summaryrefslogtreecommitdiff
path: root/thirdparty/lws
diff options
context:
space:
mode:
Diffstat (limited to 'thirdparty/lws')
-rw-r--r--thirdparty/lws/client/client.c20
-rw-r--r--thirdparty/lws/client/ssl-client.c14
-rw-r--r--thirdparty/lws/context.c2
-rw-r--r--thirdparty/lws/libwebsockets.c11
-rw-r--r--thirdparty/lws/libwebsockets.h7
-rw-r--r--thirdparty/lws/lws_config.h36
-rw-r--r--thirdparty/lws/mbedtls_verify.diff74
-rw-r--r--thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h1
-rw-r--r--thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h4
-rw-r--r--thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c31
-rw-r--r--thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c79
-rw-r--r--thirdparty/lws/minilex.c272
-rw-r--r--thirdparty/lws/misc/lejp.c2
-rw-r--r--thirdparty/lws/misc/sha-1.c2
-rw-r--r--thirdparty/lws/output.c10
-rw-r--r--thirdparty/lws/pollfd.c7
-rw-r--r--thirdparty/lws/private-libwebsockets.h5
-rw-r--r--thirdparty/lws/server/ssl-server.c2
-rw-r--r--thirdparty/lws/service.c17
-rw-r--r--thirdparty/lws/ssl.c15
20 files changed, 257 insertions, 354 deletions
diff --git a/thirdparty/lws/client/client.c b/thirdparty/lws/client/client.c
index 20450aa923..ded4e4bf0b 100644
--- a/thirdparty/lws/client/client.c
+++ b/thirdparty/lws/client/client.c
@@ -258,9 +258,10 @@ start_ws_handshake:
#ifdef LWS_OPENSSL_SUPPORT
/* we can retry this... just cook the SSL BIO the first time */
- if (wsi->use_ssl && !wsi->ssl) {
- if (lws_ssl_client_bio_create(wsi))
- return -1;
+ if (wsi->use_ssl && !wsi->ssl &&
+ lws_ssl_client_bio_create(wsi) < 0) {
+ cce = "bio_create failed";
+ goto bail3;
}
if (wsi->use_ssl) {
@@ -727,9 +728,10 @@ lws_client_interpret_server_handshake(struct lws *wsi)
return 0;
}
- if (lws_hdr_total_length(wsi, WSI_TOKEN_ACCEPT) == 0) {
- lwsl_info("no ACCEPT\n");
- cce = "HS: ACCEPT missing";
+ if (p && !strncmp(p, "401", 3)) {
+ lwsl_warn(
+ "lws_client_handshake: got bad HTTP response '%s'\n", p);
+ cce = "HS: ws upgrade unauthorized";
goto bail3;
}
@@ -740,6 +742,12 @@ lws_client_interpret_server_handshake(struct lws *wsi)
goto bail3;
}
+ if (lws_hdr_total_length(wsi, WSI_TOKEN_ACCEPT) == 0) {
+ lwsl_info("no ACCEPT\n");
+ cce = "HS: ACCEPT missing";
+ goto bail3;
+ }
+
p = lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE);
if (!p) {
lwsl_info("no UPGRADE\n");
diff --git a/thirdparty/lws/client/ssl-client.c b/thirdparty/lws/client/ssl-client.c
index b69fd2da30..962c6e3cb5 100644
--- a/thirdparty/lws/client/ssl-client.c
+++ b/thirdparty/lws/client/ssl-client.c
@@ -176,11 +176,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
#endif
#else
#if defined(LWS_WITH_MBEDTLS)
- if (wsi->vhost->x509_client_CA)
- SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
- else
- SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
-
+ SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
@@ -284,9 +280,13 @@ some_wait:
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
- lwsl_err("ssl hs1 error, X509_V_ERR = %d: %s\n",
- n, ERR_error_string(n, sb));
+ lwsl_err("ssl hs1 error, X509_V_ERR = %d: errno %d: %s\n",
+ n, errno, ERR_error_string(n, sb));
lws_ssl_elaborate_error();
+#if defined(LWS_WITH_MBEDTLS)
+ if (n == SSL_ERROR_SYSCALL)
+ return -1;
+#endif
}
n = -1;
diff --git a/thirdparty/lws/context.c b/thirdparty/lws/context.c
index f67476b1e3..9f221f50f1 100644
--- a/thirdparty/lws/context.c
+++ b/thirdparty/lws/context.c
@@ -1621,7 +1621,7 @@ lws_context_destroy2(struct lws_context *context)
lws_check_deferred_free(context, 1);
#if LWS_MAX_SMP > 1
- pthread_mutex_destroy(&context->lock, NULL);
+ pthread_mutex_destroy(&context->lock);
#endif
lws_free(context);
diff --git a/thirdparty/lws/libwebsockets.c b/thirdparty/lws/libwebsockets.c
index 50f975d21e..8fe0854041 100644
--- a/thirdparty/lws/libwebsockets.c
+++ b/thirdparty/lws/libwebsockets.c
@@ -482,8 +482,9 @@ lws_close_free_wsi(struct lws *wsi, enum lws_close_status reason)
