
-            /*
-                Send headers and end packet downstream
-             */
-            if (packet->flags & HTTP_PACKET_END && tx->rangeBoundary) {
-                httpPutPacketToNext(q, createFinalRangePacket(conn));
-            }
-            if (!httpWillNextQueueAcceptPacket(q, packet)) {
-                httpPutBackPacket(q, packet);
-                return;
+        if (tx->outputRanges) {
+            if (packet->flags & HTTP_PACKET_DATA) {
+                if (!applyRange(q, packet)) {
+                    return;
+                }
+                continue;
+            } else {
+                /*
+                    Send headers and end packet downstream
+                 */
+                if (packet->flags & HTTP_PACKET_END && tx->rangeBoundary) {
+                    httpPutPacketToNext(q, createFinalRangePacket(conn));
+                }
             }
-            httpPutPacketToNext(q, packet);
         }
+        if (!httpWillNextQueueAcceptPacket(q, packet)) {
+            httpPutBackPacket(q, packet);
+            return;
+        }
+        httpPutPacketToNext(q, packet);
     }
 }
 
@@ -15307,7 +15310,9 @@ static char *expandRequestTokens(HttpConn *conn, char *str)
         if ((key = stok(&tok[2], ".:}", &value)) == 0) {
             continue;
         }
-        if ((stok(value, "}", &cp)) == 0) {
+        if ((stok(value, "}", &p)) != 0) {
+            cp = p;
+        } else {
             continue;
         }
         if (smatch(key, "header")) {
@@ -15422,7 +15427,7 @@ static char *expandRequestTokens(HttpConn *conn, char *str)
     }
     assert(cp);
     if (tok) {
-        if (tok > cp) {
+        if (cp && tok > cp) {
             mprPutBlockToBuf(buf, tok, tok - cp);
         }
     } else {
@@ -16406,7 +16411,7 @@ static bool parseResponseLine(HttpConn *conn, HttpPacket *packet)
     tx = conn->tx;
 
     protocol = getToken(conn, NULL, TOKEN_WORD);
-    if (protocol == NULL || protocol == '\0') {
+    if (protocol == NULL || *protocol == '\0') {
         httpBadRequestError(conn, HTTP_ABORT | HTTP_CODE_NOT_ACCEPTABLE, "Unsupported HTTP protocol");
         return 0;
     }
@@ -16808,7 +16813,7 @@ static bool parseHeaders(HttpConn *conn, HttpPacket *packet)
     if (conn->http10 && !keepAliveHeader) {
         conn->keepAliveCount = 0;
     }
-    if (httpClientConn(conn) && conn->mustClose && rx->length < 0) {
+    if (httpClientConn(conn) && conn->mustClose && rx->length < 0 && rx->status != 204) {
         /*
             Google does responses with a body and without a Content-Lenght like this:
                 Connection: close

paks/mpr-mbedtls/mpr-mbedtls.c

@@ -68,6 +68,7 @@ static void     merror(int rc, cchar *fmt, ...);
 static int      parseCert(mbedtls_x509_crt *cert, cchar *file, char **errorMsg);
 static int      parseCrl(mbedtls_x509_crl *crl, cchar *path, char **errorMsg);
 static int      parseKey(mbedtls_pk_context *key, cchar *path, char **errorMsg);
+static int      preloadMbed(MprSsl *ssl, int flags);
 static ssize    readMbed(MprSocket *sp, void *buf, ssize len);
 static char     *replaceHyphen(char *cipher, char from, char to);
 PUBLIC int      sniCallback(void *unused, mbedtls_ssl_context *ctx, cuchar *hostname, size_t len);
@@ -92,6 +93,7 @@ PUBLIC int mprSslInit(void *unused, MprModule *module)
     mbedProvider->upgradeSocket = upgradeMbed;
     mbedProvider->closeSocket = closeMbed;
     mbedProvider->disconnectSocket = disconnectMbed;
+    mbedProvider->preload = preloadMbed;
     mbedProvider->readSocket = readMbed;
     mbedProvider->writeSocket = writeMbed;
     mbedProvider->socketState = getMbedState;
@@ -405,30 +407,37 @@ static int handshakeMbed(MprSocket *sp)
             mbedtls_strerror(-rc, ebuf, sizeof(ebuf));
             sp->errorMsg = sfmt("%s: error -0x%x", ebuf, -rc);
         }
-        sp->flags |= MPR_SOCKET_EOF;
+        sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_ERROR;
         errno = EPROTO;
         return MPR_ERR_CANT_READ;
     }
     if ((vrc = mbedtls_ssl_get_verify_result(&mb->ctx)) != 0) {
         if (vrc & MBEDTLS_X509_BADCERT_MISSING) {
             sp->errorMsg = sclone("Certificate missing");
+            sp->flags |= MPR_SOCKET_CERT_ERROR;
 
