1/* 2 * lws-minimal-secure-streams 3 * 4 * Written in 2010-2021 by Andy Green <andy@warmcat.com> 5 * 6 * This file is made available under the Creative Commons CC0 1.0 7 * Universal Public Domain Dedication. 8 * 9 * 10 * This demonstrates a minimal http client using secure streams api. 11 * 12 * It visits https://warmcat.com/ and receives the html page there. 13 * 14 * This example is built two different ways from the same source... one includes 15 * the policy everything needed to fulfil the stream directly. The other -client 16 * variant has no policy itself and some other minor init changes, and connects 17 * to the -proxy example to actually get the connection done. 18 * 19 * In the -client build case, the example does not even init the tls libraries 20 * since the proxy part will take care of all that. 21 */ 22 23#include <libwebsockets.h> 24#include <string.h> 25#include <signal.h> 26 27// #define FORCE_OS_TRUST_STORE 28 29/* 30 * uncomment to force network traffic through 127.0.0.1:1080 31 * 32 * On your local machine, you can run a SOCKS5 proxy like this 33 * 34 * $ ssh -N -D 0.0.0.0:1080 localhost -v 35 * 36 * If enabled, this also fetches a remote policy that also 37 * specifies that all traffic should go through the remote 38 * proxy. 39 */ 40// #define VIA_LOCALHOST_SOCKS 41 42static int interrupted, bad = 1, force_cpd_fail_portal, 43 force_cpd_fail_no_internet, test_respmap, test_ots, test_local; 44static unsigned int timeout_ms = 3000; 45static lws_state_notify_link_t nl; 46 47/* 48 * If the -proxy app is fulfilling our connection, then we don't need to have 49 * the policy in the client. 50 * 51 * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over 52 * a Unix Domain Socket. To test that, you need to separately run the 53 * ./lws-minimal-secure-streams-proxy test app on the same machine. 54 */ 55 56#if !defined(LWS_SS_USE_SSPC) 57static const char * const default_ss_policy = 58 "{" 59 "\"release\":" "\"01234567\"," 60 "\"product\":" "\"myproduct\"," 61 "\"schema-version\":" "1," 62#if defined(VIA_LOCALHOST_SOCKS) 63 "\"via-socks5\":" "\"127.0.0.1:1080\"," 64#endif 65 66 "\"retry\": [" /* named backoff / retry strategies */ 67 "{\"default\": {" 68 "\"backoff\": [" "1000," 69 "2000," 70 "3000," 71 "5000," 72 "10000" 73 "]," 74 "\"conceal\":" "5," 75 "\"jitterpc\":" "20," 76 "\"svalidping\":" "30," 77 "\"svalidhup\":" "35" 78 "}}" 79 "]," 80 "\"certs\": [" /* named individual certificates in BASE64 DER */ 81 /* 82 * Let's Encrypt certs for warmcat.com / libwebsockets.org 83 * 84 * We fetch the real policy from there using SS and switch to 85 * using that. 86 */ 87#if !defined(FORCE_OS_TRUST_STORE) 88 "{\"isrg_root_x1\": \"" 89 "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw" 90 "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh" 91 "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4" 92 "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu" 93 "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY" 94 "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc" 95 "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+" 96 "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U" 97 "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW" 98 "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH" 99 "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC" 100 "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv" 101 "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn" 102 "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn" 103 "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw" 104 "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI" 105 "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV" 106 "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq" 107 "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL" 108 "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ" 109 "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK" 110 "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5" 111 "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur" 112 "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC" 113 "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc" 114 "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq" 115 "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA" 116 "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d" 117 "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" 118 "\"}" 119#endif 120 "]," 121 "\"trust_stores\": [" /* named cert chains */ 122#if !defined(FORCE_OS_TRUST_STORE) 123 "{" 124 "\"name\": \"le_via_isrg\"," 125 "\"stack\": [" 126 "\"isrg_root_x1\"" 127 "]" 128 "}" 129#endif 130 "]," 131 "\"s\": [" 132#if !defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 133 /* 134 * "fetch_policy" decides from where the real policy 135 * will be fetched, if present. Otherwise the initial 136 * policy is treated as the whole, hardcoded, policy. 137 */ 138 "{\"fetch_policy\": {" 139 "\"endpoint\":" "\"warmcat.com\"," 140 "\"port\":" "443," 141 "\"protocol\":" "\"h1\"," 142 "\"http_method\":" "\"GET\"," 143#if defined(VIA_LOCALHOST_SOCKS) 144 "\"http_url\":" "\"policy/minimal-proxy-socks.json\"," 145#else 146 "\"http_url\":" "\"policy/minimal-proxy-v4.2-v2.json\"," 147#endif 148 "\"tls\":" "true," 149 "\"opportunistic\":" "true," 150#if !defined(FORCE_OS_TRUST_STORE) 151 "\"tls_trust_store\":" "\"le_via_isrg\"," 152#endif 153 "\"retry\":" "\"default\"" 154#else 155 "{\"mintest\": {" 156 "\"endpoint\": \"warmcat.com\"," 157 "\"port\": 443," 158 "\"protocol\": \"h1\"," 159 "\"http_method\": \"GET\"," 160 "\"http_url\": \"index.html?uptag=${uptag}\"," 161 "\"metadata\": [{" 162 " \"uptag\": \"X-Upload-Tag:\"" 163 "}, {" 164 " \"xctype\": \"X-Content-Type:\"" 165 "}]," 166 "\"tls\": true," 167 "\"opportunistic\": true," 168 "\"retry\": \"default\"," 169 "\"timeout_ms\": 2000," 170 "\"direct_proto_str\": true," 171 "\"tls_trust_store\": \"le_via_dst\"" 172 "}}," 173 "{\"mintest_local\": {" 174 "\"endpoint\": \"localhost\"," 175 "\"port\": 8000," 176 "\"protocol\": \"h1\"," 177 "\"http_method\": \"GET\"," 178 "\"tls\": false," 179 "\"opportunistic\": true," 180 "\"retry\": \"default\"," 181 "\"timeout_ms\": 2000," 182 "\"direct_proto_str\": true" 183#endif 184 "}},{" 185 /* 186 * "captive_portal_detect" describes 187 * what to do in order to check