wsi->mode == LWSCM_WSCL_ISSUE_HANDSHAKE)
goto just_kill_connection;
- if (wsi->mode == LWSCM_HTTP_SERVING ||
- wsi->mode == LWSCM_HTTP2_SERVING) {
+ if (!wsi->told_user_closed &&
+ (wsi->mode == LWSCM_HTTP_SERVING ||
+ wsi->mode == LWSCM_HTTP2_SERVING)) {
if (wsi->user_space)
wsi->vhost->protocols->callback(wsi,
LWS_CALLBACK_HTTP_DROP_PROTOCOL,
@@ -583,7 +584,7 @@ just_kill_connection:
lws_remove_child_from_any_parent(wsi);
n = 0;
- if (wsi->user_space) {
+ if (!wsi->told_user_closed && wsi->user_space) {
lwsl_debug("%s: %p: DROP_PROTOCOL %s\n", __func__, wsi,
wsi->protocol->name);
wsi->protocol->callback(wsi,
@@ -656,8 +657,10 @@ just_kill_connection:
__func__, wsi, (int)(long)wsi->desc.sockfd,
wsi->state);
if (!wsi->socket_is_permanently_unusable &&
- lws_sockfd_valid(wsi->desc.sockfd))
+ lws_sockfd_valid(wsi->desc.sockfd)) {
+ wsi->socket_is_permanently_unusable = 1;
n = shutdown(wsi->desc.sockfd, SHUT_WR);
+ }
}
if (n)
lwsl_debug("closing: shutdown (state %d) ret %d\n",
diff --git a/thirdparty/lws/libwebsockets.h b/thirdparty/lws/libwebsockets.h
index ef996c5d78..460c732602 100644
--- a/thirdparty/lws/libwebsockets.h
+++ b/thirdparty/lws/libwebsockets.h
@@ -1073,7 +1073,7 @@ enum lws_callback_reasons {
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS = 22,
/**< if configured for
* including OpenSSL support, this callback allows your user code
- * to load extra certifcates into the server which allow it to
+ * to load extra certificates into the server which allow it to
* verify the validity of certificates returned by clients. user
* is the server's OpenSSL SSL_CTX* */
LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION = 23,
@@ -4013,9 +4013,6 @@ lws_set_timeout(struct lws *wsi, enum pending_timeout reason, int secs);
#if !defined(LWS_SIZEOFPTR)
#define LWS_SIZEOFPTR (sizeof (void *))
#endif
-#if !defined(u_int64_t)
-#define u_int64_t unsigned long long
-#endif
#if defined(__x86_64__)
#define _LWS_PAD_SIZE 16 /* Intel recommended for best performance */
@@ -4808,7 +4805,7 @@ LWS_VISIBLE LWS_EXTERN unsigned long
lws_now_secs(void);
/**
- * lws_get_context - Allow geting lws_context from a Websocket connection
+ * lws_get_context - Allow getting lws_context from a Websocket connection
* instance
*
* With this function, users can access context in the callback function.
diff --git a/thirdparty/lws/lws_config.h b/thirdparty/lws/lws_config.h
index 3a918747b1..6005d94ec6 100644
--- a/thirdparty/lws/lws_config.h
+++ b/thirdparty/lws/lws_config.h
@@ -1,5 +1,10 @@
/* lws_config.h Generated from lws_config.h.in */
-#include "lws_config_private.h"
+
+/* GODOT ADDITION */
+#ifndef DEBUG_ENABLED
+#define LWS_WITH_NO_LOGS
+#endif
+/* END GODOT ADDITION */
#ifndef NDEBUG
#ifndef _DEBUG
@@ -25,54 +30,45 @@
/* #undef LWS_WITH_PLUGINS */
/* #undef LWS_WITH_NO_LOGS */
-#ifndef DEBUG_ENABLED
-#define LWS_WITH_NO_LOGS
-#endif
/* The Libwebsocket version */
-#define LWS_LIBRARY_VERSION "2.4.1"
+#define LWS_LIBRARY_VERSION "2.4.2"
#define LWS_LIBRARY_VERSION_MAJOR 2
#define LWS_LIBRARY_VERSION_MINOR 4
-#define LWS_LIBRARY_VERSION_PATCH 1
+#define LWS_LIBRARY_VERSION_PATCH 2
/* LWS_LIBRARY_VERSION_NUMBER looks like 1005001 for e.g. version 1.5.1 */
#define LWS_LIBRARY_VERSION_NUMBER (LWS_LIBRARY_VERSION_MAJOR*1000000)+(LWS_LIBRARY_VERSION_MINOR*1000)+LWS_LIBRARY_VERSION_PATCH
/* The current git commit hash that we're building from */
-#define LWS_BUILD_HASH "55f97b7806e07db2d4c8a158172cd309d0faf450"
+#define LWS_BUILD_HASH "8964ce9db75a98e463dfafd2e89f2bc8a95ec6ed"
/* Build with OpenSSL support */
#define LWS_OPENSSL_SUPPORT
/* The client should load and trust CA root certs it finds in the OS */
-#define LWS_SSL_CLIENT_USE_OS_CA_CERTS
+/* #undef LWS_SSL_CLIENT_USE_OS_CA_CERTS */
/* Sets the path where the client certs should be installed. */
-#define LWS_OPENSSL_CLIENT_CERTS "../share"
+/* #undef LWS_OPENSSL_CLIENT_CERTS "../share" */
