1/*
2 * lws-minimal-secure-streams-metadata
3 *
4 * Written in 2010-2020 by Andy Green <andy@warmcat.com>
5 *
6 * This file is made available under the Creative Commons CC0 1.0
7 * Universal Public Domain Dedication.
8 *
9 *
10 * This demonstrates a minimal http client using secure streams api.
11 *
12 * It visits https://warmcat.com/ and receives the html page there.
13 *
14 * This example is built two different ways from the same source... one includes
15 * the policy everything needed to fulfil the stream directly.  The other -client
16 * variant has no policy itself and some other minor init changes, and connects
17 * to the -proxy example to actually get the connection done.
18 *
19 * In the -client build case, the example does not even init the tls libraries
20 * since the proxy part will take care of all that.
21 */
22
23#include <libwebsockets.h>
24#include <string.h>
25#include <signal.h>
26
27/*
28 * uncomment to force network traffic through 127.0.0.1:1080
29 *
30 * On your local machine, you can run a SOCKS5 proxy like this
31 *
32 * $ ssh -N -D 0.0.0.0:1080 localhost -v
33 *
34 * If enabled, this also fetches a remote policy that also
35 * specifies that all traffic should go through the remote
36 * proxy.
37 */
38// #define VIA_LOCALHOST_SOCKS
39
40static int interrupted, bad = 1, force_cpd_fail_portal,
41	   force_cpd_fail_no_internet;
42static lws_state_notify_link_t nl;
43static const char *server_name_or_url = "warmcat.com";
44
45/*
46 * If the -proxy app is fulfilling our connection, then we don't need to have
47 * the policy in the client.
48 *
49 * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
50 * a Unix Domain Socket.  To test that, you need to separately run the
51 * ./lws-minimal-secure-streams-proxy test app on the same machine.
52 */
53
54#if !defined(LWS_SS_USE_SSPC)
55static const char * const default_ss_policy =
56	"{"
57	  "\"release\":"			"\"01234567\","
58	  "\"product\":"			"\"myproduct\","
59	  "\"schema-version\":"			"1,"
60#if defined(VIA_LOCALHOST_SOCKS)
61	  "\"via-socks5\":"                     "\"127.0.0.1:1080\","
62#endif
63
64	  "\"retry\": ["	/* named backoff / retry strategies */
65		"{\"default\": {"
66			"\"backoff\": ["	 "1000,"
67						 "2000,"
68						 "3000,"
69						 "5000,"
70						"10000"
71				"],"
72			"\"conceal\":"		"5,"
73			"\"jitterpc\":"		"20,"
74			"\"svalidping\":"	"30,"
75			"\"svalidhup\":"	"35"
76		"}}"
77	  "],"
78	  "\"certs\": [" /* named individual certificates in BASE64 DER */
79		/*
80		 * Let's Encrypt certs for warmcat.com / libwebsockets.org
81		 *
82		 * We fetch the real policy from there using SS and switch to
83		 * using that.
84		 */
85		"{\"isrg_root_x1\": \""
86"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw"
87"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
88"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4"
89"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu"
90"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY"
91"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc"
92"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+"
93"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U"
94"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW"
95"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH"
96"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC"
97"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv"
98"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn"
99"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn"
100"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw"
101"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI"
102"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV"
103"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq"
104"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL"
105"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ"
106"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK"
107"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5"
108"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur"
109"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC"
110"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc"
111"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq"
112"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA"
113"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d"
114"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc="
115	  "\"}"
116	  "],"
117	  "\"trust_stores\": [" /* named cert chains */
118		"{"
119			"\"name\": \"le_via_isrg\","
120			"\"stack\": ["
121				"\"isrg_root_x1\""
122			"]"
123		"}"
124	  "],"
125	  "\"s\": ["
126		"{\"mintest\": {"
127			"\"endpoint\":"		"\"${servername}\","
128			"\"port\":"		"443,"
129			"\"protocol\":"		"\"h1\","
130			"\"http_method\":"	"\"GET\","
131			"\"http_url\":"		"\"\","
132			"\"tls\":"		"true,"
133			"\"opportunistic\":"	"true,"
134			"\"retry\":"		"\"default\","
135			"\"tls_trust_store\":"	"\"le_via_isrg\","
136			"\"metadata\": ["
137				"{\"servername\": \"\"}"
138			"]"
139		"}}"
140	"]}"
141;
142
143#endif
144
145typedef struct myss {
146	struct lws_ss_handle 		*ss;
147	void				*opaque_data;
148	/* ... application specific state ... */
149	lws_sorted_usec_list_t		sul;
150} myss_t;
151
152/* secure streams payload interface */
153
154static lws_ss_state_return_t
155myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
156{
157//	myss_t *m = (myss_t *)userobj;
158
159	lwsl_user("%s: len %d, flags: %d\n", __func__, (int)len, flags);
160	lwsl_hexdump_info(buf, len);
161
162	/*
163	 * If we received the whole message, for our example it means
164	 * we are done.