if the path to 188 * the Internet is being interrupted by a 189 * captive portal. If there's a larger policy 190 * fetched from elsewhere, it should also include 191 * this since it needs to be done at least after 192 * every DHCP acquisition 193 */ 194 "\"captive_portal_detect\": {" 195 "\"endpoint\": \"connectivitycheck.android.com\"," 196 "\"http_url\": \"generate_204\"," 197 "\"port\": 80," 198 "\"protocol\": \"h1\"," 199 "\"http_method\": \"GET\"," 200 "\"opportunistic\": true," 201 "\"http_expect\": 204," 202 "\"http_fail_redirect\": true" 203 "}}" 204 "]}" 205; 206 207#endif 208 209typedef struct myss { 210 struct lws_ss_handle *ss; 211 void *opaque_data; 212 /* ... application specific state ... */ 213 lws_sorted_usec_list_t sul; 214 size_t amt; 215 216 struct lws_genhash_ctx hash_ctx; 217} myss_t; 218 219#if !defined(LWS_SS_USE_SSPC) 220 221static const char *canned_root_token_payload = 222 "grant_type=refresh_token" 223 "&refresh_token=Atzr|IwEBIJedGXjDqsU_vMxykqOMg" 224 "SHfYe3CPcedueWEMWSDMaDnEmiW8RlR1Kns7Cb4B-TOSnqp7ifVsY4BMY2B8tpHfO39XP" 225 "zfu9HapGjTR458IyHX44FE71pWJkGZ79uVBpljP4sazJuk8XS3Oe_yLnm_DIO6fU1nU3Y" 226 "0flYmsOiOAQE_gRk_pdlmEtHnpMA-9rLw3mkY5L89Ty9kUygBsiFaYatouROhbsTn8-jW" 227 "k1zZLUDpT6ICtBXSnrCIg0pUbZevPFhTwdXd6eX-u4rq0W-XaDvPWFO7au-iPb4Zk5eZE" 228 "iX6sissYrtNmuEXc2uHu7MnQO1hHCaTdIO2CANVumf-PHSD8xseamyh04sLV5JgFzY45S" 229 "KvKMajiUZuLkMokOx86rjC2Hdkx5DO7G-dbG1ufBDG-N79pFMSs7Ck5pc283IdLoJkCQc" 230 "AGvTX8o8I29QqkcGou-9TKhOJmpX8As94T61ok0UqqEKPJ7RhfQHHYdCtsdwxgvfVr9qI" 231 "xL_hDCcTho8opCVX-6QhJHl6SQFlTw13" 232 "&client_id=" 233 "amzn1.application-oa2-client.4823334c434b4190a2b5a42c07938a2d"; 234 235#endif 236 237/* secure streams payload interface */ 238 239static lws_ss_state_return_t 240myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags) 241{ 242 243 if (flags & LWSSS_FLAG_PERF_JSON) 244 return LWSSSSRET_OK; 245 246#if !defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 247 myss_t *m = (myss_t *)userobj; 248 const char *md_srv = "not set", *md_test = "not set"; 249 size_t md_srv_len = 7, md_test_len = 7; 250 251 lws_ss_get_metadata(m->ss, "srv", (const void **)&md_srv, &md_srv_len); 252 lws_ss_get_metadata(m->ss, "test", (const void **)&md_test, &md_test_len); 253 lwsl_user("%s: len %d, flags: %d, srv: %.*s, test: %.*s\n", __func__, 254 (int)len, flags, (int)md_srv_len, md_srv, 255 (int)md_test_len, md_test); 256 257 lwsl_hexdump_info(buf, len); 258#endif 259 260 /* 261 * If we received the whole message, for our example it means 262 * we are done. 263 */ 264 if (flags & LWSSS_FLAG_EOM) { 265 bad = 0; 266 interrupted = 1; 267 } 268 269 return LWSSSSRET_OK; 270} 271 272static lws_ss_state_return_t 273myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len, 274 int *flags) 275{ 276 //myss_t *m = (myss_t *)userobj; 277 278 /* in this example, we don't send stuff */ 279 280 return LWSSSSRET_TX_DONT_SEND; 281} 282 283#if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 284static const char * long_token_str = "{xxx:AWlKJMMISWJBQpAFqU0UqKNsnSY5usx2YtjOZJUQALNtapRxu/9VJqMk5IFVhxrNvMTj+RCGN6B5OlUK80lbbC8fAmQi7SoFB8DHN9UCRHkENriC62FjMNiBVfgkjMWx+60GioZy4bI2kCcyisd2CujQuSVllUmQFXhVq291cJhFfcKR4c3CUCuhouUfK2e1BY5InDMnzUXozOh+vhjJSeBIfp4HRUAgMpV7FXlHy8D5tgbmPbHs9X81MEsHTcERd3pG10B5fu1PzH+dJbr5F2WTK+VFWZI99B89ijEZWsPg447IK3F+0HHGseZfpRjKw2bY94id/TmncTxS0cqchDJlYg+Jt33U4HkUPqLdRiGIfJb6wSATx4S9ZKUumeJAgXpC6ytlUeqPpxzgnD7Tle5CDVb+eVzRk2FJfjiZdjbYxXhWYntPusLP/PGrorkqLw0ZKw+OJ+fhbkwF+0SCUelWEc8WPtfxCDAIdEQ7X5P4vUlBNEfuHprgHbZry680syFetY2q3ZtCmWemLHhqdDGu4lFgcQPCbb9b8eOE8oAbUQPm9AeV84RXSLevBG44JST/W2JuYguOk8SFlsRkfHb3dvxfB15Lg+mtH0tGRoumSMT0CFJL4ClTiKdpJo1LPgEd2/f13GcukEWirjqDRxpepJYWaVAMbxbaPBNfRHw9S8Fn8qU9/9eAxmbEqOopep5I/Zd99CT2PdE0Qyami1p05/BEc5dgvjg3SNDmAc/8kWC0AcvoSfApXI1TaVzbNh68b79h6IaIvXXorY5274u0lVB357JIRiYo29QbJgNn4bDbIr5ScM8GnFHQdKy29/TZoq4zbGMPX2X2t41vXRVeoZteu7vNWsMQD6eIomVq9qFWnoEEaR30woGF+8ZSIEu9JH5LKVZVFx46lipnjE8CDt5qrYCjwiGIswdLLMmIltxRmDt4aefTFpre7lhgUChv7ndJARvsn8rvtg2Hg1qKyfCAHa/LBblM29cRjLFqp7tWLJO7N27SWiqEhai6pmSmSYzqoPL+rnLS69rkdIuUwkA==}{yyy:jG8akvr66AXK+W1KSUyGIN3Yk4WNRLSIZHWTu8rsvQAuKwv9a/ZxrxIa+R1xW7cwmPSgINcJ4Jo7kGK9n7aDnsSDt3uMSHsu2iNg+UtIaJcO0XO6fPaLmOPLpOIU5AfG9HnbWUjeniNRrUGN8+26JH/9EB1h/X++Ow61CCHm8mKrgR1lXsKuNyqDYIrjoI3KCCVKZkdWygyFAXQ6l0sr+pUyNpv6H5w1xlC8dtI88091b/njuRlHsnoCa1zRtgqH0L4igLNu0zzOkH/ATsVS3Pyn4nsoRiGVFgzJZ0e2jT2McmDTxNeEHcafQSxeN7pztDFHT3ukUU9QFFtFDdzlug==}{vvv:VGbzgaVrLrJ+92ACJ0TEtQ==}{eeee:QURQVG9rZW6FbmNyeXB0aW6uS2v5}{sssss:mG+}"; 285#endif 286 287static lws_ss_state_return_t 288myss_state(void *userobj, void *sh, lws_ss_constate_t state, 289 lws_ss_tx_ordinal_t ack) 290{ 291 myss_t *m = (myss_t *)userobj; 292#if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 293 const char *md_test = "not set"; 294 size_t md_test_len = 7; 295 int i; 296 static const char * imd_test_keys[8] = { 297 "server:", 298 "content-security-policy:", 299 "strict-transport-security:", 300 "test-custom-header:", 301 "x-xss-protection:", 302 "x-content-type-options:", 303 "x-frame-options:", 304 "x-non-exist:", 305 }; 306#endif 307 308 lwsl_user("%s: %s (%d), ord 0x%x\n", __func__, 309 lws_ss_state_name((int)state), state, (unsigned int)ack); 310 311 switch (state) { 312 case LWSSSCS_CREATING: 313 return lws_ss_client_connect(m->ss); 314 315 case LWSSSCS_CONNECTING: 316 lws_ss_start_timeout(m->ss, timeout_ms); 317 318 if (lws_ss_set_metadata(m->ss, "uptag", "myuptag123", 10)) 319 /* can fail, eg due to OOM, retry later if so */ 320 return LWSSSSRET_DISCONNECT_ME; 321#if !defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 322 if (lws_ss_set_metadata(m->ss, "ctype", "myctype", 7)) 323 /* can fail, eg due to OOM, retry later if so */ 324 return LWSSSSRET_DISCONNECT_ME; 325#else 326 if (lws_ss_set_metadata(m->ss, "X-Test-Type1:", "myctype1", 8)) 327 /* can fail, eg due to OOM, retry later if so */ 328 return LWSSSSRET_DISCONNECT_ME; 329 if (lws_ss_set_metadata(m->ss, "X-Test-Type2:", "myctype2", 8)) 330 /* can fail, eg due to OOM, retry later if so */ 331 return LWSSSSRET_DISCONNECT_ME; 332 if (lws_ss_set_metadata(m->ss, "Content-Type:", "myctype", 7)) 333 /* can fail, eg due to OOM, retry later if so */ 334 return LWSSSSRET_DISCONNECT_ME; 335 if (lws_ss_set_metadata(m->ss, "X-ADP-Authentication-Token:", 336 long_token_str, strlen(long_token_str))) 337 /* can fail, eg due to