int main(int argc, const char **argv)
{
struct lws_context_creation_info info;
const char *p, *plugin_dirs[] = {
"/usr/local/share/libwebsockets-test-server/plugins",
NULL };
int n = 0, logs = LLL_USER | LLL_ERR | LLL_WARN | LLL_NOTICE
/* for LLL_ verbosity above NOTICE to be built into lws,
* lws must have been configured and built with
* -DCMAKE_BUILD_TYPE=DEBUG instead of =RELEASE */
/* | LLL_INFO */ /* | LLL_PARSER */ /* | LLL_HEADER */
/* | LLL_EXT */ /* | LLL_CLIENT */ /* | LLL_LATENCY */
/* | LLL_DEBUG */;
if ((p = lws_cmdline_option(argc, argv, "-d")))
logs = atoi(p);
lws_set_log_level(logs, NULL);
lwsl_user("LWS minimal http server TLS | visit https://localhost:7681\n");
signal(SIGINT, sigint_handler);
memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
info.port = 7681;
info.mounts = &mount;
info.error_document_404 = "/404.html";
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
info.plugin_dirs = plugin_dirs;
info.pvo = &pvo;
if (lws_cmdline_option(argc, argv, "-h"))
info.options |= LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK;
context = lws_create_context(&info);
if (!context) {
lwsl_err("lws init failed\n");
return 1;
}
info.headers = &pvo_hsbph[3];
if (!lws_create_vhost(context, &info)) {
lwsl_err("lws init failed\n");
return 1;
}
while (n >= 0 && !interrupted)
n = lws_service(context, 1000);
lws_context_destroy(context);
return 0;
}
void
init_lws(void)
{
struct lws_context_creation_info info;
lws_set_log_level(7, lwsl_emit_syslog);
os_memset(&info, 0, sizeof(info));
info.port = 80;
info.fd_limit_per_thread = 12;
info.max_http_header_pool = 1;
info.max_http_header_data = 512;
info.pt_serv_buf_size = 1500;
info.keepalive_timeout = 5;
//info.ws_ping_pong_interval = 30;
info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
context = lws_create_context(&info);
if (context == NULL)
return;
lws_get_fops(context)->open = esp8266_lws_fops_open;
lws_get_fops(context)->close = esp8266_lws_fops_close;
lws_get_fops(context)->read = esp8266_lws_fops_read;
lws_get_fops(context)->seek_cur = esp8266_lws_fops_seek_cur;
if (!lwsesp_is_booting_in_ap_mode()) {
info.vhost_name = "station";
info.protocols = protocols_station;
info.mounts = &mount_station;
if (!lws_create_vhost(context, &info))
lwsl_err("Failed to create vhost station\n");
} else {
info.vhost_name = "ap";
info.protocols = protocols_ap;
info.mounts = &mount_ap;
if (!lws_create_vhost(context, &info))
lwsl_err("Failed to create vhost ap\n");
}
lws_protocol_init(context);
}
static int
callback_acme_client(struct lws *wsi, enum lws_callback_reasons reason,
void *user, void *in, size_t len)
{
struct per_vhost_data__lws_acme_client *vhd =
(struct per_vhost_data__lws_acme_client *)
lws_protocol_vh_priv_get(lws_get_vhost(wsi),
lws_get_protocol(wsi));
char buf[LWS_PRE + 2536], *start = buf + LWS_PRE, *p = start,
*end = buf + sizeof(buf) - 1, digest[32], *failreason = NULL;
unsigned char **pp, *pend;
const char *content_type;
const struct lws_protocol_vhost_options *pvo;
struct lws_acme_cert_aging_args *caa;
struct acme_connection *ac = NULL;
struct lws_genhash_ctx hctx;
struct lws *cwsi;
int n, m;
if (vhd)
ac = vhd->ac;
switch ((int)reason) {
case LWS_CALLBACK_PROTOCOL_INIT:
vhd = lws_protocol_vh_priv_zalloc(lws_get_vhost(wsi),
lws_get_protocol(wsi),
sizeof(struct per_vhost_data__lws_acme_client));
vhd->context = lws_get_context(wsi);
vhd->protocol = lws_get_protocol(wsi);
vhd->vhost = lws_get_vhost(wsi);
/* compute how much we need to hold all the pvo payloads */
m = 0;
pvo = (const struct lws_protocol_vhost_options *)in;
while (pvo) {
m += strlen(pvo->value) + 1;
pvo = pvo->next;
}
p = vhd->pvo_data = malloc(m);
if (!p)
return -1;
pvo = (const struct lws_protocol_vhost_options *)in;
while (pvo) {
start = p;
n = strlen(pvo->value) + 1;
memcpy(start, pvo->value, n);
p += n;
for (m = 0; m < (int)LWS_ARRAY_SIZE(pvo_names); m++)
if (!strcmp(pvo->name, pvo_names[m]))
vhd->pvop[m] = start;
pvo = pvo->next;
}
n = 0;
for (m = 0; m < (int)LWS_ARRAY_SIZE(pvo_names); m++)
if (!vhd->pvop[m] && m >= LWS_TLS_REQ_ELEMENT_COMMON_NAME) {
lwsl_notice("%s: require pvo '%s'\n", __func__,
pvo_names[m]);
n |= 1;
} else
if (vhd->pvop[m])
lwsl_info(" %s: %s\n", pvo_names[m],
vhd->pvop[m]);
if (n) {
free(vhd->pvo_data);
vhd->pvo_data = NULL;
return -1;
}
#if !defined(LWS_WITH_ESP32)
/*
* load (or create) the registration keypair while we
* still have root
*/
if (lws_acme_load_create_auth_keys(vhd, 4096))
return 1;
/*
* in case we do an update, open the update files while we
* still have root
*/
lws_snprintf(buf, sizeof(buf) - 1, "%s.upd",
vhd->pvop[LWS_TLS_SET_CERT_PATH]);
vhd->fd_updated_cert = lws_open(buf, LWS_O_WRONLY | LWS_O_CREAT |
LWS_O_TRUNC, 0600);
if (vhd->fd_updated_cert < 0) {
lwsl_err("unable to create update cert file %s\n", buf);
return -1;
}
lws_snprintf(buf, sizeof(buf) - 1, "%s.upd",
vhd->pvop[LWS_TLS_SET_KEY_PATH]);
vhd->fd_updated_key = lws_open(buf, LWS_O_WRONLY | LWS_O_CREAT |
LWS_O_TRUNC, 0600);
if (vhd->fd_updated_key < 0) {
lwsl_err("unable to create update key file %s\n", buf);
return -1;
}
#endif
break;
case LWS_CALLBACK_PROTOCOL_DESTROY:
if (vhd && vhd->pvo_data) {
free(vhd->pvo_data);
vhd->pvo_data = NULL;
}
if (vhd)
lws_acme_finished(vhd);
break;
case LWS_CALLBACK_VHOST_CERT_AGING:
if (!vhd)
break;
caa = (struct lws_acme_cert_aging_args *)in;
/*
* Somebody is telling us about a cert some vhost is using.
*
* First see if the cert is getting close enough to expiry that
* we *want* to do something about it.
*/
if ((int)(ssize_t)len > 14)
break;
/*
* ...is this a vhost we were configured on?
*/
if (vhd->vhost != caa->vh)
return 1;
for (n = 0; n < (int)LWS_ARRAY_SIZE(vhd->pvop);n++)
if (caa->element_overrides[n])
vhd->pvop_active[n] = caa->element_overrides[n];
else
vhd->pvop_active[n] = vhd->pvop[n];
lwsl_notice("starting acme acquisition on %s: %s\n",
lws_get_vhost_name(caa->vh), vhd->pvop_active[LWS_TLS_SET_DIR_URL]);
lws_acme_start_acquisition(vhd, caa->vh);
break;
/*
* Client
*/
case LWS_CALLBACK_CLIENT_ESTABLISHED:
lwsl_notice("%s: CLIENT_ESTABLISHED\n", __func__);
break;
case LWS_CALLBACK_CLIENT_CONNECTION_ERROR:
lwsl_notice("%s: CLIENT_CONNECTION_ERROR: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
lwsl_notice("%s: CLOSED_CLIENT_HTTP: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_CLOSED:
lwsl_notice("%s: CLOSED: %p\n", __func__, wsi);
break;
case LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP:
lwsl_notice("lws_http_client_http_response %d\n",
lws_http_client_http_response(wsi));
if (!ac)
break;
ac->resp = lws_http_client_http_response(wsi);
/* we get a new nonce each time */
if (lws_hdr_total_length(wsi, WSI_TOKEN_REPLAY_NONCE) &&
lws_hdr_copy(wsi, ac->replay_nonce,
sizeof(ac->replay_nonce),
WSI_TOKEN_REPLAY_NONCE) < 0) {
lwsl_notice("%s: nonce too large\n", __func__);
goto failed;
}
switch (ac->state) {
case ACME_STATE_DIRECTORY:
lejp_construct(&ac->jctx, cb_dir, vhd, jdir_tok,
LWS_ARRAY_SIZE(jdir_tok));
break;
case ACME_STATE_NEW_REG:
break;
case ACME_STATE_NEW_AUTH:
lejp_construct(&ac->jctx, cb_authz, ac, jauthz_tok,
LWS_ARRAY_SIZE(jauthz_tok));
break;
case ACME_STATE_POLLING:
case ACME_STATE_ACCEPT_CHALL:
lejp_construct(&ac->jctx, cb_chac, ac, jchac_tok,
LWS_ARRAY_SIZE(jchac_tok));
break;
case ACME_STATE_POLLING_CSR:
ac->cpos = 0;
if (ac->resp != 201)
break;
/*
* He acknowledges he will create the cert...