/* Turn off websocket extensions */
/* #undef LWS_NO_EXTENSIONS */
/* Enable libev io loop */
/* #undef LWS_WITH_LIBEV */
-#undef LWS_WITH_LIBEV
/* Enable libuv io loop */
/* #undef LWS_WITH_LIBUV */
-#undef LWS_WITH_LIBUV
/* Enable libevent io loop */
/* #undef LWS_WITH_LIBEVENT */
-#undef LWS_WITH_LIBEVENT
/* Build with support for ipv6 */
/* #undef LWS_WITH_IPV6 */
/* Build with support for UNIX domain socket */
/* #undef LWS_WITH_UNIX_SOCK */
-#ifdef WINDOWS_ENABLED
-#undef LWS_USE_UNIX_SOCK
-#endif
/* Build with support for HTTP2 */
/* #undef LWS_WITH_HTTP2 */
@@ -100,7 +96,7 @@
/* SSL server using ECDH certificate */
/* #undef LWS_SSL_SERVER_WITH_ECDH_CERT */
-#define LWS_HAVE_SSL_CTX_set1_param
+/* #undef LWS_HAVE_SSL_CTX_set1_param */
#define LWS_HAVE_X509_VERIFY_PARAM_set1_host
/* #undef LWS_HAVE_RSA_SET0_KEY */
@@ -110,7 +106,7 @@
/* #undef LWS_WITH_CGI */
/* whether the Openssl is recent enough, and / or built with, ecdh */
-#define LWS_HAVE_OPENSSL_ECDH_H
+/* #undef LWS_HAVE_OPENSSL_ECDH_H */
/* HTTP Proxy support */
/* #undef LWS_WITH_HTTP_PROXY */
@@ -157,9 +153,9 @@
/* OpenSSL various APIs */
-/* #undef LWS_HAVE_TLS_CLIENT_METHOD */
-#define LWS_HAVE_TLSV1_2_CLIENT_METHOD
-#define LWS_HAVE_SSL_SET_INFO_CALLBACK
+#define LWS_HAVE_TLS_CLIENT_METHOD
+/* #undef LWS_HAVE_TLSV1_2_CLIENT_METHOD */
+/* #undef LWS_HAVE_SSL_SET_INFO_CALLBACK */
#define LWS_HAS_INTPTR_T
diff --git a/thirdparty/lws/mbedtls_verify.diff b/thirdparty/lws/mbedtls_verify.diff
new file mode 100644
index 0000000000..d320645d67
--- /dev/null
+++ b/thirdparty/lws/mbedtls_verify.diff
@@ -0,0 +1,74 @@
+diff --git a/thirdparty/lws/client/ssl-client.c b/thirdparty/lws/client/ssl-client.c
+index 6626e0844..962c6e3cb 100644
+--- a/thirdparty/lws/client/ssl-client.c
++++ b/thirdparty/lws/client/ssl-client.c
+@@ -176,11 +176,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
+ #endif
+ #else
+ #if defined(LWS_WITH_MBEDTLS)
+- if (wsi->vhost->x509_client_CA)
+- SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
+- else
+- SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
+-
++ SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
+ #else
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ SSL_set_tlsext_host_name(wsi->ssl, hostname);
+diff --git a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
+index 63504919c..4e3d61109 100644
+--- a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
++++ b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
+@@ -218,7 +218,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
+ struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+
+ if (ssl->verify_mode == SSL_VERIFY_PEER)
+- mode = MBEDTLS_SSL_VERIFY_REQUIRED;
++ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+ else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+ else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+@@ -712,11 +712,39 @@ long ssl_pm_get_verify_result(const SSL *ssl)
+ struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+ ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
+- if (ret) {
+- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret);
++
++ if (!ret)
++ return X509_V_OK;
++
++ if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ||
++ (ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED))
++ // Allows us to use LCCSCF_ALLOW_SELFSIGNED to skip verification
++ verify_result = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
++
++ else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
++ verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
++
++ else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) ||
++ (ret & MBEDTLS_X509_BADCRL_BAD_KEY))
++ verify_result = X509_V_ERR_CA_KEY_TOO_SMALL;
++
++ else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) ||
++ (ret & MBEDTLS_X509_BADCRL_BAD_MD))
++ verify_result = X509_V_ERR_CA_MD_TOO_WEAK;
++