OOM, retry later if so */ 338 return LWSSSSRET_DISCONNECT_ME; 339 340#endif 341 break; 342 343 case LWSSSCS_ALL_RETRIES_FAILED: 344 /* if we're out of retries, we want to close the app and FAIL */ 345 interrupted = 1; 346 bad = 2; 347 break; 348 case LWSSSCS_CONNECTED: 349#if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) 350 lwsl_user("%s: get direct metadata\n", __func__); 351 for (i = 0; i < 8; i++) { 352 md_test = "not set"; 353 lws_ss_get_metadata(m->ss, imd_test_keys[i], (const void **)&md_test, &md_test_len); 354 lwsl_user("%s test key:[%s], got [%s]\n", __func__, imd_test_keys[i], md_test); 355 } 356#endif 357 break; 358 359 case LWSSSCS_QOS_ACK_REMOTE: 360 lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__); 361 break; 362 363 case LWSSSCS_TIMEOUT: 364 lwsl_notice("%s: LWSSSCS_TIMEOUT\n", __func__); 365 /* if we're out of time */ 366 interrupted = 1; 367 bad = 3; 368 break; 369 370 case LWSSSCS_USER_BASE: 371 lwsl_notice("%s: LWSSSCS_USER_BASE\n", __func__); 372 break; 373 374 default: 375 break; 376 } 377 378 return LWSSSSRET_OK; 379} 380 381#if defined(LWS_WITH_SECURE_STREAMS_BUFFER_DUMP) 382static void 383myss_headers_dump(void *userobj, const uint8_t *buf, size_t len, int done) 384{ 385 lwsl_user("%s: %lu done: %s\n", __func__, len, done?"true":"false"); 386 387 lwsl_hexdump_err(buf, len); 388} 389#endif 390static int 391app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link, 392 int current, int target) 393{ 394 struct lws_context *context = lws_system_context_from_system_mgr(mgr); 395#if !defined(LWS_SS_USE_SSPC) 396 397 lws_system_blob_t *ab = lws_system_get_blob(context, 398 LWS_SYSBLOB_TYPE_AUTH, 1 /* AUTH_IDX_ROOT */); 399 size_t size; 400#endif 401 402 /* 403 * For the things we care about, let's notice if we are trying to get 404 * past them when we haven't solved them yet, and make the system 405 * state wait while we trigger the dependent action. 406 */ 407 switch (target) { 408 409#if !defined(LWS_SS_USE_SSPC) 410 411 /* 412 * The proxy takes responsibility for this stuff if we get things 413 * done through that 414 */ 415 416 case LWS_SYSTATE_INITIALIZED: /* overlay on the hardcoded policy */ 417 case LWS_SYSTATE_POLICY_VALID: /* overlay on the loaded policy */ 418 419 if (target != current) 420 break; 421 422 if (force_cpd_fail_portal) 423 424 /* this makes it look like we're behind a captive portal 425 * because the overriden address does a redirect */ 426 427 lws_ss_policy_overlay(context, 428 "{\"s\": [{\"captive_portal_detect\": {" 429 "\"endpoint\": \"google.com\"," 430 "\"http_url\": \"/\"," 431 "\"port\": 80" 432 "}}]}"); 433 434 if (force_cpd_fail_no_internet) 435 436 /* this looks like no internet, because the overridden 437 * port doesn't have anything that will connect to us */ 438 439 lws_ss_policy_overlay(context, 440 "{\"s\": [{\"captive_portal_detect\": {" 441 "\"endpoint\": \"warmcat.com\"," 442 "\"http_url\": \"/\"," 443 "\"port\": 999" 444 "}}]}"); 445 break; 446 447 case LWS_SYSTATE_REGISTERED: 448 size = lws_system_blob_get_size(ab); 449 if (size) 450 break; 451 452 /* let's register our canned root token so auth can use it */ 453 lws_system_blob_direct_set(ab, 