* get the URL to GET it from in the Location
* header.
*/
if (lws_hdr_copy(wsi, ac->challenge_uri,
sizeof(ac->challenge_uri),
WSI_TOKEN_HTTP_LOCATION) < 0) {
lwsl_notice("%s: missing cert location:\n",
__func__);
goto failed;
}
lwsl_notice("told to fetch cert from %s\n",
ac->challenge_uri);
break;
default:
break;
}
break;
case LWS_CALLBACK_CLIENT_APPEND_HANDSHAKE_HEADER:
if (!ac)
break;
switch (ac->state) {
case ACME_STATE_DIRECTORY:
break;
case ACME_STATE_NEW_REG:
p += lws_snprintf(p, end - p, "{"
"\"resource\":\"new-reg\","
"\"contact\":["
"\"mailto:%s\""
"],\"agreement\":\"%s\""
"}",
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_EMAIL],
ac->urls[JAD_TOS_URL]);
puts(start);
pkt_add_hdrs:
ac->len = lws_jws_create_packet(&vhd->jwk,
start, p - start,
ac->replay_nonce,
&ac->buf[LWS_PRE],
sizeof(ac->buf) -
LWS_PRE);
if (ac->len < 0) {
ac->len = 0;
lwsl_notice("lws_jws_create_packet failed\n");
goto failed;
}
pp = (unsigned char **)in;
pend = (*pp) + len;
ac->pos = 0;
content_type = "application/jose+json";
if (ac->state == ACME_STATE_POLLING_CSR)
content_type = "application/pkix-cert";
if (lws_add_http_header_by_token(wsi,
WSI_TOKEN_HTTP_CONTENT_TYPE,
(uint8_t *)content_type, 21, pp, pend)) {
lwsl_notice("could not add content type\n");
goto failed;
}
n = sprintf(buf, "%d", ac->len);
if (lws_add_http_header_by_token(wsi,
WSI_TOKEN_HTTP_CONTENT_LENGTH,
(uint8_t *)buf, n, pp, pend)) {
lwsl_notice("could not add content length\n");
goto failed;
}
lws_client_http_body_pending(wsi, 1);
lws_callback_on_writable(wsi);
lwsl_notice("prepare to send ACME_STATE_NEW_REG\n");
break;
case ACME_STATE_NEW_AUTH:
p += lws_snprintf(p, end - p,
"{"
"\"resource\":\"new-authz\","
"\"identifier\":{"
"\"type\":\"http-01\","
"\"value\":\"%s\""
"}"
"}", vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME]);
goto pkt_add_hdrs;
case ACME_STATE_ACCEPT_CHALL:
/*
* Several of the challenges in this document makes use
* of a key authorization string. A key authorization
* expresses a domain holder's authorization for a
* specified key to satisfy a specified challenge, by
* concatenating the token for the challenge with a key
* fingerprint, separated by a "." character:
*
* key-authz = token || '.' ||
* base64(JWK_Thumbprint(accountKey))
*
* The "JWK_Thumbprint" step indicates the computation
* specified in [RFC7638], using the SHA-256 digest. As
* specified in the individual challenges below, the
* token for a challenge is a JSON string comprised
* entirely of characters in the base64 alphabet.
* The "||" operator indicates concatenation of strings.
*
* keyAuthorization (required, string): The key
* authorization for this challenge. This value MUST
* match the token from the challenge and the client's
* account key.
*
* draft acme-01 tls-sni-01:
*
* {
* "keyAuthorization": "evaGxfADs...62jcerQ",
* } (Signed as JWS)
*
* draft acme-07 tls-sni-02:
*
* POST /acme/authz/1234/1
* Host: example.com
* Content-Type: application/jose+json
*
* {
* "protected": base64url({
* "alg": "ES256",
* "kid": "https://example.com/acme/acct/1",
* "nonce": "JHb54aT_KTXBWQOzGYkt9A",
* "url": "https://example.com/acme/authz/1234/1"
* }),
* "payload": base64url({
* "keyAuthorization": "evaGxfADs...62jcerQ"
* }),
* "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
* }
*
* On receiving a response, the server MUST verify that
* the key authorization in the response matches the
* "token" value in the challenge and the client's
* account key. If they do not match, then the server
* MUST return an HTTP error in response to the POST
* request in which the client sent the challenge.
*/
lws_jwk_rfc7638_fingerprint(&vhd->jwk, digest);
p = start;
end = &buf[sizeof(buf) - 1];
p += lws_snprintf(p, end - p,
"{\"resource\":\"challenge\","
"\"type\":\"tls-sni-0%d\","
"\"keyAuthorization\":\"%s.",
1 + ac->is_sni_02,
ac->chall_token);
n = lws_jws_base64_enc(digest, 32, p, end - p);
if (n < 0)
goto failed;
p += n;
p += lws_snprintf(p, end - p, "\"}");
puts(start);
goto pkt_add_hdrs;
case ACME_STATE_POLLING:
break;
case ACME_STATE_POLLING_CSR:
/*
* "To obtain a certificate for the domain, the agent
* constructs a PKCS#10 Certificate Signing Request that
* asks the Let’s Encrypt CA to issue a certificate for
* example.com with a specified public key. As usual,
* the CSR includes a signature by the private key
* corresponding to the public key in the CSR. The agent
* also signs the whole CSR with the authorized
* key for example.com so that the Let’s Encrypt CA
* knows it’s authorized."
*
* IOW we must create a new RSA keypair which will be
* the cert public + private key, and put the public
* key in the CSR. The CSR, just for transport, is also
* signed with our JWK, showing that as the owner of the
* authorized JWK, the request should be allowed.
*
* The cert comes back with our public key in it showing
* that the owner of the matching private key (we
* created that keypair) is the owner of the cert.
*
* We feed the CSR the elements we want in the cert,
* like the CN etc, and it gives us the b64URL-encoded
* CSR and the PEM-encoded (public +)private key in
* memory buffers.
*/
if (ac->goes_around)
break;
p += lws_snprintf(p, end - p,
"{\"resource\":\"new-cert\","
"\"csr\":\"");
n = lws_tls_acme_sni_csr_create(vhd->context,
&vhd->pvop_active[0],
(uint8_t *)p, end - p,
&ac->alloc_privkey_pem,
&ac->len_privkey_pem);
if (n < 0) {
lwsl_notice("CSR generation failed\n");
goto failed;
}
p += n;
p += lws_snprintf(p, end - p, "\"}");
puts(start);
goto pkt_add_hdrs;
default:
break;
}
break;
case LWS_CALLBACK_CLIENT_HTTP_WRITEABLE:
lwsl_notice("LWS_CALLBACK_CLIENT_HTTP_WRITEABLE\n");
if (!ac)
break;
if (ac->pos == ac->len)
break;
ac->buf[LWS_PRE + ac->len] = '\0';
if (lws_write(wsi, (uint8_t *)ac->buf + LWS_PRE,
ac->len, LWS_WRITE_HTTP_FINAL) < 0)
return -1;
lwsl_notice("wrote %d\n", ac->len);
ac->pos = ac->len;
lws_client_http_body_pending(wsi, 0);
break;
/* chunked content */
case LWS_CALLBACK_RECEIVE_CLIENT_HTTP_READ:
if (!ac)
return -1;
switch (ac->state) {
case ACME_STATE_POLLING:
case ACME_STATE_ACCEPT_CHALL:
case ACME_STATE_NEW_AUTH:
case ACME_STATE_DIRECTORY:
((char *)in)[len] = '\0';
puts(in);
m = (int)(signed char)lejp_parse(&ac->jctx,
(uint8_t *)in, len);
if (m < 0 && m != LEJP_CONTINUE) {
lwsl_notice("lejp parse failed %d\n", m);
goto failed;
}
break;
case ACME_STATE_NEW_REG:
((char *)in)[len] = '\0';
puts(in);
break;
case ACME_STATE_POLLING_CSR:
/* it should be the DER cert! */
if (ac->cpos + len > sizeof(ac->buf)) {
lwsl_notice("Incoming cert is too large!\n");
goto failed;
}
memcpy(&ac->buf[ac->cpos], in, len);
ac->cpos += len;
break;
default:
break;
}
break;
/* unchunked content */
case LWS_CALLBACK_RECEIVE_CLIENT_HTTP:
lwsl_notice("%s: LWS_CALLBACK_RECEIVE_CLIENT_HTTP\n", __func__);
{
char buffer[2048 + LWS_PRE];
char *px = buffer + LWS_PRE;
int lenx = sizeof(buffer) - LWS_PRE;
if (lws_http_client_read(wsi, &px, &lenx) < 0)
return -1;
}
break;
case LWS_CALLBACK_COMPLETED_CLIENT_HTTP:
lwsl_notice("%s: COMPLETED_CLIENT_HTTP\n", __func__);
if (!ac)
return -1;
switch (ac->state) {
case ACME_STATE_DIRECTORY:
lejp_destruct(&ac->jctx);
/* check dir validity */
for (n = 0; n < 6; n++)
lwsl_notice(" %d: %s\n", n, ac->urls[n]);
/*
* So... having the directory now... we try to
* register our keys next. It's OK if it ends up
* they're already registered... this eliminates any
* gaps where we stored the key but registration did
* not complete for some reason...
*/
ac->state = ACME_STATE_NEW_REG;
lws_acme_report_status(vhd->vhost, LWS_CUS_REG, NULL);
strcpy(buf, ac->urls[JAD_NEW_REG_URL]);
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
goto failed;
}
return -1; /* close the completed client connection */
case ACME_STATE_NEW_REG:
if ((ac->resp >= 200 && ac->resp < 299) ||
ac->resp == 409) {
/*
* Our account already existed, or exists now.
*
* Move on to requesting a cert auth.