++ else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) ||
++ (ret & MBEDTLS_X509_BADCRL_FUTURE))
++ verify_result = X509_V_ERR_CERT_NOT_YET_VALID;
++
++ else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) ||
++ (ret & MBEDTLS_X509_BADCRL_EXPIRED))
++ verify_result = X509_V_ERR_CERT_HAS_EXPIRED;
++
++ else
+ verify_result = X509_V_ERR_UNSPECIFIED;
+- } else
+- verify_result = X509_V_OK;
++
++ SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
++ "mbedtls_ssl_get_verify_result() return 0x%x", ret);
+
+ return verify_result;
+ }
diff --git a/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h b/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h
index 45198bc978..2ca438c422 100644
--- a/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h
+++ b/thirdparty/lws/mbedtls_wrapper/include/internal/ssl_types.h
@@ -215,6 +215,7 @@ struct ssl_st
int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
int rwstate;
+ int interrupted_remaining_write;
long verify_result;
diff --git a/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h b/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h
index fd461e9819..eca68f20d1 100644
--- a/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h
+++ b/thirdparty/lws/mbedtls_wrapper/include/platform/ssl_port.h
@@ -25,11 +25,13 @@
*/
#include "string.h"
-#ifdef __APPLE__
+/* GODOT ADDITION */
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
#include <stdlib.h>
#else
#include "malloc.h"
#endif
+/* END GODOT ADDITION */
void *ssl_mem_zalloc(size_t size);
diff --git a/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c b/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c
index 187fc9f005..d8fdd06fad 100644
--- a/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c
+++ b/thirdparty/lws/mbedtls_wrapper/library/ssl_lib.c
@@ -142,9 +142,9 @@ int SSL_get_error(const SSL *ssl, int ret_code)
ret = SSL_ERROR_NONE;
else if (ret_code < 0)
{
- if (SSL_want_read(ssl))
+ if (ssl->err == SSL_ERROR_WANT_READ || SSL_want_read(ssl))
ret = SSL_ERROR_WANT_READ;
- else if (SSL_want_write(ssl))
+ else if (ssl->err == SSL_ERROR_WANT_WRITE || SSL_want_write(ssl))
ret = SSL_ERROR_WANT_WRITE;
else
ret = SSL_ERROR_SYSCALL; //unknown
@@ -457,7 +457,7 @@ int SSL_read(SSL *ssl, void *buffer, int len)
int SSL_write(SSL *ssl, const void *buffer, int len)
{
int ret;
- int send_bytes;
+ int send_bytes, bytes;
const unsigned char *pbuf;
SSL_ASSERT1(ssl);
@@ -470,25 +470,36 @@ int SSL_write(SSL *ssl, const void *buffer, int len)
pbuf = (const unsigned char *)buffer;
do {
- int bytes;
-
if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
bytes = SSL_SEND_DATA_MAX_LENGTH;
else
bytes = send_bytes;
+ if (ssl->interrupted_remaining_write) {
+ bytes = ssl->interrupted_remaining_write;
+ ssl->interrupted_remaining_write = 0;
+ }
+
ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
+ //printf("%s: ssl_pm said %d for %d requested (cum %d)\n", __func__, ret, bytes, len -send_bytes);
+ /* the return is a NEGATIVE OpenSSL error code, or the length sent */
if (ret > 0) {
pbuf += ret;
send_bytes -= ret;
- }
- } while (ret > 0 && send_bytes);
+ } else
+ ssl->interrupted_remaining_write = bytes;
+ } while (ret > 0 && send_bytes && ret == bytes);
if (ret >= 0) {
ret = len - send_bytes;
- ssl->rwstate = SSL_NOTHING;
- } else
- ret = -1;
+ if (!ret)
+ ssl->rwstate = SSL_NOTHING;
+ } else {
+ if (send_bytes == len)
+ ret = -1;
+ else
+ ret = len - send_bytes;
+ }
return ret;
}
diff --git a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
index 536733fbab..4e3d611095 100644
--- a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
+++ b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
@@ -218,7 +218,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
- mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
@@ -360,17 +360,52 @@ int ssl_pm_read(SSL *ssl, void *buffer, int len)
return ret;
}
+/*
+ * This returns -1, or the length sent.