         } if (vrc & MBEDTLS_X509_BADCERT_EXPIRED) {
             sp->errorMsg = sclone("Certificate expired");
+            sp->flags |= MPR_SOCKET_CERT_ERROR;
 
         } else if (vrc & MBEDTLS_X509_BADCERT_REVOKED) {
             sp->errorMsg = sclone("Certificate revoked");
+            sp->flags |= MPR_SOCKET_CERT_ERROR;
 
         } else if (vrc & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
             sp->errorMsg = sclone("Certificate common name mismatch");
+            sp->flags |= MPR_SOCKET_CERT_ERROR;
 
         } else if (vrc & MBEDTLS_X509_BADCERT_KEY_USAGE || vrc & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
             sp->errorMsg = sclone("Unauthorized key use in certificate");
+            sp->flags |= MPR_SOCKET_CERT_ERROR;
 
         } else if (vrc & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
             sp->errorMsg = sclone("Certificate not trusted");
             if (!sp->ssl->verifyIssuer) {
                 vrc = 0;
+            } else {
+                sp->flags |= MPR_SOCKET_CERT_ERROR;
             }
 
         } else if (vrc & MBEDTLS_X509_BADCERT_SKIP_VERIFY) {
@@ -440,15 +449,18 @@ static int handshakeMbed(MprSocket *sp)
         } else {
             if (mb->ctx.client_auth && !sp->ssl->certFile) {
                 sp->errorMsg = sclone("Server requires a client certificate");
+                sp->flags |= MPR_SOCKET_CERT_ERROR;
 
             } else if (rc == MBEDTLS_ERR_NET_CONN_RESET) {
                 sp->errorMsg = sclone("Peer disconnected");
+                sp->flags |= MPR_SOCKET_ERROR;
 
             } else {
                 char ebuf[256];
                 mbedtls_x509_crt_verify_info(ebuf, sizeof(ebuf), "", vrc);
                 strim(ebuf, "\n", 0);
                 sp->errorMsg = sfmt("Cannot handshake: %s, error -0x%x", ebuf, -rc);
+                sp->flags |= MPR_SOCKET_ERROR;
             }
         }
     }
@@ -505,7 +517,7 @@ static int getPeerCertInfo(MprSocket *sp)
         if (mprGetLogLevel() >= 6) {
             char buf[4096];
             mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", peer);
-            mprLog("info mbedtls", 6, "Peer certificate\n%s", buf);
+            mprLog("info mbedtls", mbedLogLevel, "Peer certificate\n%s", buf);
         }
     }
     sp->cipher = replaceHyphen(sclone(mbedtls_ssl_get_ciphersuite(ctx)), '-', '_');
@@ -529,6 +541,11 @@ static int getPeerCertInfo(MprSocket *sp)
     return 0;
 }
 
+static int preloadMbed(MprSsl *ssl, int flags)
+{
+    mprLog("error mpr ssl openssl", 4, "Preload not yet supported with MbedTLS");
+    return 0;
+}
 
 /*
     Return the number of bytes read. Return -1 on errors and EOF. Distinguish EOF via mprIsSocketEof.
@@ -604,7 +621,7 @@ static ssize writeMbed(MprSocket *sp, cvoid *buf, ssize len)
     rc = 0;
     do {
         rc = mbedtls_ssl_write(&mb->ctx, (uchar*) buf, (int) len);
-        mprDebug("debug mpr ssl mbedtls", 6, "mbedtls write: write returned %d (0x%04x), len %zd", rc, rc, len);
+        mprDebug("debug mpr ssl mbedtls", mbedLogLevel, "mbedtls write: write returned %d (0x%04x), len %zd", rc, rc, len);
         if (rc <= 0) {
             if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) {
                 break;
@@ -826,11 +843,11 @@ static int *getCipherSuite(MprSsl *ssl)
         static int once = 0;
         if (!once++) {
             cp = (ciphers && *ciphers) ? result : mbedtls_ssl_list_ciphersuites();
-            mprLog("info mbedtls", 6, "\nCiphers:");
+            mprLog("info mbedtls", mbedLogLevel, "\nCiphers:");
             for (; *cp; cp++) {
                 scopy(buf, sizeof(buf), mbedtls_ssl_get_ciphersuite_name(*cp));
                 replaceHyphen(buf, '-', '_');
-                mprLog("info mbedtls", 6, "0x%04X %s", *cp, buf);
+                mprLog("info mbedtls", mbedLogLevel, "0x%04X %s", *cp, buf);
             }
         }
     }

paks/mpr-mbedtls/mpr-mbedtls.me

@@ -25,6 +25,14 @@ Me.load({
             conflicts:    [ 'openssl', 'matrixssl', 'nanossl' ]
             depends:      [ 'libmpr-mbedtls', 'libmbedtls' ],
             location:     '${SRC}/mpr-mbedtls',
+            '-compiler': [
+                '-Wall',
+                '-Wshorten-64-to-32',
+                '-W3',
+            ],
+            '+defines': [
+                '-D_FILE_OFFSET_BITS=64'
+            ]
         },
 