*/
ac->state = ACME_STATE_NEW_AUTH;
lws_acme_report_status(vhd->vhost, LWS_CUS_AUTH,
NULL);
strcpy(buf, ac->urls[JAD_NEW_AUTHZ_URL]);
cwsi = lws_acme_client_connect(vhd->context,
vhd->vhost, &ac->cwsi,
&ac->i, buf, "POST");
if (!cwsi)
lwsl_notice("%s: failed to connect\n",
__func__);
return -1; /* close the completed client connection */
} else {
lwsl_notice("new-reg replied %d\n", ac->resp);
goto failed;
}
return -1; /* close the completed client connection */
case ACME_STATE_NEW_AUTH:
lejp_destruct(&ac->jctx);
if (ac->resp / 100 == 4) {
lws_snprintf(buf, sizeof(buf),
"Auth failed: %s", ac->detail);
failreason = buf;
lwsl_notice("auth failed\n");
goto failed;
}
lwsl_notice("chall: %s (%d)\n", ac->chall_token, ac->resp);
if (!ac->chall_token[0]) {
lwsl_notice("no challenge\n");
goto failed;
}
ac->state = ACME_STATE_ACCEPT_CHALL;
lws_acme_report_status(vhd->vhost, LWS_CUS_CHALLENGE,
NULL);
/* tls-sni-01 ... what a mess.
* The stuff in
* https://tools.ietf.org/html/
* draft-ietf-acme-acme-01#section-7.3
* "requires" n but it's missing from let's encrypt
* tls-sni-01 challenge. The go docs say that they just
* implement one hashing round regardless
* https://godoc.org/golang.org/x/crypto/acme
*
* The go way is what is actually implemented today by
* letsencrypt
*
* "A client responds to this challenge by constructing
* a key authorization from the "token" value provided
* in the challenge and the client's account key. The
* client first computes the SHA-256 digest Z0 of the
* UTF8-encoded key authorization, and encodes Z0 in
* UTF-8 lower-case hexadecimal form."
*/
/* tls-sni-02
*
* SAN A MUST be constructed as follows: compute the
* SHA-256 digest of the UTF-8-encoded challenge token
* and encode it in lowercase hexadecimal form. The
* dNSName is "x.y.token.acme.invalid", where x
* is the first half of the hexadecimal representation
* and y is the second half.
*/
memset(&ac->ci, 0, sizeof(ac->ci));
/* first compute the key authorization */
lws_jwk_rfc7638_fingerprint(&vhd->jwk, digest);
p = start;
end = &buf[sizeof(buf) - 1];
p += lws_snprintf(p, end - p, "%s.", ac->chall_token);
n = lws_jws_base64_enc(digest, 32, p, end - p);
if (n < 0)
goto failed;
p += n;
if (lws_genhash_init(&hctx, LWS_GENHASH_TYPE_SHA256))
return -1;
if (lws_genhash_update(&hctx, (uint8_t *)start,
lws_ptr_diff(p, start))) {
lws_genhash_destroy(&hctx, NULL);
return -1;
}
if (lws_genhash_destroy(&hctx, digest))
return -1;
p = buf;
for (n = 0; n < 32; n++) {
p += lws_snprintf(p, end - p, "%02x",
digest[n] & 0xff);
if (n == (32 / 2) - 1)
p = buf + 64;
}
p = ac->san_a;
if (ac->is_sni_02) {
lws_snprintf(p, sizeof(ac->san_a),
"%s.%s.token.acme.invalid",
buf, buf + 64);
/*
* SAN B MUST be constructed as follows: compute
* the SHA-256 digest of the UTF-8 encoded key
* authorization and encode it in lowercase
* hexadecimal form. The dNSName is
* "x.y.ka.acme.invalid" where x is the first
* half of the hexadecimal representation and y
* is the second half.
*/
lws_jwk_rfc7638_fingerprint(&vhd->jwk,
(char *)digest);
p = buf;
for (n = 0; n < 32; n++) {
p += lws_snprintf(p, end - p, "%02x",
digest[n] & 0xff);
if (n == (32 / 2) - 1)
p = buf + 64;
}
p = ac->san_b;
lws_snprintf(p, sizeof(ac->san_b),
"%s.%s.ka.acme.invalid",
buf, buf + 64);
} else {
lws_snprintf(p, sizeof(ac->san_a),
"%s.%s.acme.invalid", buf, buf + 64);
ac->san_b[0] = '\0';
}
lwsl_notice("san_a: '%s'\n", ac->san_a);
lwsl_notice("san_b: '%s'\n", ac->san_b);
/*
* tls-sni-01:
*
* The client then configures the TLS server at the
* domain such that when a handshake is initiated with
* the Server Name Indication extension set to
* "<Zi[0:32]>.<Zi[32:64]>.acme.invalid", the
* corresponding generated certificate is presented.
*
* tls-sni-02:
*
* The client MUST ensure that the certificate is
* served to TLS connections specifying a Server Name
* Indication (SNI) value of SAN A.
*/
ac->ci.vhost_name = ac->san_a;
/*
* we bind to exact iface of real vhost, so we can
* share the listen socket by SNI
*/
ac->ci.iface = ac->real_vh_iface;
/* listen on the same port as the vhost that triggered
* us */
ac->ci.port = ac->real_vh_port;
/* Skip filling in any x509 info into the ssl_ctx.
* It will be done at the callback
* LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS
* in this callback handler (below)
*/
ac->ci.options = LWS_SERVER_OPTION_CREATE_VHOST_SSL_CTX |
LWS_SERVER_OPTION_SKIP_PROTOCOL_INIT |
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
/* make ourselves protocols[0] for the new vhost */
ac->ci.protocols = acme_protocols;
/*
* vhost .user points to the ac associated with the
* temporary vhost
*/
ac->ci.user = ac;
ac->vhost = lws_create_vhost(lws_get_context(wsi),
&ac->ci);
if (!ac->vhost)
goto failed;
/*
* The challenge-specific vhost is up... let the ACME
* server know we are ready to roll...
*/
ac->goes_around = 0;
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i,
ac->challenge_uri,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect\n",
__func__);
goto failed;
}
return -1; /* close the completed client connection */
case ACME_STATE_ACCEPT_CHALL:
/*
* he returned something like this (which we parsed)
*
* {
* "type": "tls-sni-01",
* "status": "pending",
* "uri": "https://acme-staging.api.letsencrypt.org/
* acme/challenge/xCt7bT3FaxoIQU3Qry87t5h
* uKDcC-L-0ERcD5DLAZts/71100507",
* "token": "j2Vs-vLI_dsza4A35SFHIU03aIe2PzFRijbqCY
* dIVeE",
* "keyAuthorization": "j2Vs-vLI_dsza4A35SFHIU03aIe2
* PzFRijbqCYdIVeE.nmOtdFd8Jikn6K8NnYYmT5
* vCM_PwSDT8nLdOYoFXhRU"
* }
*
*/
lwsl_notice("%s: COMPLETED accept chall: %s\n",
__func__, ac->challenge_uri);
poll_again:
ac->state = ACME_STATE_POLLING;
lws_acme_report_status(vhd->vhost, LWS_CUS_CHALLENGE, NULL);
if (ac->goes_around++ == 20) {
lwsl_notice("%s: too many chall retries\n",
__func__);
goto failed;
}
lws_timed_callback_vh_protocol(vhd->vhost, vhd->protocol,
LWS_CALLBACK_USER + 0xac33, ac->goes_around == 1 ? 10 : 2);
return -1; /* close the completed client connection */
case ACME_STATE_POLLING:
if (ac->resp == 202 &&
strcmp(ac->status, "invalid") &&
strcmp(ac->status, "valid")) {
lwsl_notice("status: %s\n", ac->status);
goto poll_again;
}
if (!strcmp(ac->status, "invalid")) {
lwsl_notice("%s: polling failed\n", __func__);
lws_snprintf(buf, sizeof(buf),
"Challenge Invalid: %s", ac->detail);
failreason = buf;
goto failed;
}
lwsl_notice("Challenge passed\n");
/*
* The challenge was validated... so delete the
* temp SNI vhost now its job is done
*/
if (ac->vhost)
lws_vhost_destroy(ac->vhost);
ac->vhost = NULL;
/*
* now our JWK is accepted as authorized to make
* requests for the domain, next move is create the
* CSR signed with the JWK, and send it to the ACME
* server to request the actual certs.
*/
ac->state = ACME_STATE_POLLING_CSR;
lws_acme_report_status(vhd->vhost, LWS_CUS_REQ, NULL);
ac->goes_around = 0;
strcpy(buf, ac->urls[JAD_NEW_CERT_URL]);
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i, buf,
"POST");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
goto failed;
}
return -1; /* close the completed client connection */
case ACME_STATE_POLLING_CSR:
/*
* (after POSTing the CSR)...
*
* If the CA decides to issue a certificate, then the
* server creates a new certificate resource and
* returns a URI for it in the Location header field
* of a 201 (Created) response.
*
* HTTP/1.1 201 Created
* Location: https://example.com/acme/cert/asdf
*
* If the certificate is available at the time of the
* response, it is provided in the body of the response.
* If the CA has not yet issued the certificate, the
* body of this response will be empty. The client
* should then send a GET request to the certificate URI
* to poll for the certificate. As long as the
* certificate is unavailable, the server MUST provide a
* 202 (Accepted) response and include a Retry-After
* header to indicate when the server believes the
* certificate will be issued.