+ * If -1, then you need to find out if the error was
+ * fatal or recoverable using SSL_get_error()
+ */
int ssl_pm_send(SSL *ssl, const void *buffer, int len)
{
int ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
+ /*
+ * We can get a positive number, which may be less than len... that
+ * much was sent successfully and you can call again to send more.
+ *
+ * We can get a negative mbedtls error code... if WANT_WRITE or WANT_READ,
+ * it's nonfatal and means it should be retried as-is. If something else,
+ * it's fatal actually.
+ *
+ * If this function returns something other than a positive value or
+ * MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context becomes unusable, and
+ * you should either free it or call mbedtls_ssl_session_reset() on it
+ * before re-using it for a new connection; the current connection must
+ * be closed.
+ *
+ * When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be
+ * called later with the same arguments, until it returns a positive value.
+ */
+
if (ret < 0) {
- if (ret == MBEDTLS_ERR_NET_CONN_RESET)
+ SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
+ switch (ret) {
+ case MBEDTLS_ERR_NET_CONN_RESET:
ssl->err = SSL_ERROR_SYSCALL;
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
- ret = -1;
+ break;
+ case MBEDTLS_ERR_SSL_WANT_WRITE:
+ ssl->err = SSL_ERROR_WANT_WRITE;
+ break;
+ case MBEDTLS_ERR_SSL_WANT_READ:
+ ssl->err = SSL_ERROR_WANT_READ;
+ break;
+ default:
+ break;
+ }
+
+ ret = -1;
}
return ret;
@@ -677,11 +712,39 @@ long ssl_pm_get_verify_result(const SSL *ssl)
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret);
+
+ if (!ret)
+ return X509_V_OK;
+
+ if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ||
+ (ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED))
+ // Allows us to use LCCSCF_ALLOW_SELFSIGNED to skip verification
+ verify_result = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+
+ else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+ verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) ||
+ (ret & MBEDTLS_X509_BADCRL_BAD_KEY))
+ verify_result = X509_V_ERR_CA_KEY_TOO_SMALL;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) ||
+ (ret & MBEDTLS_X509_BADCRL_BAD_MD))
+ verify_result = X509_V_ERR_CA_MD_TOO_WEAK;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) ||
+ (ret & MBEDTLS_X509_BADCRL_FUTURE))
+ verify_result = X509_V_ERR_CERT_NOT_YET_VALID;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) ||
+ (ret & MBEDTLS_X509_BADCRL_EXPIRED))
+ verify_result = X509_V_ERR_CERT_HAS_EXPIRED;
+
+ else
verify_result = X509_V_ERR_UNSPECIFIED;
- } else
- verify_result = X509_V_OK;
+
+ SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
+ "mbedtls_ssl_get_verify_result() return 0x%x", ret);
return verify_result;
}
diff --git a/thirdparty/lws/minilex.c b/thirdparty/lws/minilex.c
deleted file mode 100644
index 3cb1e33696..0000000000
--- a/thirdparty/lws/minilex.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * minilex.c
- *
- * High efficiency lexical state parser
- *
- * Copyright (C)2011-2014 Andy Green <andy@warmcat.com>
- *
- * Licensed under LGPL2
- *
- * Usage: gcc minilex.c -o minilex && ./minilex > lextable.h
- *
- * Run it twice to test parsing on the generated table on stderr
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "lextable-strings.h"
-
-/*
- * b7 = 0 = 1-byte seq
- * 0x08 = fail
- * 2-byte seq
- * 0x00 - 0x07, then terminal as given in 2nd byte
- 3-byte seq
- * no match: go fwd 3 byte, match: jump fwd by amt in +1/+2 bytes
- * = 1 = 1-byte seq
- * no match: die, match go fwd 1 byte
- */
-
-unsigned char lextable[] = {
- #include "lextable.h"
-};
-
-#define PARALLEL 30
-
-struct state {
- char c[PARALLEL];
- int state[PARALLEL];
- int count;
- int bytepos;
-