454 (const uint8_t *)canned_root_token_payload, 455 strlen(canned_root_token_payload)); 456 break; 457 458#endif 459 460 case LWS_SYSTATE_OPERATIONAL: 461 if (current == LWS_SYSTATE_OPERATIONAL) { 462 lws_ss_info_t ssi; 463 464 /* We're making an outgoing secure stream ourselves */ 465 466 memset(&ssi, 0, sizeof(ssi)); 467 ssi.handle_offset = offsetof(myss_t, ss); 468 ssi.opaque_user_data_offset = offsetof(myss_t, 469 opaque_data); 470 ssi.rx = myss_rx; 471 ssi.tx = myss_tx; 472 ssi.state = myss_state; 473#if defined(LWS_WITH_SECURE_STREAMS_BUFFER_DUMP) 474 ssi.dump = myss_headers_dump; 475#endif 476 ssi.user_alloc = sizeof(myss_t); 477 ssi.streamtype = test_ots ? "mintest-ots" : 478 (test_respmap ? "respmap" : 479 (test_local ? "mintest_local" : 480 "mintest")); 481 482 if (lws_ss_create(context, 0, &ssi, NULL, NULL, 483 NULL, NULL)) { 484 lwsl_err("%s: failed to create secure stream\n", 485 __func__); 486 interrupted = 1; 487 lws_cancel_service(context); 488 return -1; 489 } 490 } 491 break; 492 } 493 494 return 0; 495} 496 497static lws_state_notify_link_t * const app_notifier_list[] = { 498 &nl, NULL 499}; 500 501#if defined(LWS_WITH_SYS_METRICS) 502 503static int 504my_metric_report(lws_metric_pub_t *mp) 505{ 506 lws_metric_bucket_t *sub = mp->u.hist.head; 507 char buf[192]; 508 509 do { 510 if (lws_metrics_format(mp, &sub, buf, sizeof(buf))) 511 lwsl_user("%s: %s\n", __func__, buf); 512 } while ((mp->flags & LWSMTFL_REPORT_HIST) && sub); 513 514 /* 0 = leave metric to accumulate, 1 = reset the metric */ 515 516 return 1; 517} 518 519static const lws_system_ops_t system_ops = { 520 .metric_report = my_metric_report, 521}; 522 523#endif 524 525static void 526sigint_handler(int sig) 527{ 528 interrupted = 1; 529} 530 531int main(int argc, const char **argv) 532{ 533 struct lws_context_creation_info info; 534 struct lws_context *context; 535 int n = 0, expected = 0; 536 const char *p; 537 538 signal(SIGINT, sigint_handler); 539 540 memset(&info, 0, sizeof info); 541 lws_cmdline_option_handle_builtin(argc, argv, &info); 542 543 //lws_set_log_level(LLL_USER | LLL_ERR | LLL_DEBUG | LLL_NOTICE | LLL_INFO, NULL); 544 545 lwsl_user("LWS secure streams test client [-d<verb>]\n"); 546 547 /* these options are mutually exclusive if given */ 548 549 if (lws_cmdline_option(argc, argv, "--force-portal")) 550 force_cpd_fail_portal = 1; 551 552 if (lws_cmdline_option(argc, argv, "--force-no-internet")) 553 force_cpd_fail_no_internet = 1; 554 555 if (lws_cmdline_option(argc, argv, "--respmap")) 556 test_respmap = 1; 557 558 if (lws_cmdline_option(argc, argv, "--ots")) 559 /* 560 * Use a streamtype that relies on the OS trust store for 561 * validation 562 */ 563 test_ots = 1; 564 565 if (lws_cmdline_option(argc, argv, "--local")) 566 test_local = 1; 567 568 if ((p = lws_cmdline_option(argc, argv, "--timeout_ms"))) 569 timeout_ms = (unsigned int)atoi(p); 570 571 info.fd_limit_per_thread = 1 + 6 + 1; 572 info.port = CONTEXT_PORT_NO_LISTEN; 573#if defined(LWS_SS_USE_SSPC) 574 info.protocols = lws_sspc_protocols; 575 { 576 const char *p; 577 578 /* connect to ssproxy via UDS by default, else via 579 * tcp connection to this port */ 580 if ((p = lws_cmdline_option(argc, argv, "-p"))) 581 info.ss_proxy_port = (uint16_t)atoi(p); 582 583 /* UDS "proxy.ss.lws" in abstract namespace, else this socket 584 * path; when -p given this can specify the network interface 585 * to bind to */ 586 if ((p = lws_cmdline_option(argc, argv, "-i"))) 587 info.ss_proxy_bind = p; 588 589 /* if -p given, -a specifies the proxy address to connect to */ 590 if ((p = lws_cmdline_option(argc, argv, "-a"))) 591 info.ss_proxy_address = p; 592 } 593#else 594 info.pss_policies_json = default_ss_policy; 595 info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS | 596 LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW | 597 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT; 598#endif 599 600#if defined(LWS_WITH_MBEDTLS) 601 602 /* uncomment to force mbedtls to load a system trust store like 603 * openssl does 604 * 605 * info.mbedtls_client_preload_filepath = 606 * "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"; 607 */ 608#endif 609 610 /* integrate us with lws system state management when context created */ 611 612 nl.name = "app"; 613 nl.notify_cb = app_system_state_nf; 614 info.register_notifier_list = app_notifier_list; 615 616 617#if defined(LWS_WITH_SYS_METRICS) 618 info.system_ops = &system_ops; 619 info.metrics_prefix = "ssmex"; 620#endif 621 622 /* create the context */ 623 624 context = lws_create_context(&info); 625 if (!context) { 626 lwsl_err("lws init failed\n"); 627 goto bail; 628 } 629 630#if !defined(LWS_SS_USE_SSPC) 631 /* 632 * If we're being a proxied client, the proxy does all this 633 */ 634 635 /* 636 * Set the related lws_system blobs 637 * 638 * ...direct_set() sets a pointer, so the thing pointed to has to have 639 * a suitable lifetime, eg, something that already exists on the heap or 640 * a const string in .rodata like this 641 */ 642 643 lws_system_blob_direct_set(lws_system_get_blob(context, 644 LWS_SYSBLOB_TYPE_DEVICE_SERIAL, 0), 645 (const uint8_t *)"SN12345678", 10); 646 lws_system_blob_direct_set(lws_system_get_blob(context, 647 LWS_SYSBLOB_TYPE_DEVICE_FW_VERSION, 0), 648 (const uint8_t *)"v0.01", 5); 649 650 /* 651 * ..._heap_append() appends to a buflist kind of arrangement on heap, 652 * just one block is fine, otherwise it will concatenate the fragments 653 * in the order they were appended (and take care of freeing them at 654 * context destroy time). ..._heap_empty() is also available to remove 655 * everything that was already allocated. 656 * 657 * Here we use _heap_append() just so it's tested as well as direct set. 658 */ 659 660 lws_system_blob_heap_append(lws_system_get_blob(context, 661 LWS_SYSBLOB_TYPE_DEVICE_TYPE, 0), 662 (const uint8_t *)"spacerocket", 11); 663#endif 664 665 /* the event loop */ 666 667 while (n >= 0 && !interrupted) 668 n = lws_service(context, 0); 669 670 lws_context_destroy(context); 671 672bail: 673 if ((p = lws_cmdline_option(argc, argv, "--expected-exit"))) 674 expected = atoi(p); 675 676 if (bad == expected) { 677 lwsl_user("Completed: OK (seen expected %d)\n", expected); 678 return 0; 679 } else 680 lwsl_err("Completed: failed: exit %d, expected %d\n", bad, expected); 681 682 return 1; 683} 684