165	 */
166	if (flags & LWSSS_FLAG_EOM) {
167		bad = 0;
168		interrupted = 1;
169	}
170
171	return 0;
172}
173
174static lws_ss_state_return_t
175myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
176	int *flags)
177{
178	//myss_t *m = (myss_t *)userobj;
179
180	return 0;
181}
182
183static lws_ss_state_return_t
184myss_state(void *userobj, void *sh, lws_ss_constate_t state,
185	   lws_ss_tx_ordinal_t ack)
186{
187	myss_t *m = (myss_t *)userobj;
188
189	lwsl_user("%s: %s, ord 0x%x\n", __func__, lws_ss_state_name((int)state),
190		  (unsigned int)ack);
191
192	switch (state) {
193	case LWSSSCS_CREATING:
194		lwsl_notice("%s: CREATING: setting servername metadata to %s\n",
195				__func__, server_name_or_url);
196		if (lws_ss_set_metadata(m->ss, "servername", server_name_or_url,
197					strlen(server_name_or_url)))
198			return LWSSSSRET_DISCONNECT_ME;
199		return lws_ss_client_connect(m->ss);
200
201	case LWSSSCS_ALL_RETRIES_FAILED:
202		/* if we're out of retries, we want to close the app and FAIL */
203		interrupted = 1;
204		break;
205	case LWSSSCS_QOS_ACK_REMOTE:
206		lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
207		break;
208	default:
209		break;
210	}
211
212	return 0;
213}
214
215static int
216app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
217		    int current, int target)
218{
219	struct lws_context *context = lws_system_context_from_system_mgr(mgr);
220
221	/*
222	 * For the things we care about, let's notice if we are trying to get
223	 * past them when we haven't solved them yet, and make the system
224	 * state wait while we trigger the dependent action.
225	 */
226	switch (target) {
227
228	case LWS_SYSTATE_OPERATIONAL:
229		if (current == LWS_SYSTATE_OPERATIONAL) {
230			lws_ss_info_t ssi;
231
232			/* We're making an outgoing secure stream ourselves */
233
234			memset(&ssi, 0, sizeof(ssi));
235			ssi.handle_offset = offsetof(myss_t, ss);
236			ssi.opaque_user_data_offset = offsetof(myss_t,
237							       opaque_data);
238			ssi.rx = myss_rx;
239			ssi.tx = myss_tx;
240			ssi.state = myss_state;
241			ssi.user_alloc = sizeof(myss_t);
242			ssi.streamtype = "mintest";
243
244			if (lws_ss_create(context, 0, &ssi, NULL, NULL,
245					  NULL, NULL)) {
246				lwsl_err("%s: failed to create secure stream\n",
247					 __func__);
248				return -1;
249			}
250		}
251		break;
252	}
253
254	return 0;
255}
256
257static lws_state_notify_link_t * const app_notifier_list[] = {
258	&nl, NULL
259};
260
261static void
262sigint_handler(int sig)
263{
264	interrupted = 1;
265}
266
267int main(int argc, const char **argv)
268{
269	struct lws_context_creation_info info;
270	struct lws_context *context;
271	const char *p;
272	int n = 0;
273
274	signal(SIGINT, sigint_handler);
275
276	memset(&info, 0, sizeof info);
277	lws_cmdline_option_handle_builtin(argc, argv, &info);
278
279	lwsl_user("LWS secure streams test client [-d<verb>]\n");
280
281	/* these options are mutually exclusive if given */
282
283	if (lws_cmdline_option(argc, argv, "--force-portal"))
284		force_cpd_fail_portal = 1;
285
286	if (lws_cmdline_option(argc, argv, "--force-no-internet"))
287		force_cpd_fail_no_internet = 1;
288
289	info.fd_limit_per_thread = 1 + 6 + 1;
290	info.port = CONTEXT_PORT_NO_LISTEN;
291
292#if defined(LWS_SS_USE_SSPC)
293	info.protocols = lws_sspc_protocols;
294
295	/* connect to ssproxy via UDS by default, else via
296	 * tcp connection to this port */
297	if ((p = lws_cmdline_option(argc, argv, "-p")))
298		info.ss_proxy_port = (uint16_t)atoi(p);
299
300	/* UDS "proxy.ss.lws" in abstract namespace, else this socket
301	 * path; when -p given this can specify the network interface
302	 * to bind to */
303	if ((p = lws_cmdline_option(argc, argv, "-i")))
304		info.ss_proxy_bind = p;
305
306	/* if -p given, -a specifies the proxy address to connect to */
307	if ((p = lws_cmdline_option(argc, argv, "-a")))
308		info.ss_proxy_address = p;
309#else
310	info.pss_policies_json = default_ss_policy;
311	info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
312		       LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
313#endif
314
315	if ((p = lws_cmdline_option(argc, argv, "-u")))
316		server_name_or_url = p;
317
318	/* integrate us with lws system state management when context created */
319
320	nl.name = "app";
321	nl.notify_cb = app_system_state_nf;
322	info.register_notifier_list = app_notifier_list;
323
324	/* create the context */
325
326	context = lws_create_context(&info);
327	if (!context) {
328		lwsl_err("lws init failed\n");
329		return 1;
330	}
331
332
333	/* the event loop */
334
335	while (n >= 0 && !interrupted)
336		n = lws_service(context, 0);
337
338	lws_context_destroy(context);
339
340	lwsl_user("Completed: %s\n", bad ? "failed" : "OK");
341
342	return bad;
343}
344