*/
if (ac->resp < 200 || ac->resp > 202) {
lwsl_notice("CSR poll failed on resp %d\n",
ac->resp);
goto failed;
}
if (ac->resp == 200) {
char *pp;
int max;
lwsl_notice("The cert was sent..\n");
lws_acme_report_status(vhd->vhost,
LWS_CUS_ISSUE, NULL);
/*
* That means we have the issued cert DER in
* ac->buf, length in ac->cpos; and the key in
* ac->alloc_privkey_pem, length in
* ac->len_privkey_pem.
*
* We write out a PEM copy of the cert, and a
* PEM copy of the private key, using the
* write-only fds we opened while we still
* had root.
*
* Estimate the size of the PEM version of the
* cert and allocate a temp buffer for it.
*
* This is a bit complicated because first we
* drop the b64url version into the buffer at
* +384, then we add the header at 0 and move
* lines of it back + '\n' to make PEM.
*
* This avoids the need for two fullsize
* allocations.
*/
max = (ac->cpos * 4) / 3 + 16 + 384;
start = p = malloc(max);
if (!p)
goto failed;
n = lws_b64_encode_string(ac->buf, ac->cpos,
start + 384, max - 384);
if (n < 0) {
free(start);
goto failed;
}
pp = start + 384;
p += lws_snprintf(start, 64, "%s",
"-----BEGIN CERTIFICATE-----\n");
while (n) {
m = 65;
if (n < m)
m = n;
memcpy(p, pp, m);
n -= m;
p += m;
pp += m;
if (n)
*p++ = '\n';
}
p += lws_snprintf(p,
max - lws_ptr_diff(p, start),
"%s",
"\n-----END CERTIFICATE-----\n");
n = lws_plat_write_cert(vhd->vhost, 0,
vhd->fd_updated_cert, start,
lws_ptr_diff(p, start));
free(start);
if (n) {
lwsl_err("unable to write ACME cert! %d\n", n);
goto failed;
}
/*
* don't close it... we may update the certs
* again
*/
if (lws_plat_write_cert(vhd->vhost, 1,
vhd->fd_updated_key,
ac->alloc_privkey_pem,
ac->len_privkey_pem)) {
lwsl_err("unable to write ACME key!\n");
goto failed;
}
/*
* we have written the persistent copies
*/
lwsl_notice("%s: Updated certs written for %s "
"to %s.upd and %s.upd\n", __func__,
vhd->pvop_active[LWS_TLS_REQ_ELEMENT_COMMON_NAME],
vhd->pvop_active[LWS_TLS_SET_CERT_PATH],
vhd->pvop_active[LWS_TLS_SET_KEY_PATH]);
/* notify lws there was a cert update */
if (lws_tls_cert_updated(vhd->context,
vhd->pvop_active[LWS_TLS_SET_CERT_PATH],
vhd->pvop_active[LWS_TLS_SET_KEY_PATH],
ac->buf, ac->cpos,
ac->alloc_privkey_pem,
ac->len_privkey_pem)) {
lwsl_notice("problem setting certs\n");
}
lws_acme_finished(vhd);
lws_acme_report_status(vhd->vhost,
LWS_CUS_SUCCESS, NULL);
return 0;
}
lws_acme_report_status(vhd->vhost, LWS_CUS_CONFIRM, NULL);
/* he is preparing the cert, go again with a GET */
if (ac->goes_around++ == 30) {
lwsl_notice("%s: too many retries\n",
__func__);
goto failed;
}
strcpy(buf, ac->challenge_uri);
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i, buf,
"GET");
if (!cwsi) {
lwsl_notice("%s: failed to connect to acme\n",
__func__);
goto failed;
}
return -1; /* close the completed client connection */
default:
break;
}
break;
case LWS_CALLBACK_USER + 0xac33:
if (!vhd)
break;
cwsi = lws_acme_client_connect(vhd->context, vhd->vhost,
&ac->cwsi, &ac->i,
ac->challenge_uri,
"GET");
if (!cwsi) {
lwsl_notice("%s: failed to connect\n", __func__);
goto failed;
}
break;
case LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS:
/*
* This goes to vhost->protocols[0], but for our temp certs
* vhost we created, we have arranged that to be our protocol,
* so the callback will come here.
*
* When we created the temp vhost, we set its pvo to point
* to the ac associated with the temp vhost.
*/
lwsl_debug("LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS\n");
ac = (struct acme_connection *)lws_get_vhost_user(
(struct lws_vhost *)in);
lws_acme_report_status((struct lws_vhost *)in,
LWS_CUS_CREATE_REQ,
"creating challenge cert");
if (lws_tls_acme_sni_cert_create((struct lws_vhost *)in,
ac->san_a, ac->san_b)) {
lwsl_err("%s: creating the sni test cert failed\n", __func__);
return -1;
}
break;
default:
break;
}
return 0;
failed:
lwsl_err("%s: failed out\n", __func__);
lws_acme_report_status(vhd->vhost, LWS_CUS_FAILED, failreason);
lws_acme_finished(vhd);
return -1;
}
int main(int argc, const char **argv)
{
struct lws_context_creation_info info;
struct lws_context *context;
const char *p;
int n = 0, logs = LLL_USER | LLL_ERR | LLL_WARN | LLL_NOTICE
/* for LLL_ verbosity above NOTICE to be built into lws,
* lws must have been configured and built with
* -DCMAKE_BUILD_TYPE=DEBUG instead of =RELEASE */
/* | LLL_INFO */ /* | LLL_PARSER */ /* | LLL_HEADER */
/* | LLL_EXT */ /* | LLL_CLIENT */ /* | LLL_LATENCY */
/* | LLL_DEBUG */;
if ((p = lws_cmdline_option(argc, argv, "-d")))
logs = atoi(p);
lws_set_log_level(logs, NULL);
lwsl_user("LWS minimal http server-multivhost | visit http://localhost:7681 / 7682\n");
signal(SIGINT, sigint_handler);
memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
/*
* Because of LWS_SERVER_OPTION_EXPLICIT_VHOSTS, this only creates
* the context and no longer creates a default vhost
*/
context = lws_create_context(&info);
if (!context) {
lwsl_err("lws init failed\n");
return 1;
}
/* it's our job now to create the vhosts we want:
*
* - "localhost1" listen on 7681 and serve ./mount-origin-localhost1/
* - "localhost2" listen on 7682 and serve ./mount-origin-localhost2/
* - "localhost3" share 7682 and serve ./mount-origin-localhost3/
*
* Note lws supports dynamic vhost creation and destruction at runtime.
* When using multi-vhost with your own protocols, you must provide a
* pvo for each vhost naming each protocol you want enabled on it.
* minimal-ws-server-threads demonstrates how to provide pvos.
*/
info.port = 7681;
info.mounts = &mount_localhost1;
info.error_document_404 = "/404.html";
info.vhost_name = "localhost1";
if (!lws_create_vhost(context, &info)) {
lwsl_err("Failed to create first vhost\n");
goto bail;
}
info.port = 7682;
info.mounts = &mount_localhost2;
info.error_document_404 = "/404.html";
info.vhost_name = "localhost2";
if (!lws_create_vhost(context, &info)) {
lwsl_err("Failed to create second vhost\n");
goto bail;
}
/* a second vhost listens on port 7682 */
info.mounts = &mount_localhost3;
info.error_document_404 = "/404.html";
info.vhost_name = "localhost3";
info.finalize = vh_destruction_notification;
info.finalize_arg = NULL;
if (!lws_create_vhost(context, &info)) {
lwsl_err("Failed to create third vhost\n");
goto bail;
}
if (lws_cmdline_option(argc, argv, "--die-after-vhost")) {
lwsl_warn("bailing after creating vhosts\n");
goto bail;
}
while (n >= 0 && !interrupted)
n = lws_service(context, 1000);
bail:
lws_context_destroy(context);
return 0;
}
int main(int argc, const char **argv)
{
struct lws_context_creation_info info;
struct lws_context *context;
const char *p;
int n = 0, logs = LLL_USER | LLL_ERR | LLL_WARN | LLL_NOTICE
/* for LLL_ verbosity above NOTICE to be built into lws,
* lws must have been configured and built with
* -DCMAKE_BUILD_TYPE=DEBUG instead of =RELEASE */
/* | LLL_INFO */ /* | LLL_PARSER */ /* | LLL_HEADER */
/* | LLL_EXT */ /* | LLL_CLIENT */ /* | LLL_LATENCY */
/* | LLL_DEBUG */;
signal(SIGINT, sigint_handler);
if ((p = lws_cmdline_option(argc, argv, "-d")))
logs = atoi(p);
lws_set_log_level(logs, NULL);
lwsl_user("LWS minimal http server dynamic | visit http://localhost:7681\n");
memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
/* for testing ah queue, not useful in real world */
if (lws_cmdline_option(argc, argv, "--ah1"))
info.max_http_header_pool = 1;
context = lws_create_context(&info);
if (!context) {
lwsl_err("lws init failed\n");
return 1;
}
/* http on 7681 */
info.port = 7681;
info.protocols = protocols;
info.mounts = &mount;
info.vhost_name = "http";
if (!lws_create_vhost(context, &info)) {
lwsl_err("Failed to create tls vhost\n");
goto bail;
}
/* https on 7682 */
info.port = 7682;
info.error_document_404 = "/404.html";
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
info.vhost_name = "localhost";
if (!lws_create_vhost(context, &info)) {