- int real_pos;
-};
-
-struct state state[1000];
-int next = 1;
-
-#define FAIL_CHAR 0x08
-
-int lextable_decode(int pos, char c)
-{
- while (1) {
- if (lextable[pos] & (1 << 7)) { /* 1-byte, fail on mismatch */
- if ((lextable[pos] & 0x7f) != c)
- return -1;
- /* fall thru */
- pos++;
- if (lextable[pos] == FAIL_CHAR)
- return -1;
- return pos;
- } else { /* b7 = 0, end or 3-byte */
- if (lextable[pos] < FAIL_CHAR) /* terminal marker */
- return pos;
-
- if (lextable[pos] == c) /* goto */
- return pos + (lextable[pos + 1]) +
- (lextable[pos + 2] << 8);
- /* fall thru goto */
- pos += 3;
- /* continue */
- }
- }
-}
-
-int main(void)
-{
- int n = 0;
- int m = 0;
- int prev;
- char c;
- int walk;
- int saw;
- int y;
- int j;
- int pos = 0;
-
- while (n < sizeof(set) / sizeof(set[0])) {
-
- m = 0;
- walk = 0;
- prev = 0;
-
- if (set[n][0] == '\0') {
- n++;
- continue;
- }
-
- while (set[n][m]) {
-
- saw = 0;
- for (y = 0; y < state[walk].count; y++)
- if (state[walk].c[y] == set[n][m]) {
- /* exists -- go forward */
- walk = state[walk].state[y];
- saw = 1;
- break;
- }
-
- if (saw)
- goto again;
-
- /* something we didn't see before */
-
- state[walk].c[state[walk].count] = set[n][m];
-
- state[walk].state[state[walk].count] = next;
- state[walk].count++;
- walk = next++;
-again:
- m++;
- }
-
- state[walk].c[0] = n++;
- state[walk].state[0] = 0; /* terminal marker */
- state[walk].count = 1;
- }
-
- walk = 0;
- for (n = 0; n < next; n++) {
- state[n].bytepos = walk;
- walk += (2 * state[n].count);
- }
-
- /* compute everyone's position first */
-
- pos = 0;
- walk = 0;
- for (n = 0; n < next; n++) {
-
- state[n].real_pos = pos;
-
- for (m = 0; m < state[n].count; m++) {
-
- if (state[n].state[m] == 0)
- pos += 2; /* terminal marker */
- else { /* c is a character */
- if ((state[state[n].state[m]].bytepos -
- walk) == 2)
- pos++;
- else {
- pos += 3;
- if (m == state[n].count - 1)
- pos++; /* fail */
- }
- }
- walk += 2;
- }
- }
-
- walk = 0;
- pos = 0;
- for (n = 0; n < next; n++) {
- for (m = 0; m < state[n].count; m++) {
-
- if (!m)
- fprintf(stdout, "/* pos %04x: %3d */ ",
- state[n].real_pos, n);
- else
- fprintf(stdout, " ");
-
- y = state[n].c[m];
- saw = state[n].state[m];
-
- if (saw == 0) { // c is a terminal then
-
- if (y > 0x7ff) {
- fprintf(stderr, "terminal too big\n");
- return 2;
- }
-
- fprintf(stdout, " 0x%02X, 0x%02X "
- " "
- "/* - terminal marker %2d - */,\n",
- y >> 8, y & 0xff, y & 0x7f);
- pos += 2;
- walk += 2;
- continue;
- }
-
- /* c is a character */
-
- prev = y &0x7f;
- if (prev < 32 || prev > 126)
- prev = '.';
-
-
- if ((state[saw].bytepos - walk) == 2) {
- fprintf(stdout, " 0x%02X /* '%c' -> */,\n",
- y | 0x80, prev);
- pos++;
- walk += 2;
- continue;
- }
-
- j = state[saw].real_pos - pos;
-
- if (j > 0xffff) {
- fprintf(stderr,
- "Jump > 64K bytes ahead (%d to %d)\n",
- state[n].real_pos, state[saw].real_pos);
- return 1;
- }
- fprintf(stdout, " 0x%02X /* '%c' */, 0x%02X, 0x%02X "
- "/* (to 0x%04X state %3d) */,\n",
- y, prev,
- j & 0xff, j >> 8,
- state[saw].real_pos, saw);
- pos += 3;
-
- if (m == state[n].count - 1) {
- fprintf(stdout,
- " 0x%02X, /* fail */\n",
- FAIL_CHAR);
- pos++; /* fail */
- }
-
- walk += 2;
- }
- }
-
- fprintf(stdout, "/* total size %d bytes */\n", pos);
-
- /*
- * Try to parse every legal input string
- */
-
- for (n = 0; n < sizeof(set) / sizeof(set[0]); n++) {
- walk = 0;
- m = 0;
- y = -1;
-
- if (set[n][0] == '\0')
- continue;
-
- fprintf(stderr, " trying '%s'\n", set[n]);
-
- while (set[n][m]) {
- walk = lextable_decode(walk, set[n][m]);
- if (walk < 0) {
- fprintf(stderr, "failed\n");
- return 3;
- }
-
- if (lextable[walk] < FAIL_CHAR) {
- y = (lextable[walk] << 8) + lextable[walk + 1];
- break;
- }
- m++;
- }
-
- if (y != n) {
