From 638558a4dbc9a09e6c293bacd41e1d5e005fb8c0 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Mon, 15 Jan 2024 09:17:32 +0000 Subject: [PATCH 1/9] openssl: only use pc libs if no find_package --- lib/tls/CMakeLists.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt index 230b0d29a..7751cc7ba 100644 --- a/lib/tls/CMakeLists.txt +++ b/lib/tls/CMakeLists.txt @@ -271,7 +271,9 @@ if (LWS_WITH_SSL) find_package(PkgConfig QUIET) pkg_check_modules(PC_OPENSSL openssl QUIET) find_package(OpenSSL REQUIRED) - list(APPEND OPENSSL_LIBRARIES ${PC_OPENSSL_LINK_LIBRARIES}) + if (NOT OPENSSL_FOUND AND PC_OPENSSL_FOUND) + list(APPEND OPENSSL_LIBRARIES ${PC_OPENSSL_LINK_LIBRARIES}) + endif() set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARIES} PARENT_SCOPE) endif() set(OPENSSL_INCLUDE_DIRS "${OPENSSL_INCLUDE_DIR}") From c57733cb004e11803006739a4090200c3e100d85 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Mon, 15 Jan 2024 09:15:30 +0000 Subject: [PATCH 2/9] systemd-sockact: set port to 0 on unix domain --- lib/plat/unix/unix-systemd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/plat/unix/unix-systemd.c b/lib/plat/unix/unix-systemd.c index 405ae0e09..842346914 100644 --- a/lib/plat/unix/unix-systemd.c +++ b/lib/plat/unix/unix-systemd.c @@ -43,8 +43,10 @@ lws_systemd_inherited_fd(unsigned int index, info->vh_listen_sockfd = (int)(SD_LISTEN_FDS_START + index); - if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0)) + if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0)) { info->options |= LWS_SERVER_OPTION_UNIX_SOCK; + info->port = 0; + } if (sd_is_socket_inet(info->vh_listen_sockfd, AF_UNSPEC, 0, 1, 0)) { struct sockaddr_storage addr; From 9393dd3934831a264ee5431b3d3455c00d243915 Mon Sep 17 00:00:00 2001 
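Review bot: The new `if (NOT OPENSSL_FOUND AND PC_OPENSSL_FOUND)` can never be true, because the `find_package(OpenSSL REQUIRED)` immediately above it aborts the configure step when OpenSSL is not found, so the pkg-config fallback the subject line describes is dead code. To get the intended fallback, drop `REQUIRED` from the `find_package` call and fail only when both probes miss, e.g. `if (NOT OPENSSL_FOUND AND NOT PC_OPENSSL_FOUND)` / `message(FATAL_ERROR "OpenSSL not found via find_package or pkg-config")` / `endif()`. In the fallback branch `OPENSSL_INCLUDE_DIR`, which the following `set(OPENSSL_INCLUDE_DIRS ...)` line consumes, will also be empty unless it is seeded from `PC_OPENSSL_INCLUDE_DIRS`. The enclosing `if (LWS_WITH_SSL)` block starts before this hunk.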
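Review bot: `sd_is_socket_unix()` returns a negative errno value on failure (for example when the inherited fd is not a valid socket), and the newly braced `if` still treats any non-zero result as "is a unix socket", so on error the code now both sets `LWS_SERVER_OPTION_UNIX_SOCK` and zeroes `info->port`. Test the positive result explicitly, `if (sd_is_socket_unix(info->vh_listen_sockfd, 0, 0, NULL, 0) > 0) {`, and the same applies to the `sd_is_socket_inet()` check that follows. `lws_systemd_inherited_fd()` starts before this hunk and continues after it.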
From: Dustin Lundquist Date: Mon, 15 Jan 2024 06:12:58 +0000 Subject: [PATCH 3/9] ev: remove any watchers on close --- lib/event-libs/libev/libev.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/lib/event-libs/libev/libev.c b/lib/event-libs/libev/libev.c index 4bdede78d..3f3f2a7f0 100644 --- a/lib/event-libs/libev/libev.c +++ b/lib/event-libs/libev/libev.c @@ -94,6 +94,7 @@ lws_accept_cb(struct ev_loop *loop, struct ev_io *watcher, int revents) struct lws_context_per_thread *pt; struct lws_pollfd eventfd; struct lws *wsi; + int tsi = 0; if (revents & EV_ERROR) return; @@ -112,10 +113,12 @@ lws_accept_cb(struct ev_loop *loop, struct ev_io *watcher, int revents) } wsi = wsi_from_fd(context, watcher->fd); - pt = &context->pt[(int)wsi->tsi]; + if (wsi) + tsi = (int)wsi->tsi; + pt = &context->pt[tsi]; ptpr = pt_to_priv_ev(pt); - lws_service_fd_tsi(context, &eventfd, (int)wsi->tsi); + lws_service_fd_tsi(context, &eventfd, tsi); ev_idle_start(ptpr->io_loop, &ptpr->idle); } @@ -413,6 +416,14 @@ elops_destroy_wsi_ev(struct lws *wsi) ev_io_stop(ptpr->io_loop, &w->w_write.watcher); } +static int +elops_wsi_logical_close_ev(struct lws *wsi) +{ + elops_destroy_wsi_ev(wsi); + + return 0; +} + static const struct lws_event_loop_ops event_loop_ops_ev = { /* name */ "libev", /* init_context */ elops_init_context_ev, @@ -420,7 +431,7 @@ static const struct lws_event_loop_ops event_loop_ops_ev = { /* destroy_context2 */ elops_destroy_context2_ev, /* init_vhost_listen_wsi */ elops_init_vhost_listen_wsi_ev, /* init_pt */ elops_init_pt_ev, - /* wsi_logical_close */ NULL, + /* wsi_logical_close */ elops_wsi_logical_close_ev, /* check_client_connect_ok */ NULL, /* close_handle_manually */ NULL, /* accept */ elops_accept_ev, From 837db622eb52f719982305473d09b665212900ad Mon Sep 17 00:00:00 2001 
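Review bot: When `wsi_from_fd()` returns NULL the new code silently services the fd against `context->pt[0]`, which is the wrong per-thread struct whenever the fd belongs to another service thread's loop; the old code dereferenced the NULL here, so the case is presumably reachable. Either bail out when there is no wsi (`if (!wsi) { lwsl_debug("%s: no wsi for fd %d\n", __func__, watcher->fd); return; }`) or, if the mapping is available, derive the pt from the loop the watcher fired on rather than defaulting to thread 0. If servicing an fd without a wsi is intentional (e.g. a listen or cancel fd), a comment on the `int tsi = 0;` default saying so would stop the next reader from "fixing" it. `lws_accept_cb()` starts before this hunk.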
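Review bot: `elops_wsi_logical_close_ev()` stops the same watchers that `elops_destroy_wsi_ev()` will stop again when the wsi is finally destroyed, and nothing in the hunk says why the double stop is safe. libev's `ev_io_stop()` is a no-op on a watcher that is not active, so it is fine, but a comment above the new function would save the next reader the check: `/* Stop the io watchers as soon as the wsi is logically closed so libev cannot deliver events into a wsi being torn down; ev_io_stop() is idempotent, so destroy_wsi stopping them again is harmless. */`. The top of `elops_destroy_wsi_ev()` is outside this hunk.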
From: Andy Green Date: Mon, 15 Jan 2024 15:32:56 +0000 Subject: [PATCH 4/9] clean: avoid maybe-uninitialized https://github.com/warmcat/libwebsockets/issues/3049 --- lib/core-net/wol.c | 3 ++- lib/core/logs.c | 6 ++--- lib/roles/http/client/client-http.c | 41 +++++++++-------------------- lib/roles/http/date.c | 2 +- lib/roles/http/server/server.c | 2 +- lib/system/smd/smd.c | 9 +++---- lib/tls/tls-network.c | 4 +-- 7 files changed, 26 insertions(+), 41 deletions(-) diff --git a/lib/core-net/wol.c b/lib/core-net/wol.c index 8edada906..eb6f6c6f6 100644 --- a/lib/core-net/wol.c +++ b/lib/core-net/wol.c @@ -79,7 +79,8 @@ lws_wol(struct lws_context *ctx, const char *ip_or_NULL, uint8_t *mac_6_bytes) ret = 0; bail: - close(fd); + if (fd >= 0) /* coverity */ + close(fd); return ret; } diff --git a/lib/core/logs.c b/lib/core/logs.c index 269f30988..bbda17a12 100644 --- a/lib/core/logs.c +++ b/lib/core/logs.c @@ -179,11 +179,11 @@ __lws_lc_untag(struct lws_context *context, lws_lifecycle_t *lc) //grp = lws_container_of(lc->list.owner, lws_lifecycle_group_t, owner); - lws_humanize(buf, sizeof(buf), +#if defined(LWS_LOG_TAG_LIFECYCLE) + if (lws_humanize(buf, sizeof(buf), (uint64_t)lws_now_usecs() - lc->us_creation, - humanize_schema_us); + humanize_schema_us) > 0) -#if defined(LWS_LOG_TAG_LIFECYCLE) lwsl_cx_notice(context, " -- %s (%d) %s", lc->gutag, (int)lc->list.owner->count - 1, buf); #endif diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index 57397fce9..a205e781e 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c @@ -591,7 +591,7 @@ static const char *digest_toks[] = { "response", // 1 << 5 "opaque", // 1 << 6 "qop", // 1 << 7 - "algorithm" // 1 << 8 + "algorithm", // 1 << 8 "nc", // 1 << 9 "cnonce", // 1 << 10 "domain", // 1 << 11 
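Review bot: The `if (fd >= 0)` guard at `bail:` only settles the maybe-uninitialized report if `fd` is initialised to -1 at its declaration, which is above this hunk; if it is declared bare, the uninitialised read simply moves from `close()` into the comparison. Worth confirming the declaration reads `int fd = -1;` and replacing the bare `/* coverity */` with `/* fd is -1 on the error paths reached before or by a failed socket() */` so the reason for the check survives the next refactor. `lws_wol()` starts before this hunk.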
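Review bot: Making the `lwsl_cx_notice()` conditional on `lws_humanize(...) > 0` means the untag notice is silently dropped whenever the humanize call fails or produces nothing, whereas previously the line was always logged; if losing the lifecycle event in that case is acceptable a comment should say so, otherwise log it with a placeholder duration. The unbraced `if` whose body is a three-line macro invocation is also fragile; braces around the `lwsl_cx_notice(...)` call would keep it correct if the macro ever expands to more than one statement. `__lws_lc_untag()` starts before this hunk.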
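Review bot: The restored comma shows how easily this table drifts from the `1 << n` bit positions the parser tests against `seen`: the missing comma had concatenated `"algorithm"` and `"nc"` into one entry, shifting every later token down one bit. A compile-time check tying the table length to the bitmask would catch the next one, e.g. `_Static_assert(LWS_ARRAY_SIZE(digest_toks) == 16, "digest_toks must match the seen bitmask");` with the constant set to the real entry count (the table continues past this hunk, so it is not visible here). If `_Static_assert` is not acceptable in this tree, an enum of token indices shared by the table and the mask tests achieves the same.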
@@ -604,7 +604,7 @@ enum lws_check_basic_auth_results lws_http_digest_auth(struct lws* wsi) { uint8_t nonce[256], response[LWS_GENHASH_LARGEST], qop[32]; - int seen = 0, n, pend = -1, skipping = 0; + int seen = 0, n, pend = -1; char *tmp_digest = NULL; struct lws_tokenize ts; char resp_username[32]; @@ -677,8 +677,6 @@ lws_http_digest_auth(struct lws* wsi) break; case LWS_TOKZE_TOKEN_NAME_EQUALS: - if (skipping) - break; if ((seen & (1 << 15)) == (1 << 15) || pend != -1) /* no auth type token or disordered */ return LCBA_END_TRANSACTION; @@ -704,8 +702,6 @@ lws_http_digest_auth(struct lws* wsi) break; case LWS_TOKZE_QUOTED_STRING: - if (skipping) - break; if (pend < 0) return LCBA_END_TRANSACTION; @@ -757,8 +753,6 @@ lws_http_digest_auth(struct lws* wsi) case LWS_TOKZE_DELIMITER: if (*ts.token == ',') { - if (skipping) - break; if (pend != PEND_DELIM) return LCBA_END_TRANSACTION; @@ -766,11 +760,6 @@ lws_http_digest_auth(struct lws* wsi) break; } if (*ts.token == ';') { - if (skipping) { - /* try again with this one */ - skipping = 0; - break; - } /* it's the end */ e = LWS_TOKZE_ENDED; break; 
@@ -1062,27 +1051,23 @@ lws_client_interpret_server_handshake(struct lws *wsi) n = atoi(p); #if defined(LWS_WITH_HTTP_DIGEST_AUTH) - if (n == 401 && lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_WWW_AUTHENTICATE)) { - if (!(wsi->stash && wsi->stash->cis[CIS_USERNAME] && - wsi->stash->cis[CIS_PASSWORD])) { - lwsl_err( - "Digest auth requested by server but no credentials provided " - "by user\n"); - return LCBA_FAILED_AUTH; - } - - if (0 != lws_http_digest_auth(wsi)) { - if (wsi) - goto bail3; - return 1; - } + if (n == 401 && lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_WWW_AUTHENTICATE)) { + if (!(wsi->stash && wsi->stash->cis[CIS_USERNAME] && + wsi->stash->cis[CIS_PASSWORD])) { + lwsl_err("Digest auth requested by server but no credentials provided by user\n"); + + return LCBA_FAILED_AUTH; + } + + if (lws_http_digest_auth(wsi)) + goto bail3; opaque = wsi->a.opaque_user_data; lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS, "digest_auth_step2"); wsi->a.opaque_user_data = opaque; return -1; - } + } ah = wsi->http.ah; #endif diff --git a/lib/roles/http/date.c b/lib/roles/http/date.c index 6ac42ba9c..327ca601b 100644 --- a/lib/roles/http/date.c +++ b/lib/roles/http/date.c @@ -150,7 +150,7 @@ lws_http_date_parse_unix(const char *b, size_t len, time_t *t) #endif #endif - return (int)*t == -1 ? -1 : 0; + return (int)(*t == -1 ? -1 : 0); } #if defined(LWS_WITH_CLIENT) diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c index ff5b1255e..e976e89d5 100644 --- a/lib/roles/http/server/server.c +++ b/lib/roles/http/server/server.c @@ -93,7 +93,7 @@ _lws_vhost_init_server_af(struct vh_sock_args *a) int n, opt = 1, limit = 1, san = 2; lws_sockfd_type sockfd; struct lws *wsi; - int m = 0, is; + int m = 0, is = 0; #if defined(LWS_WITH_IPV6) int value = 1; #endif diff --git a/lib/system/smd/smd.c b/lib/system/smd/smd.c index f412b6181..be6fbb4c6 100644 --- a/lib/system/smd/smd.c +++ b/lib/system/smd/smd.c 
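Review bot: After the new `if (lws_http_digest_auth(wsi)) goto bail3;` the unchanged lines still call `lws_close_free_wsi(wsi, ...)` and then store `wsi->a.opaque_user_data = opaque;` — unless `lws_close_free_wsi()` defers freeing this wsi in the digest-auth case, that store is a use-after-free and the saved `opaque` never reaches anything that outlives the close. If the intent is to carry the user's opaque pointer into the retried connection, it has to be stashed somewhere that survives (the stash or the context) before the close, or the close deferred to the caller; at minimum a comment explaining why the write after the close is safe. The condition also relies on `LCBA_CONTINUE` being the zero value of `enum lws_check_basic_auth_results`, which is worth stating. `lws_client_interpret_server_handshake()` starts before this hunk and continues after it.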
@@ -533,17 +533,16 @@ _lws_smd_msg_deliver_peer(struct lws_context *ctx, lws_smd_peer_t *pr) msg = lws_container_of(pr->tail, lws_smd_msg_t, list); - - lwsl_cx_info(ctx, "deliver cl 0x%x, len %d, refc %d, to peer %p", + lwsl_cx_info(ctx, "deliver cl 0x%x, len %d, to peer %p", (unsigned int)msg->_class, (int)msg->length, - (int)msg->refcount, pr); + pr); pr->cb(pr->opaque, msg->_class, msg->timestamp, ((uint8_t *)&msg[1]) + LWS_SMD_SS_RX_HEADER_LEN_EFF, (size_t)msg->length); - +#if !defined(__COVERITY__) assert(msg->refcount); - +#endif /* * If there is one, move forward to the next queued * message that meets the filters of this peer diff --git a/lib/tls/tls-network.c b/lib/tls/tls-network.c index 4d6ab95e7..4a1e14391 100644 --- a/lib/tls/tls-network.c +++ b/lib/tls/tls-network.c @@ -90,8 +90,8 @@ lws_tls_check_cert_lifetime(struct lws_vhost *v) return 1; life = (ir.time - now) / (24 * 3600); - lwsl_vhost_notice(v, " vhost %s: cert expiry: %dd", v->name, - (int)life); + lwsl_vhost_notice(v, " vhost %s: cert expiry: %lldd", v->name, + (long long)life); } else lwsl_vhost_info(v, " vhost %s: no cert", v->name); From 36ff3b8d738a94d7c1d1b56ee9d41eb591088d2c Mon Sep 17 00:00:00 2001 From: Andy Green Date: Tue, 16 Jan 2024 07:33:38 +0000 Subject: [PATCH 5/9] tls: if no ssl then skip ss-blob example --- .../secure-streams/minimal-secure-streams-blob/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt b/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt index d61982641..33827ae96 100644 --- a/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt +++ b/minimal-examples-lowlevel/secure-streams/minimal-secure-streams-blob/CMakeLists.txt 
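Review bot: Wrapping `assert(msg->refcount)` in `#if !defined(__COVERITY__)` hides the finding instead of answering it: together with dropping `msg->refcount` from the log line, it suggests Coverity reported that `msg` can be released inside `pr->cb()`. If that is possible, the assert and the `msg->...` reads that follow the hunk are a use-after-free in every non-Coverity build too; if it is not, because the caller holds a reference across the callback, the right fix is to state that invariant and drop the `#if`: `/* the caller holds a ref on msg for the duration of pr->cb(), so msg is still valid here */`. `_lws_smd_msg_deliver_peer()` starts before this hunk and continues after it.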
@@ -15,6 +15,7 @@ require_lws_config(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY 0 requirements) require_lws_config(LWS_WITH_SYS_STATE 1 requirements) require_lws_config(LWS_WITH_GENCRYPTO 1 requirements) require_lws_config(USE_WOLFSSL 0 requirements) +require_lws_config(LWS_WITH_SSL 1 requirements) if (requirements) add_executable(${SAMP} minimal-secure-streams.c) From 1239a2b1211ecfe3712ab1e84683de95b466604f Mon Sep 17 00:00:00 2001 From: Andy Green Date: Wed, 17 Jan 2024 08:54:48 +0000 Subject: [PATCH 6/9] http-digest: coverity: dead code --- lib/roles/http/client/client-http.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index a205e781e..b5a03b129 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c @@ -776,9 +776,6 @@ lws_http_digest_auth(struct lws* wsi) } while (e > 0); - if (e != LWS_TOKZE_ENDED) - return LCBA_END_TRANSACTION; - /* we got all the parts we care about? Realm + Nonce... */ if ((seen & 0xc) != 0xc) { From 378ad62adf2c89284c0bd472552de17138fc21c0 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Fri, 16 Feb 2024 15:43:48 +0000 Subject: [PATCH 7/9] digest: only if we have tls lib to do hashing --- include/libwebsockets/lws-genhash.h | 4 ++++ lib/roles/http/client/client-http.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/libwebsockets/lws-genhash.h b/include/libwebsockets/lws-genhash.h index f27c3b914..a78a94aa7 100644 --- a/include/libwebsockets/lws-genhash.h +++ b/include/libwebsockets/lws-genhash.h @@ -51,6 +51,8 @@ enum lws_genhmac_types { #define LWS_GENHASH_LARGEST 64 +#if defined(LWS_WITH_TLS) && defined(LWS_WITH_GENCRYPTO) + struct lws_genhash_ctx { uint8_t type; #if defined(LWS_WITH_MBEDTLS) 
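Review bot: Deleting the `if (e != LWS_TOKZE_ENDED) return LCBA_END_TRANSACTION;` after `do { ... } while (e > 0);` is only safe if every negative tokenizer result (`LWS_TOKZE_ERR_*`) already returns inside the switch, which is outside this hunk; if any negative code falls out of the loop, a malformed `WWW-Authenticate` header now proceeds to the `seen` checks as if it had parsed cleanly. The loop condition alone cannot distinguish "ended" (0) from "failed" (negative). A comment at the loop exit, `/* every LWS_TOKZE_ERR_* case returns inside the switch, so only LWS_TOKZE_ENDED reaches here */`, records the invariant the deletion depends on. `lws_http_digest_auth()` starts before this hunk.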
@@ -186,4 +188,6 @@ lws_genhmac_update(struct lws_genhmac_ctx *ctx, const void *in, size_t len); */ LWS_VISIBLE LWS_EXTERN int lws_genhmac_destroy(struct lws_genhmac_ctx *ctx, void *result); + +#endif ///@} diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index b5a03b129..30974dd3d 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c @@ -580,7 +580,7 @@ lws_http_client_http_response(struct lws *wsi) #endif -#if defined(LWS_WITH_HTTP_DIGEST_AUTH) +#if defined(LWS_WITH_HTTP_DIGEST_AUTH) && defined(LWS_WITH_TLS) static const char *digest_toks[] = { "Digest", // 1 << 0 @@ -1047,7 +1047,7 @@ lws_client_interpret_server_handshake(struct lws *wsi) #endif n = atoi(p); -#if defined(LWS_WITH_HTTP_DIGEST_AUTH) +#if defined(LWS_WITH_HTTP_DIGEST_AUTH) && defined(LWS_WITH_TLS) if (n == 401 && lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_WWW_AUTHENTICATE)) { if (!(wsi->stash && wsi->stash->cis[CIS_USERNAME] && wsi->stash->cis[CIS_PASSWORD])) { From 4f3ce6458b1198f6e775f91c19f5c8c8d252e194 Mon Sep 17 00:00:00 2001 From: "AD001\\z0048zxj" Date: Fri, 9 Feb 2024 14:56:10 +0530 Subject: [PATCH 8/9] openssl: support SSLKEYLOGFILE server secret logging --- lib/core/private-lib-core.h | 7 +++++++ lib/tls/openssl/openssl-client.c | 2 +- lib/tls/openssl/openssl-server.c | 5 +++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/core/private-lib-core.h b/lib/core/private-lib-core.h index f894f2deb..a138e4430 100644 --- a/lib/core/private-lib-core.h +++ b/lib/core/private-lib-core.h @@ -1185,6 +1185,13 @@ lws_transport_mux_next_free(lws_transport_mux_t *tm, lws_mux_ch_idx_t *result); void sul_ping_cb(lws_sorted_usec_list_t *sul); +/* Added Declaration of this function to make common for openssl-server */ +#if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ + defined(LWS_WITH_TLS) +void +lws_klog_dump(const SSL *ssl, const char *line); +#endif + #if !defined(PRIu64) #define PRIu64 "llu" #endif 
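Review bot: The new `#endif` closes a conditional opened about 140 lines earlier, so tag it: `#endif /* LWS_WITH_TLS && LWS_WITH_GENCRYPTO */`. The `///@}` Doxygen group closer stays outside the conditional, which is right as long as the group opener above is unconditional too (not visible here).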
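Review bot: This guard is `LWS_WITH_HTTP_DIGEST_AUTH && LWS_WITH_TLS`, but the `lws_genhash_ctx` type and `lws_genhash_*` prototypes that `lws_http_digest_auth()` uses are now only declared under `LWS_WITH_TLS && LWS_WITH_GENCRYPTO` (the lws-genhash.h change in this same patch), so a build with TLS on and `LWS_WITH_GENCRYPTO` off will fail to compile unless CMake forces GENCRYPTO on whenever digest auth is enabled. Spell the same condition in both places, `#if defined(LWS_WITH_HTTP_DIGEST_AUTH) && defined(LWS_WITH_TLS) && defined(LWS_WITH_GENCRYPTO)`, or make digest auth require GENCRYPTO in the build system. The second hunk at line 1047 has the same mismatch.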
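Review bot: The prototype is guarded on `LWS_HAVE_SSL_CTX_set_keylog_callback && LWS_WITH_TLS`, but the definition in openssl-client.c is guarded on those plus `LWS_WITH_CLIENT`, so a server-only build that takes the new `SSL_CTX_set_keylog_callback()` registration will compile and then fail at link with an undefined `lws_klog_dump`. Either add `defined(LWS_WITH_CLIENT)` to both the prototype and the server-side registration, or move the function into a file that is compiled whenever OpenSSL is built. The comment `/* Added Declaration of this function to make common for openssl-server */` is a changelog entry rather than documentation; replace it with what the function does, e.g. `/* OpenSSL keylog callback shared by client and server vhosts; emits TLS session secrets (SSLKEYLOGFILE) for the wsi attached to ssl */`, checked against the implementation.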
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c index da72ecba2..003a870e5 100644 --- a/lib/tls/openssl/openssl-client.c +++ b/lib/tls/openssl/openssl-client.c @@ -711,7 +711,7 @@ lws_tls_client_vhost_extra_cert_mem(struct lws_vhost *vh, #if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ defined(LWS_WITH_TLS) && defined(LWS_WITH_CLIENT) -static void +void lws_klog_dump(const SSL *ssl, const char *line) { struct lws *wsi = SSL_get_ex_data(ssl, diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c index 1fc819293..083e0d8da 100644 --- a/lib/tls/openssl/openssl-server.c +++ b/lib/tls/openssl/openssl-server.c @@ -529,6 +529,11 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info, error, s); return 1; } + /* Added for sniffing packets on hub side */ +#if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \ + defined(LWS_WITH_TLS) + SSL_CTX_set_keylog_callback(vhost->tls.ssl_ctx, lws_klog_dump); +#endif SSL_CTX_set_ex_data(vhost->tls.ssl_ctx, openssl_SSL_CTX_private_data_index, From b71a6621b0b14bfc8fcbe804b036a9543af5e910 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Sat, 17 Feb 2024 12:33:18 +0000 Subject: [PATCH 9/9] h2: file upload: avoid feeling too much POST https://github.com/warmcat/libwebsockets/issues/3070 --- lib/roles/h2/http2.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c index c7b481552..8f4aa9e25 100644 --- a/lib/roles/h2/http2.c +++ b/lib/roles/h2/http2.c 
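Review bot: `SSL_CTX_set_keylog_callback(vhost->tls.ssl_ctx, lws_klog_dump)` is now registered on every server vhost whenever the OpenSSL build has the API, so the only thing preventing a production server from writing its TLS session secrets to disk is whatever check `lws_klog_dump()` performs (outside this hunk, presumably the `SSLKEYLOGFILE` environment variable); an inherited environment variable is a weak gate for server-side key disclosure. Make the server-side registration an explicit opt-in (a vhost option or dedicated build flag) and emit a warning from vhost init when it is active, so loss of forward secrecy is visible in the logs. The comment `/* Added for sniffing packets on hub side */` should describe the mechanism rather than the author's use case, e.g. `/* Export TLS session secrets in SSLKEYLOGFILE format so captures can be decrypted while debugging; never enable in production */`. `lws_tls_server_vhost_backend_init()` starts before this hunk and continues after it.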
@@ -2208,13 +2208,15 @@ lws_h2_parser(struct lws *wsi, unsigned char *in, lws_filepos_t _inlen, WSI_TOKEN_HTTP_CONTENT_LENGTH) && h2n->swsi->http.rx_content_length && h2n->swsi->http.rx_content_remain < - h2n->length && /* last */ + h2n->length - h2n->inside && /* last */ h2n->inside < h2n->length) { - lwsl_warn("%s: %lu %lu %lu %lu\n", __func__, + lwsl_warn("%s: rx.cl: %lu, rx.content_remain: %lu, buf left: %lu, " + "h2->inside: %lu, h2->length: %lu\n", __func__, + (unsigned long)h2n->swsi->http.rx_content_length, (unsigned long)h2n->swsi->http.rx_content_remain, - (unsigned long)(lws_ptr_diff_size_t(iend, in) + 1), - (unsigned long)h2n->inside, (unsigned long)h2n->length); + (unsigned long)(lws_ptr_diff_size_t(iend, in) + 1), + (unsigned long)h2n->inside, (unsigned long)h2n->length); /* unread data in frame */ lws_h2_goaway(wsi,
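Review bot: The new `h2n->swsi->http.rx_content_remain < h2n->length - h2n->inside` is evaluated before the `h2n->inside < h2n->length` term on the next line, so if `inside` ever exceeds `length` the subtraction wraps (both are printed through `unsigned long` casts, so they appear to be unsigned) and only the later term rejects the frame; correct, but only because of the `&&` order. Swapping the two terms so `h2n->inside < h2n->length &&` precedes the subtraction makes the guard self-evidently safe. `lws_h2_parser()` starts before this hunk and continues after it.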