lwsl_err("Failed to create tls vhost\n");
goto bail;
}
while (n >= 0 && !interrupted)
n = lws_service(context, 1000);
bail:
lws_context_destroy(context);
return 0;
}
int main(int argc, char **argv)
{
struct lws_context_creation_info info;
struct lws_vhost *vhost;
char interface_name[128] = "";
unsigned int ms, oldms = 0;
const char *iface = NULL;
char cert_path[1024] = "";
char key_path[1024] = "";
char ca_path[1024] = "";
int uid = -1, gid = -1;
int use_ssl = 0;
int pp_secs = 0;
int opts = 0;
int n = 0;
#ifndef _WIN32
/* LOG_PERROR is not POSIX standard, and may not be portable */
#ifdef __sun
int syslog_options = LOG_PID;
#else
int syslog_options = LOG_PID | LOG_PERROR;
#endif
#endif
#ifndef LWS_NO_DAEMONIZE
int daemonize = 0;
#endif
/*
* take care to zero down the info struct, he contains random garbaage
* from the stack otherwise
*/
memset(&info, 0, sizeof info);
info.port = 7681;
while (n >= 0) {
n = getopt_long(argc, argv, "eci:hsap:d:Dr:C:K:A:R:vu:g:P:k",
options, NULL);
if (n < 0)
continue;
switch (n) {
case 'e':
opts |= LWS_SERVER_OPTION_LIBEV;
break;
#ifndef LWS_NO_DAEMONIZE
case 'D':
daemonize = 1;
#if !defined(_WIN32) && !defined(__sun)
syslog_options &= ~LOG_PERROR;
#endif
break;
#endif
case 'u':
uid = atoi(optarg);
break;
case 'g':
gid = atoi(optarg);
break;
case 'd':
debug_level = atoi(optarg);
break;
case 's':
use_ssl = 1;
break;
case 'a':
opts |= LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT;
break;
case 'p':
info.port = atoi(optarg);
break;
case 'i':
strncpy(interface_name, optarg, sizeof interface_name);
interface_name[(sizeof interface_name) - 1] = '\0';
iface = interface_name;
break;
case 'k':
info.bind_iface = 1;
#if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP)
info.caps[0] = CAP_NET_RAW;
info.count_caps = 1;
#endif
break;
case 'c':
close_testing = 1;
fprintf(stderr, " Close testing mode -- closes on "
"client after 50 dumb increments"
"and suppresses lws_mirror spam\n");
break;
case 'r':
resource_path = optarg;
printf("Setting resource path to \"%s\"\n",
resource_path);
break;
case 'C':
strncpy(cert_path, optarg, sizeof(cert_path) - 1);
cert_path[sizeof(cert_path) - 1] = '\0';
break;
case 'K':
strncpy(key_path, optarg, sizeof(key_path) - 1);
key_path[sizeof(key_path) - 1] = '\0';
break;
case 'A':
strncpy(ca_path, optarg, sizeof(ca_path) - 1);
ca_path[sizeof(ca_path) - 1] = '\0';
break;
case 'P':
pp_secs = atoi(optarg);
lwsl_notice("Setting pingpong interval to %d\n",
pp_secs);
break;
#if defined(LWS_OPENSSL_SUPPORT)
case 'v':
use_ssl = 1;
opts |=
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;
break;
#if defined(LWS_HAVE_SSL_CTX_set1_param)
case 'R':
strncpy(crl_path, optarg, sizeof(crl_path) - 1);
crl_path[sizeof(crl_path) - 1] = '\0';
break;
#endif
#endif
case 'h':
fprintf(stderr, "Usage: test-server "
"[--port=<p>] [--ssl] "
"[-d <log bitfield>] "
"[--resource_path <path>]\n");
exit(1);
}
}
#if !defined(LWS_NO_DAEMONIZE) && !defined(WIN32)
/*
* normally lock path would be /var/lock/lwsts or similar, to
* simplify getting started without having to take care about
* permissions or running as root, set to /tmp/.lwsts-lock
*/
if (daemonize && lws_daemonize("/tmp/.lwsts-lock")) {
fprintf(stderr, "Failed to daemonize\n");
return 10;
}
#endif
signal(SIGINT, sighandler);
#ifndef _WIN32
/* we will only try to log things according to our debug_level */
setlogmask(LOG_UPTO(LOG_DEBUG));
openlog("lwsts", syslog_options, LOG_DAEMON);
#endif
/* tell the library what debug level to emit and to send it to syslog */
lws_set_log_level(debug_level, lwsl_emit_syslog);
lwsl_notice("libwebsockets test server - license LGPL2.1+SLE\n");
lwsl_notice("(C) Copyright 2010-2016 Andy Green <*****@*****.**>\n");
printf("Using resource path \"%s\"\n", resource_path);
#ifdef EXTERNAL_POLL
max_poll_elements = getdtablesize();
pollfds = malloc(max_poll_elements * sizeof(struct lws_pollfd));
fd_lookup = malloc(max_poll_elements * sizeof(int));
if (pollfds == NULL || fd_lookup == NULL) {
lwsl_err("Out of memory pollfds=%d\n", max_poll_elements);
return -1;
}
#endif
info.iface = iface;
info.protocols = protocols;
info.ssl_cert_filepath = NULL;
info.ssl_private_key_filepath = NULL;
info.ws_ping_pong_interval = pp_secs;
if (use_ssl) {
if (strlen(resource_path) > sizeof(cert_path) - 32) {
lwsl_err("resource path too long\n");
return -1;
}
if (!cert_path[0])
sprintf(cert_path, "%s/libwebsockets-test-server.pem",
resource_path);
if (strlen(resource_path) > sizeof(key_path) - 32) {
lwsl_err("resource path too long\n");
return -1;
}
if (!key_path[0])
sprintf(key_path,
"%s/libwebsockets-test-server.key.pem",
resource_path);
info.ssl_cert_filepath = cert_path;
info.ssl_private_key_filepath = key_path;
if (ca_path[0])
info.ssl_ca_filepath = ca_path;
}
info.gid = gid;
info.uid = uid;
info.max_http_header_pool = 16;
info.options =
opts | LWS_SERVER_OPTION_VALIDATE_UTF8 |
LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.extensions = exts;
info.timeout_secs = 5;
info.ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"HIGH:!aNULL:!eNULL:!EXPORT:"
"!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:"
"!SHA1:!DHE-RSA-AES128-GCM-SHA256:"
"!DHE-RSA-AES128-SHA256:"
"!AES128-GCM-SHA256:"
"!AES128-SHA256:"
"!DHE-RSA-AES256-SHA256:" "!AES256-GCM-SHA384:" "!AES256-SHA256";
if (use_ssl)
/* redirect guys coming on http */
info.options |= LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS;
printf("options:%x\r\n", info.options);
printf("before create\n");
context = lws_create_context(&info);
printf("end create\n");
if (context == NULL) {
lwsl_err("libwebsocket init failed\n");
return -1;
}
printf("111111\r\n");
vhost = lws_create_vhost(context, &info);
if (!vhost) {
lwsl_err("vhost creation failed\n");
return -1;
}
printf("222222\r\n");
#if !defined(LWS_NO_CLIENT) && defined(LWS_OPENSSL_SUPPORT)
lws_init_vhost_client_ssl(&info, vhost);
#endif
/* this shows how to override the lws file operations. You don't need
* to do any of this unless you have a reason (eg, want to serve
* compressed files without decompressing the whole archive)
*/
/* stash original platform fops */
fops_plat = *(lws_get_fops(context));
/* override the active fops */
lws_get_fops(context)->open = test_server_fops_open;
n = 0;
#ifdef EXTERNAL_POLL
int ms_1sec = 0;
#endif
while (n >= 0 && !force_exit) {
struct timeval tv;
gettimeofday(&tv, NULL);
/*
* This provokes the LWS_CALLBACK_SERVER_WRITEABLE for every
* live websocket connection using the DUMB_INCREMENT protocol,
* as soon as it can take more packets (usually immediately)
*/
ms = (tv.tv_sec * 1000) + (tv.tv_usec / 1000);
if ((ms - oldms) > 1) {
lws_callback_on_writable_all_protocol(context,
&protocols
[PROTOCOL_DUMB_INCREMENT]);
oldms = ms;
}
lws_callback_on_writable_all_protocol(context,
&protocols
[PROTOCOL_FILE_SERVER_SEND]);
#ifdef EXTERNAL_POLL
/*
* this represents an existing server's single poll action
* which also includes libwebsocket sockets
*/
n = poll(pollfds, count_pollfds, 50);
if (n < 0)
continue;
if (n) {
for (n = 0; n < count_pollfds; n++)
if (pollfds[n].revents)
/*
* returns immediately if the fd does not
* match anything under libwebsockets
* control
*/
if (lws_service_fd(context,
&pollfds[n]) < 0)
goto done;
/* if needed, force-service wsis that may not have read all input */
while (!lws_service_adjust_timeout(context, 1, 0)) {
lwsl_notice("extpoll doing forced service!\n");
lws_service_tsi(context, -1, 0);
}
} else {
/* no revents, but before polling again, make lws check for any timeouts */
if (ms - ms_1sec > 1000) {
lwsl_notice("1 per sec\n");
lws_service_fd(context, NULL);
ms_1sec = ms;
}
}
#else
/*
* If libwebsockets sockets are all we care about,
* you can use this api which takes care of the poll()
* and looping through finding who needed service.
*
* If no socket needs service, it'll return anyway after
* the number of ms in the second argument.