- fprintf(stderr, "decode failed %d\n", y);
- return 4;
- }
- }
-
- fprintf(stderr, "All decode OK\n");
-
- return 0;
-}
diff --git a/thirdparty/lws/misc/lejp.c b/thirdparty/lws/misc/lejp.c
index 5407c90f97..38efa8b122 100644
--- a/thirdparty/lws/misc/lejp.c
+++ b/thirdparty/lws/misc/lejp.c
@@ -444,7 +444,7 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len)
goto append_npos;
}
if (c == '.') {
- if (ctx->dcount || (ctx->f & LEJP_SEEN_POINT)) {
+ if (!ctx->dcount || (ctx->f & LEJP_SEEN_POINT)) {
ret = LEJP_REJECT_MP_VAL_NUM_FORMAT;
goto reject;
}
diff --git a/thirdparty/lws/misc/sha-1.c b/thirdparty/lws/misc/sha-1.c
index 9353fbefe4..50205a0100 100644
--- a/thirdparty/lws/misc/sha-1.c
+++ b/thirdparty/lws/misc/sha-1.c
@@ -45,7 +45,7 @@ struct sha1_ctxt {
} h;
union {
unsigned char b8[8];
- u_int64_t b64[1];
+ uint64_t b64[1];
} c;
union {
unsigned char b8[64];
diff --git a/thirdparty/lws/output.c b/thirdparty/lws/output.c
index ed4752490e..375ff3ef99 100644
--- a/thirdparty/lws/output.c
+++ b/thirdparty/lws/output.c
@@ -270,9 +270,12 @@ LWS_VISIBLE int lws_write(struct lws *wsi, unsigned char *buf, size_t len,
if (wsi->state != LWSS_ESTABLISHED &&
((wsi->state != LWSS_RETURNED_CLOSE_ALREADY &&
+ wsi->state != LWSS_WAITING_TO_SEND_CLOSE_NOTIFICATION &&
wsi->state != LWSS_AWAITING_CLOSE_ACK) ||
- wp != LWS_WRITE_CLOSE))
+ wp != LWS_WRITE_CLOSE)) {
+ lwsl_debug("binning\n");
return 0;
+ }
/* if we are continuing a frame that already had its header done */
@@ -507,7 +510,7 @@ send_raw:
(wp & 0x1f) == LWS_WRITE_HTTP_FINAL) &&
wsi->u.http.tx_content_length) {
wsi->u.http.tx_content_remain -= len;
- lwsl_info("%s: content_remain = %llu\n", __func__,
+ lwsl_info("%s: wsi %p: tx_content_remain = %llu\n", __func__, wsi,
(unsigned long long)wsi->u.http.tx_content_remain);
if (!wsi->u.http.tx_content_remain) {
lwsl_info("%s: selecting final write mode\n", __func__);
@@ -639,6 +642,9 @@ LWS_VISIBLE int lws_serve_http_file_fragment(struct lws *wsi)
poss = context->pt_serv_buf_size - n - LWS_H2_FRAME_HEADER_LENGTH;
+ if (poss > wsi->u.http.tx_content_remain)
+ poss = wsi->u.http.tx_content_remain;
+
/*
* if there is a hint about how much we will do well to send at one time,
* restrict ourselves to only trying to send that.
diff --git a/thirdparty/lws/pollfd.c b/thirdparty/lws/pollfd.c
index 4d6704d41c..54a4a86057 100644
--- a/thirdparty/lws/pollfd.c
+++ b/thirdparty/lws/pollfd.c
@@ -537,9 +537,14 @@ LWS_VISIBLE int
lws_callback_on_writable_all_protocol(const struct lws_context *context,
const struct lws_protocols *protocol)
{
- struct lws_vhost *vhost = context->vhost_list;
+ struct lws_vhost *vhost;
int n;
+ if (!context)
+ return 0;
+
+ vhost = context->vhost_list;
+
while (vhost) {
for (n = 0; n < vhost->count_protocols; n++)
if (protocol->callback ==
diff --git a/thirdparty/lws/private-libwebsockets.h b/thirdparty/lws/private-libwebsockets.h
index 4f0b374332..535fa0be57 100644
--- a/thirdparty/lws/private-libwebsockets.h
+++ b/thirdparty/lws/private-libwebsockets.h
@@ -356,9 +356,6 @@ esp8266_tcp_stream_bind(lws_sockfd_type fd, int port, struct lws *wsi);
#ifndef BYTE_ORDER
#define BYTE_ORDER LITTLE_ENDIAN
#endif
-#ifndef u_int64_t
-typedef unsigned __int64 u_int64_t;
-#endif
#undef __P
#ifndef __P
@@ -1633,7 +1630,6 @@ struct lws_h2_netconn {
unsigned int pad_length:1;
unsigned int collected_priority:1;
unsigned int is_first_header_char:1;
- unsigned int seen_nonpseudoheader:1;
unsigned int zero_huff_padding:1;
unsigned int last_action_dyntable_resize:1;
@@ -1922,6 +1918,7 @@ struct lws {
unsigned int hdr_parsing_completed:1;
unsigned int http2_substream:1;
unsigned int upgraded_to_http2:1;
+ unsigned int seen_nonpseudoheader:1;
unsigned int listener:1;
unsigned int user_space_externally_allocated:1;
unsigned int socket_is_permanently_unusable:1;