         'libmpr-mbedtls': {

paks/mpr-openssl/mpr-openssl.c

@@ -261,6 +261,7 @@ static void     manageOpenConfig(OpenConfig *cfg, int flags);
 static void     manageOpenProvider(MprSocketProvider *provider, int flags);
 static void     manageOpenSocket(OpenSocket *ssp, int flags);
 static cchar    *mapCipherNames(cchar *ciphers);
+static int      preloadOss(MprSsl *ssl, int flags);
 static ssize    readOss(MprSocket *sp, void *buf, ssize len);
 static void     setSecured(MprSocket *sp);
 static int      setCertFile(SSL_CTX *ctx, cchar *certFile);
@@ -302,6 +303,7 @@ PUBLIC int mprSslInit(void *unused, MprModule *module)
         return MPR_ERR_MEMORY;
     }
     openProvider->name = sclone("openssl");
+    openProvider->preload = preloadOss;
     openProvider->upgradeSocket = upgradeOss;
     openProvider->closeSocket = closeOss;
     openProvider->disconnectSocket = disconnectOss;
@@ -892,6 +894,26 @@ static void closeOss(MprSocket *sp, bool gracefully)
 }
 
 
+static int preloadOss(MprSsl *ssl, int flags)
+{
+    char    *errorMsg;
+
+    assert(ssl);
+
+    if (ssl == 0) {
+        ssl = mprCreateSsl(flags & MPR_SOCKET_SERVER);
+    }
+    lock(ssl);
+    if (configOss(ssl, flags, &errorMsg) < 0) {
+        mprLog("error mpr ssl openssl", 4, "Cannot configure SSL %s", errorMsg);
+        unlock(ssl);
+        return MPR_ERR_CANT_INITIALIZE;
+    }
+    unlock(ssl);
+    return 0;
+}
+
+
 /*
     Upgrade a standard socket to use SSL/TLS. Used by both clients and servers to upgrade a socket for SSL.
     If a client, this may block while connecting.
@@ -1015,19 +1037,20 @@ static ssize readOss(MprSocket *sp, void *buf, ssize len)
     retries = 5;
     for (i = 0; i < retries; i++) {
         rc = SSL_read(osp->handle, buf, (int) len);
-        if (rc < 0) {
+        if (rc <= 0) {
             error = SSL_get_error(osp->handle, rc);
             if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_CONNECT || error == SSL_ERROR_WANT_ACCEPT) {
                 continue;
             }
             mprLog("info mpr ssl openssl", 5, "SSL_read %s", getOssError(sp));
+            sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_ERROR;
         }
         break;
     }
     if (osp->cfg->maxHandshakes && osp->handshakes > osp->cfg->maxHandshakes) {
         mprLog("error mpr ssl openssl", 4, "TLS renegotiation attack");
         rc = -1;
-        sp->flags |= MPR_SOCKET_EOF;
+        sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_ERROR;
         return MPR_ERR_BAD_STATE;
     }
     if (rc <= 0) {
@@ -1040,17 +1063,18 @@ static ssize readOss(MprSocket *sp, void *buf, ssize len)
             sp->flags |= MPR_SOCKET_EOF;
             rc = -1;
         } else if (error == SSL_ERROR_SYSCALL) {
-            sp->flags |= MPR_SOCKET_EOF;
+            sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_ERROR;
             rc = -1;
         } else if (error != SSL_ERROR_ZERO_RETURN) {
             /* SSL_ERROR_SSL */
             mprLog("info mpr ssl openssl", 4, "%s", getOssError(sp));
             rc = -1;
-            sp->flags |= MPR_SOCKET_EOF;
+            sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_ERROR;
         }
     } else {
         if (!(sp->flags & MPR_SOCKET_SERVER) && !sp->secured) {
             if (checkPeerCertName(sp) < 0) {
+                sp->flags |= MPR_SOCKET_EOF | MPR_SOCKET_CERT_ERROR;
                 return MPR_ERR_BAD_STATE;
             }
         }