*/
n = lws_service(context, 5);
#endif
}
#ifdef EXTERNAL_POLL
done:
#endif
lws_context_destroy(context);
lwsl_notice("libwebsockets-test-server exited cleanly\n");
#ifndef _WIN32
closelog();
#endif
return 0;
}
/* Transport implementation */
int janus_websockets_init(janus_transport_callbacks *callback, const char *config_path) {
if(g_atomic_int_get(&stopping)) {
/* Still stopping from before */
return -1;
}
if(callback == NULL || config_path == NULL) {
/* Invalid arguments */
return -1;
}
#ifndef LWS_WITH_IPV6
JANUS_LOG(LOG_WARN, "libwebsockets has been built without IPv6 support, will bind to IPv4 only\n");
#endif
/* This is the callback we'll need to invoke to contact the gateway */
gateway = callback;
/* Prepare the common context */
struct lws_context_creation_info wscinfo;
memset(&wscinfo, 0, sizeof wscinfo);
wscinfo.options |= LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
/* We use vhosts on the same context to address both APIs, secure or not */
struct lws_vhost *wss = NULL, *swss = NULL,
*admin_wss = NULL, *admin_swss = NULL;
/* Read configuration */
char filename[255];
g_snprintf(filename, 255, "%s/%s.cfg", config_path, JANUS_WEBSOCKETS_PACKAGE);
JANUS_LOG(LOG_VERB, "Configuration file: %s\n", filename);
janus_config *config = janus_config_parse(filename);
if(config != NULL) {
janus_config_print(config);
/* Handle configuration */
janus_config_item *item = janus_config_get_item_drilldown(config, "general", "json");
if(item && item->value) {
/* Check how we need to format/serialize the JSON output */
if(!strcasecmp(item->value, "indented")) {
/* Default: indented, we use three spaces for that */
json_format = JSON_INDENT(3) | JSON_PRESERVE_ORDER;
} else if(!strcasecmp(item->value, "plain")) {
/* Not indented and no new lines, but still readable */
json_format = JSON_INDENT(0) | JSON_PRESERVE_ORDER;
} else if(!strcasecmp(item->value, "compact")) {
/* Compact, so no spaces between separators */
json_format = JSON_COMPACT | JSON_PRESERVE_ORDER;
} else {
JANUS_LOG(LOG_WARN, "Unsupported JSON format option '%s', using default (indented)\n", item->value);
json_format = JSON_INDENT(3) | JSON_PRESERVE_ORDER;
}
}
/* Check if we need to send events to handlers */
janus_config_item *events = janus_config_get_item_drilldown(config, "general", "events");
if(events != NULL && events->value != NULL)
notify_events = janus_is_true(events->value);
if(!notify_events && callback->events_is_enabled()) {
JANUS_LOG(LOG_WARN, "Notification of events to handlers disabled for %s\n", JANUS_WEBSOCKETS_NAME);
}
item = janus_config_get_item_drilldown(config, "general", "ws_logging");
if(item && item->value) {
/* libwebsockets uses a mask to set log levels, as documented here:
* https://libwebsockets.org/lws-api-doc-master/html/group__log.html */
if(strstr(item->value, "none")) {
/* Disable libwebsockets logging completely (the default) */
} else if(strstr(item->value, "all")) {
/* Enable all libwebsockets logging */
ws_log_level = LLL_ERR | LLL_WARN | LLL_NOTICE | LLL_INFO |
LLL_DEBUG | LLL_PARSER | LLL_HEADER | LLL_EXT |
LLL_CLIENT | LLL_LATENCY | LLL_USER | LLL_COUNT;
} else {
/* Only enable some of the properties */
if(strstr(item->value, "err"))
ws_log_level |= LLL_ERR;
if(strstr(item->value, "warn"))
ws_log_level |= LLL_WARN;
if(strstr(item->value, "notice"))
ws_log_level |= LLL_NOTICE;
if(strstr(item->value, "info"))
ws_log_level |= LLL_INFO;
if(strstr(item->value, "debug"))
ws_log_level |= LLL_DEBUG;
if(strstr(item->value, "parser"))
ws_log_level |= LLL_PARSER;
if(strstr(item->value, "header"))
ws_log_level |= LLL_HEADER;
if(strstr(item->value, "ext"))
ws_log_level |= LLL_EXT;
if(strstr(item->value, "client"))
ws_log_level |= LLL_CLIENT;
if(strstr(item->value, "latency"))
ws_log_level |= LLL_LATENCY;
if(strstr(item->value, "user"))
ws_log_level |= LLL_USER;
if(strstr(item->value, "count"))
ws_log_level |= LLL_COUNT;
}
}
JANUS_LOG(LOG_INFO, "libwebsockets logging: %d\n", ws_log_level);
lws_set_log_level(ws_log_level, janus_websockets_log_emit_function);
/* Any ACL for either the Janus or Admin API? */
item = janus_config_get_item_drilldown(config, "general", "ws_acl");
if(item && item->value) {
gchar **list = g_strsplit(item->value, ",", -1);
gchar *index = list[0];
if(index != NULL) {
int i=0;
while(index != NULL) {
if(strlen(index) > 0) {
JANUS_LOG(LOG_INFO, "Adding '%s' to the Janus API allowed list...\n", index);
janus_websockets_allow_address(g_strdup(index), FALSE);
}
i++;
index = list[i];
}
}
g_strfreev(list);
list = NULL;
}
item = janus_config_get_item_drilldown(config, "admin", "admin_ws_acl");
if(item && item->value) {
gchar **list = g_strsplit(item->value, ",", -1);
gchar *index = list[0];
if(index != NULL) {
int i=0;
while(index != NULL) {
if(strlen(index) > 0) {
JANUS_LOG(LOG_INFO, "Adding '%s' to the Admin/monitor allowed list...\n", index);
janus_websockets_allow_address(g_strdup(index), TRUE);
}
i++;
index = list[i];
}
}
g_strfreev(list);
list = NULL;
}
/* Check if we need to enable the transport level ping/pong mechanism */
int pingpong_trigger = 0, pingpong_timeout = 0;
item = janus_config_get_item_drilldown(config, "general", "pingpong_trigger");
if(item && item->value) {
#if LWS_LIBRARY_VERSION_MAJOR >= 2 && LWS_LIBRARY_VERSION_MINOR >= 1
pingpong_trigger = atoi(item->value);
if(pingpong_trigger < 0) {
JANUS_LOG(LOG_WARN, "Invalid value for pingpong_trigger (%d), ignoring...\n", pingpong_trigger);
pingpong_trigger = 0;
}
#else
JANUS_LOG(LOG_WARN, "WebSockets ping/pong only supported in libwebsockets >= 2.1\n");
#endif
}
item = janus_config_get_item_drilldown(config, "general", "pingpong_timeout");
if(item && item->value) {
#if LWS_LIBRARY_VERSION_MAJOR >= 2 && LWS_LIBRARY_VERSION_MINOR >= 1
pingpong_timeout = atoi(item->value);
if(pingpong_timeout < 0) {
JANUS_LOG(LOG_WARN, "Invalid value for pingpong_timeout (%d), ignoring...\n", pingpong_timeout);
pingpong_timeout = 0;
}
#else
JANUS_LOG(LOG_WARN, "WebSockets ping/pong only supported in libwebsockets >= 2.1\n");
#endif
}
if((pingpong_trigger && !pingpong_timeout) || (!pingpong_trigger && pingpong_timeout)) {
JANUS_LOG(LOG_WARN, "pingpong_trigger and pingpong_timeout not both set, ignoring...\n");
}
#if LWS_LIBRARY_VERSION_MAJOR >= 2 && LWS_LIBRARY_VERSION_MINOR >= 1
if(pingpong_trigger > 0 && pingpong_timeout > 0) {
wscinfo.ws_ping_pong_interval = pingpong_trigger;
wscinfo.timeout_secs = pingpong_timeout;
}
#endif
/* Force single-thread server */
wscinfo.count_threads = 1;
/* Create the base context */
wsc = lws_create_context(&wscinfo);
if(wsc == NULL) {
JANUS_LOG(LOG_ERR, "Error creating libwebsockets context...\n");
janus_config_destroy(config);
return -1; /* No point in keeping the plugin loaded */
}
/* Setup the Janus API WebSockets server(s) */
item = janus_config_get_item_drilldown(config, "general", "ws");
if(!item || !item->value || !janus_is_true(item->value)) {
JANUS_LOG(LOG_WARN, "WebSockets server disabled\n");
} else {
int wsport = 8188;
item = janus_config_get_item_drilldown(config, "general", "ws_port");
if(item && item->value)
wsport = atoi(item->value);
char *interface = NULL;
item = janus_config_get_item_drilldown(config, "general", "ws_interface");
if(item && item->value)
interface = (char *)item->value;
char *ip = NULL;
item = janus_config_get_item_drilldown(config, "general", "ws_ip");
if(item && item->value) {
ip = (char *)item->value;
char *iface = janus_websockets_get_interface_name(ip);
if(iface == NULL) {
JANUS_LOG(LOG_WARN, "No interface associated with %s? Falling back to no interface...\n", ip);
}
ip = iface;
}
/* Prepare context */
struct lws_context_creation_info info;
memset(&info, 0, sizeof info);
info.port = wsport;
info.iface = ip ? ip : interface;
info.protocols = ws_protocols;
info.extensions = NULL;
info.ssl_cert_filepath = NULL;
info.ssl_private_key_filepath = NULL;
info.ssl_private_key_password = NULL;
info.gid = -1;
info.uid = -1;
info.options = 0;
/* Create the WebSocket context */
wss = lws_create_vhost(wsc, &info);
if(wss == NULL) {
JANUS_LOG(LOG_FATAL, "Error creating vhost for WebSockets server...\n");
} else {