diff --git a/thirdparty/lws/server/ssl-server.c b/thirdparty/lws/server/ssl-server.c
index a9516f2239..c4362824bf 100644
--- a/thirdparty/lws/server/ssl-server.c
+++ b/thirdparty/lws/server/ssl-server.c
@@ -155,7 +155,7 @@ lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
*/
vh = context->vhost_list;
while (vh) {
- if (!vh->being_destroyed && vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
+ if (!vh->being_destroyed && ssl && vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
diff --git a/thirdparty/lws/service.c b/thirdparty/lws/service.c
index 6748e30bd4..8cf455e2c9 100644
--- a/thirdparty/lws/service.c
+++ b/thirdparty/lws/service.c
@@ -1073,6 +1073,8 @@ lws_service_fd_tsi(struct lws_context *context, struct lws_pollfd *pollfd, int t
c = lws_token_to_string(m);
if (!c)
break;
+ if (!(*c))
+ break;
len = lws_hdr_total_length(wsi, m);
if (!len || len > sizeof(buf) - 1) {
@@ -1090,6 +1092,11 @@ lws_service_fd_tsi(struct lws_context *context, struct lws_pollfd *pollfd, int t
m++;
} while (1);
+ /* explicitly detach the ah */
+
+ lws_header_table_force_to_detachable_state(wsi);
+ lws_header_table_detach(wsi, 0);
+
/* ... and then drop the connection */
if (wsi->desc.sockfd == our_fd)
@@ -1098,7 +1105,7 @@ lws_service_fd_tsi(struct lws_context *context, struct lws_pollfd *pollfd, int t
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
- ah = ah->next;
+ ah = pt->ah_list;
}
#ifdef LWS_WITH_CGI
@@ -1644,6 +1651,14 @@ drain:
break;
}
#endif
+ /*
+ * something went wrong with parsing the handshake, and
+ * we ended up back in the event loop without completing it
+ */
+ case LWSCM_PRE_WS_SERVING_ACCEPT:
+ wsi->socket_is_permanently_unusable = 1;
+ goto close_and_handled;
+
default:
#ifdef LWS_NO_CLIENT
break;
diff --git a/thirdparty/lws/ssl.c b/thirdparty/lws/ssl.c
index 0a647b469c..4ff3088ab3 100644
--- a/thirdparty/lws/ssl.c
+++ b/thirdparty/lws/ssl.c
@@ -20,11 +20,7 @@
*/
#include "private-libwebsockets.h"
-
-/* workaround for mingw */
-#if !defined(ECONNABORTED)
-#define ECONNABORTED 103
-#endif
+#include <errno.h>
int lws_alloc_vfs_file(struct lws_context *context, const char *filename, uint8_t **buf,
lws_filepos_t *amount)
@@ -463,7 +459,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
lwsl_debug("%p: SSL_read says %d\n", wsi, n);
/* manpage: returning 0 means connection shut down */
- if (!n) {
+ if (!n || (n == -1 && errno == ENOTCONN)) {
wsi->socket_is_permanently_unusable = 1;
return LWS_SSL_CAPABLE_ERROR;
@@ -476,12 +472,12 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
m == SSL_ERROR_SYSCALL)
return LWS_SSL_CAPABLE_ERROR;
- if (SSL_want_read(wsi->ssl)) {
+ if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->ssl)) {
lwsl_debug("%s: WANT_READ\n", __func__);
lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
return LWS_SSL_CAPABLE_MORE_SERVICE;
}
- if (SSL_want_write(wsi->ssl)) {
+ if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->ssl)) {
lwsl_debug("%s: WANT_WRITE\n", __func__);
lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
return LWS_SSL_CAPABLE_MORE_SERVICE;
@@ -885,6 +881,7 @@ go_again:
failed:
lws_stats_atomic_bump(wsi->context, pt,
LWSSTATS_C_SSL_CONNECTIONS_FAILED, 1);
+ wsi->socket_is_permanently_unusable = 1;
lwsl_info("SSL_accept failed socket %u: %s\n", wsi->desc.sockfd,
lws_ssl_get_error_string(m, n, buf, sizeof(buf)));
lws_ssl_elaborate_error();
@@ -903,7 +900,7 @@ accepted:
/* adapt our vhost to match the SNI SSL_CTX that was chosen */
vh = context->vhost_list;
while (vh) {
- if (!vh->being_destroyed &&
+ if (!vh->being_destroyed && wsi->ssl &&
vh->ssl_ctx == SSL_get_SSL_CTX(wsi->ssl)) {
lwsl_info("setting wsi to vh %s\n", vh->name);
wsi->vhost = vh;
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-17 20:43:23 +0000