JANUS_LOG(LOG_INFO, "WebSockets server started (port %d)...\n", wsport);
}
g_free(ip);
}
item = janus_config_get_item_drilldown(config, "general", "wss");
if(!item || !item->value || !janus_is_true(item->value)) {
JANUS_LOG(LOG_WARN, "Secure WebSockets server disabled\n");
} else {
int wsport = 8989;
item = janus_config_get_item_drilldown(config, "general", "wss_port");
if(item && item->value)
wsport = atoi(item->value);
char *interface = NULL;
item = janus_config_get_item_drilldown(config, "general", "wss_interface");
if(item && item->value)
interface = (char *)item->value;
char *ip = NULL;
item = janus_config_get_item_drilldown(config, "general", "wss_ip");
if(item && item->value) {
ip = (char *)item->value;
char *iface = janus_websockets_get_interface_name(ip);
if(iface == NULL) {
JANUS_LOG(LOG_WARN, "No interface associated with %s? Falling back to no interface...\n", ip);
}
ip = iface;
}
item = janus_config_get_item_drilldown(config, "certificates", "cert_pem");
if(!item || !item->value) {
JANUS_LOG(LOG_FATAL, "Missing certificate/key path\n");
} else {
char *server_pem = (char *)item->value;
char *server_key = (char *)item->value;
char *password = NULL;
item = janus_config_get_item_drilldown(config, "certificates", "cert_key");
if(item && item->value)
server_key = (char *)item->value;
item = janus_config_get_item_drilldown(config, "certificates", "cert_pwd");
if(item && item->value)
password = (char *)item->value;
JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
/* Prepare secure context */
struct lws_context_creation_info info;
memset(&info, 0, sizeof info);
info.port = wsport;
info.iface = ip ? ip : interface;
info.protocols = sws_protocols;
info.extensions = NULL;
info.ssl_cert_filepath = server_pem;
info.ssl_private_key_filepath = server_key;
info.ssl_private_key_password = password;
info.gid = -1;
info.uid = -1;
#if LWS_LIBRARY_VERSION_MAJOR >= 2
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
#else
info.options = 0;
#endif
/* Create the secure WebSocket context */
swss = lws_create_vhost(wsc, &info);
if(swss == NULL) {
JANUS_LOG(LOG_FATAL, "Error creating vhost for Secure WebSockets server...\n");
} else {
JANUS_LOG(LOG_INFO, "Secure WebSockets server started (port %d)...\n", wsport);
}
g_free(ip);
}
}
/* Do the same for the Admin API, if enabled */
item = janus_config_get_item_drilldown(config, "admin", "admin_ws");
if(!item || !item->value || !janus_is_true(item->value)) {
JANUS_LOG(LOG_WARN, "Admin WebSockets server disabled\n");
} else {
int wsport = 7188;
item = janus_config_get_item_drilldown(config, "admin", "admin_ws_port");
if(item && item->value)
wsport = atoi(item->value);
char *interface = NULL;
item = janus_config_get_item_drilldown(config, "admin", "admin_ws_interface");
if(item && item->value)
interface = (char *)item->value;
char *ip = NULL;
item = janus_config_get_item_drilldown(config, "admin", "admin_ws_ip");
if(item && item->value) {
ip = (char *)item->value;
char *iface = janus_websockets_get_interface_name(ip);
if(iface == NULL) {
JANUS_LOG(LOG_WARN, "No interface associated with %s? Falling back to no interface...\n", ip);
}
ip = iface;
}
/* Prepare context */
struct lws_context_creation_info info;
memset(&info, 0, sizeof info);
info.port = wsport;
info.iface = ip ? ip : interface;
info.protocols = admin_ws_protocols;
info.extensions = NULL;
info.ssl_cert_filepath = NULL;
info.ssl_private_key_filepath = NULL;
info.ssl_private_key_password = NULL;
info.gid = -1;
info.uid = -1;
info.options = 0;
/* Create the WebSocket context */
admin_wss = lws_create_vhost(wsc, &info);
if(admin_wss == NULL) {
JANUS_LOG(LOG_FATAL, "Error creating vhost for Admin WebSockets server...\n");
} else {
JANUS_LOG(LOG_INFO, "Admin WebSockets server started (port %d)...\n", wsport);
}
g_free(ip);
}
item = janus_config_get_item_drilldown(config, "admin", "admin_wss");
if(!item || !item->value || !janus_is_true(item->value)) {
JANUS_LOG(LOG_WARN, "Secure Admin WebSockets server disabled\n");
} else {
int wsport = 7989;
item = janus_config_get_item_drilldown(config, "admin", "admin_wss_port");
if(item && item->value)
wsport = atoi(item->value);
char *interface = NULL;
item = janus_config_get_item_drilldown(config, "admin", "admin_wss_interface");
if(item && item->value)
interface = (char *)item->value;
char *ip = NULL;
item = janus_config_get_item_drilldown(config, "admin", "admin_wss_ip");
if(item && item->value) {
ip = (char *)item->value;
char *iface = janus_websockets_get_interface_name(ip);
if(iface == NULL) {
JANUS_LOG(LOG_WARN, "No interface associated with %s? Falling back to no interface...\n", ip);
}
ip = iface;
}
item = janus_config_get_item_drilldown(config, "certificates", "cert_pem");
if(!item || !item->value) {
JANUS_LOG(LOG_FATAL, "Missing certificate/key path\n");
} else {
char *server_pem = (char *)item->value;
char *server_key = (char *)item->value;
char *password = NULL;
item = janus_config_get_item_drilldown(config, "certificates", "cert_key");
if(item && item->value)
server_key = (char *)item->value;
item = janus_config_get_item_drilldown(config, "certificates", "cert_pwd");
if(item && item->value)
password = (char *)item->value;
JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
/* Prepare secure context */
struct lws_context_creation_info info;
memset(&info, 0, sizeof info);
info.port = wsport;
info.iface = ip ? ip : interface;
info.protocols = admin_sws_protocols;
info.extensions = NULL;
info.ssl_cert_filepath = server_pem;
info.ssl_private_key_filepath = server_key;
info.ssl_private_key_password = password;
info.gid = -1;
info.uid = -1;
#if LWS_LIBRARY_VERSION_MAJOR >= 2
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
#else
info.options = 0;
#endif
/* Create the secure WebSocket context */
admin_swss = lws_create_vhost(wsc, &info);
if(admin_swss == NULL) {
JANUS_LOG(LOG_FATAL, "Error creating vhost for Secure Admin WebSockets server...\n");
} else {
JANUS_LOG(LOG_INFO, "Secure Admin WebSockets server started (port %d)...\n", wsport);
}
g_free(ip);
}
}
}
janus_config_destroy(config);
config = NULL;
if(!wss && !swss && !admin_wss && !admin_swss) {
JANUS_LOG(LOG_WARN, "No WebSockets server started, giving up...\n");
lws_context_destroy(wsc);
return -1; /* No point in keeping the plugin loaded */
}
ws_janus_api_enabled = wss || swss;
ws_admin_api_enabled = admin_wss || admin_swss;
g_atomic_int_set(&initialized, 1);
GError *error = NULL;
/* Start the WebSocket service thread */
if(ws_janus_api_enabled || ws_admin_api_enabled) {
ws_thread = g_thread_try_new("ws thread", &janus_websockets_thread, wsc, &error);
if(!ws_thread) {
g_atomic_int_set(&initialized, 0);
JANUS_LOG(LOG_ERR, "Got error %d (%s) trying to launch the WebSockets thread...\n", error->code, error->message ? error->message : "??");
return -1;
}
}
/* Done */
JANUS_LOG(LOG_INFO, "%s initialized!\n", JANUS_WEBSOCKETS_NAME);
return 0;
}
bool WebSocketTcpServer::init()
{
LOG_DEBUG("\n");
memset(&m_context_create_info, 0x00, sizeof(m_context_create_info));
m_context_create_info.port = stoi(m_bind);
m_context_create_info.iface = nullptr;
m_context_create_info.protocols = m_lws_protocols;
m_context_create_info.extensions = nullptr;
m_context_create_info.keepalive_timeout = 60;
m_context_create_info.timeout_secs = 5;
m_context_create_info.gid = -1;
m_context_create_info.uid = -1;
if ( m_security )
{
m_context_create_info.vhost_name = "localhost";
m_context_create_info.ssl_private_key_filepath = m_private_key_file.data();
m_context_create_info.ssl_private_key_password = m_private_key_password.data();
m_context_create_info.ssl_cert_filepath = m_cert_file.data();
m_context_create_info.ssl_ca_filepath = m_ca_file.data();
m_context_create_info.options =
LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS
| LWS_SERVER_OPTION_VALIDATE_UTF8
| LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT
| LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED
| LWS_SERVER_OPTION_EXPLICIT_VHOSTS
| LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
/**
* @warning LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT has a bug
* When client request ws(non-secure), server emit so much many logs (reason 34,35,36)
* via callback_websocket()
*/
m_context_create_info.ssl_cipher_list =
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"HIGH:!aNULL:!eNULL:!EXPORT:"
"!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:"
"!SHA1:!DHE-RSA-AES128-GCM-SHA256:"
"!DHE-RSA-AES128-SHA256:"
"!AES128-GCM-SHA256:"
"!AES128-SHA256:"
"!DHE-RSA-AES256-SHA256:"
"!AES256-GCM-SHA384:"
"!AES256-SHA256";
}
else
{
m_context_create_info.ssl_private_key_filepath = nullptr;
m_context_create_info.ssl_cert_filepath = nullptr;
m_context_create_info.ssl_ca_filepath = nullptr;
m_context_create_info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
}
m_context_create_info.server_string = m_name.data();
m_context_create_info.fd_limit_per_thread = m_max_client;
m_context_create_info.user = this;
m_context = lws_create_context(&m_context_create_info);
if ( nullptr == m_context )
{
LOG_ERROR("context has nullptr \n");
return false;
}
m_vhost = lws_create_vhost(m_context, &m_context_create_info);
if ( nullptr == m_vhost )
{
LOG_ERROR("vhost_context has nullptr \n");
return false;
}
return true;
}
static char
lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
{
struct jpargs *a = (struct jpargs *)ctx->user;
struct lws_protocol_vhost_options *pvo, *mp_cgienv;
struct lws_http_mount *m;
char *p, *p1;
int n;
#if 0
lwsl_notice(" %d: %s (%d)\n", reason, ctx->path, ctx->path_match);
for (n = 0; n < ctx->wildcount; n++)
lwsl_notice(" %d\n", ctx->wild[n]);
#endif
if (reason == LEJPCB_OBJECT_START && ctx->path_match == LEJPVP + 1) {
/* set the defaults for this vhost */
a->valid = 1;
a->head = NULL;
a->last = NULL;
a->info->port = 0;
a->info->iface = NULL;
a->info->protocols = a->protocols;
a->info->extensions = a->extensions;
a->info->ssl_cert_filepath = NULL;
a->info->ssl_private_key_filepath = NULL;
a->info->ssl_ca_filepath = NULL;
a->info->timeout_secs = 5;
a->info->ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"HIGH:!aNULL:!eNULL:!EXPORT:"
"!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:"
"!SHA1:!DHE-RSA-AES128-GCM-SHA256:"
"!DHE-RSA-AES128-SHA256:"
"!AES128-GCM-SHA256:"
"!AES128-SHA256:"
"!DHE-RSA-AES256-SHA256:"
"!AES256-GCM-SHA384:"
"!AES256-SHA256";
a->info->pvo = NULL;
a->info->keepalive_timeout = 60;
a->info->log_filepath = NULL;
a->info->options &= ~(LWS_SERVER_OPTION_UNIX_SOCK |
LWS_SERVER_OPTION_STS);
a->enable_client_ssl = 0;
}
if (reason == LEJPCB_OBJECT_START &&
ctx->path_match == LEJPVP_MOUNTS + 1) {
a->fresh_mount = 1;
memset(&a->m, 0, sizeof(a->m));
}
/* this catches, eg, vhosts[].ws-protocols[].xxx-protocol */
if (reason == LEJPCB_OBJECT_START &&
ctx->path_match == LEJPVP_PROTOCOL_NAME + 1) {
a->pvo = lwsws_align(a);
a->p += sizeof(*a->pvo);
n = lejp_get_wildcard(ctx, 0, a->p, a->end - a->p);
/* ie, enable this protocol, no options yet */
a->pvo->next = a->info->pvo;
a->info->pvo = a->pvo;
a->pvo->name = a->p;
lwsl_notice(" adding protocol %s\n", a->p);
a->p += n;
a->pvo->value = a->p;
a->pvo->options = NULL;
goto dostring;
}
if (reason == LEJPCB_OBJECT_END &&
(ctx->path_match == LEJPVP + 1 || !ctx->path[0]) &&
a->valid) {
struct lws_vhost *vhost;
//lwsl_notice("%s\n", ctx->path);
if (!a->info->port) {
lwsl_err("Port required (eg, 443)");
return 1;
}
a->valid = 0;
a->info->mounts = a->head;
vhost = lws_create_vhost(a->context, a->info);
if (!vhost) {
lwsl_err("Failed to create vhost %s\n",
a->info->vhost_name);
return 1;
}
a->any_vhosts = 1;
if (a->enable_client_ssl) {
memset(a->info, 0, sizeof(*a->info));
a->info->options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
lws_init_vhost_client_ssl(a->info, vhost);
}
return 0;
}
if (reason == LEJPCB_OBJECT_END &&
ctx->path_match == LEJPVP_MOUNTS + 1) {
static const char * const mount_protocols[] = {
"http://",
"https://",
"file://",
"cgi://",
">http://",
">https://",
"callback://"
};
if (!a->fresh_mount)
return 0;
if (!a->m.mountpoint || !a->m.origin) {
lwsl_err("mountpoint and origin required\n");
return 1;
}
lwsl_debug("adding mount %s\n", a->m.mountpoint);
m = lwsws_align(a);
memcpy(m, &a->m, sizeof(*m));
if (a->last)
a->last->mount_next = m;
for (n = 0; n < ARRAY_SIZE(mount_protocols); n++)
if (!strncmp(a->m.origin, mount_protocols[n],
strlen(mount_protocols[n]))) {
lwsl_err("----%s\n", a->m.origin);
m->origin_protocol = n;
m->origin = a->m.origin +
strlen(mount_protocols[n]);
break;
}
if (n == ARRAY_SIZE(mount_protocols)) {
lwsl_err("unsupported protocol:// %s\n", a->m.origin);
return 1;
}
a->p += sizeof(*m);
if (!a->head)
a->head = m;
a->last = m;
a->fresh_mount = 0;
}
/* we only match on the prepared path strings */
if (!(reason & LEJP_FLAG_CB_IS_VALUE) || !ctx->path_match)
return 0;
switch (ctx->path_match - 1) {
case LEJPVP_NAME:
a->info->vhost_name = a->p;
break;
case LEJPVP_PORT:
a->info->port = atoi(ctx->buf);
return 0;
case LEJPVP_INTERFACE:
a->info->iface = a->p;
break;
case LEJPVP_UNIXSKT:
if (arg_to_bool(ctx->buf))
a->info->options |= LWS_SERVER_OPTION_UNIX_SOCK;
else
a->info->options &= ~(LWS_SERVER_OPTION_UNIX_SOCK);
return 0;
case LEJPVP_STS:
if (arg_to_bool(ctx->buf))
a->info->options |= LWS_SERVER_OPTION_STS;
else
a->info->options &= ~(LWS_SERVER_OPTION_STS);
return 0;
case LEJPVP_HOST_SSL_KEY:
a->info->ssl_private_key_filepath = a->p;
break;
case LEJPVP_HOST_SSL_CERT:
a->info->ssl_cert_filepath = a->p;
break;
case LEJPVP_HOST_SSL_CA:
a->info->ssl_ca_filepath = a->p;
break;
case LEJPVP_ACCESS_LOG:
a->info->log_filepath = a->p;
break;
case LEJPVP_MOUNTPOINT:
a->m.mountpoint = a->p;
a->m.mountpoint_len = (unsigned char)strlen(ctx->buf);
break;
case LEJPVP_ORIGIN:
if (!strncmp(ctx->buf, "callback://", 11))
a->m.protocol = a->p + 11;
if (!a->m.origin)
a->m.origin = a->p;
break;
case LEJPVP_DEFAULT:
a->m.def = a->p;
break;
case LEJPVP_DEFAULT_AUTH_MASK:
a->m.auth_mask = atoi(ctx->buf);
return 0;
case LEJPVP_MOUNT_CACHE_MAX_AGE:
a->m.cache_max_age = atoi(ctx->buf);
return 0;
case LEJPVP_MOUNT_CACHE_REUSE:
a->m.cache_reusable = arg_to_bool(ctx->buf);
return 0;
case LEJPVP_MOUNT_CACHE_REVALIDATE:
a->m.cache_revalidate = arg_to_bool(ctx->buf);
return 0;
case LEJPVP_MOUNT_CACHE_INTERMEDIARIES:
a->m.cache_intermediaries = arg_to_bool(ctx->buf);;
return 0;
case LEJPVP_CGI_TIMEOUT:
a->m.cgi_timeout = atoi(ctx->buf);
return 0;
case LEJPVP_KEEPALIVE_TIMEOUT:
a->info->keepalive_timeout = atoi(ctx->buf);
return 0;
case LEJPVP_CIPHERS:
a->info->ssl_cipher_list = a->p;
break;
case LEJPVP_ECDH_CURVE:
a->info->ecdh_curve = a->p;
break;
case LEJPVP_PMO:
case LEJPVP_CGI_ENV:
mp_cgienv = lwsws_align(a);
a->p += sizeof(*a->m.cgienv);
mp_cgienv->next = a->m.cgienv;
a->m.cgienv = mp_cgienv;
n = lejp_get_wildcard(ctx, 0, a->p, a->end - a->p);
mp_cgienv->name = a->p;
a->p += n;
mp_cgienv->value = a->p;
mp_cgienv->options = NULL;
lwsl_notice(" adding pmo / cgi-env '%s' = '%s'\n", mp_cgienv->name,
mp_cgienv->value);
goto dostring;
case LEJPVP_PROTOCOL_NAME_OPT:
/* this catches, eg,
* vhosts[].ws-protocols[].xxx-protocol.yyy-option
* ie, these are options attached to a protocol with { }
*/
pvo = lwsws_align(a);
a->p += sizeof(*a->pvo);
n = lejp_get_wildcard(ctx, 1, a->p, a->end - a->p);
/* ie, enable this protocol, no options yet */
pvo->next = a->pvo->options;
a->pvo->options = pvo;
pvo->name = a->p;
a->p += n;
pvo->value = a->p;
pvo->options = NULL;
break;
case LEJPVP_MOUNT_EXTRA_MIMETYPES:
a->pvo_em = lwsws_align(a);
a->p += sizeof(*a->pvo_em);
n = lejp_get_wildcard(ctx, 0, a->p, a->end - a->p);
/* ie, enable this protocol, no options yet */
a->pvo_em->next = a->m.extra_mimetypes;
a->m.extra_mimetypes = a->pvo_em;
a->pvo_em->name = a->p;
lwsl_notice(" adding extra-mimetypes %s -> %s\n", a->p, ctx->buf);
a->p += n;
a->pvo_em->value = a->p;
a->pvo_em->options = NULL;
break;
case LEJPVP_MOUNT_INTERPRET:
a->pvo_int = lwsws_align(a);
a->p += sizeof(*a->pvo_int);
n = lejp_get_wildcard(ctx, 0, a->p, a->end - a->p);
/* ie, enable this protocol, no options yet */
a->pvo_int->next = a->m.interpret;
a->m.interpret = a->pvo_int;
a->pvo_int->name = a->p;
lwsl_notice(" adding interpret %s -> %s\n", a->p,
ctx->buf);
a->p += n;
a->pvo_int->value = a->p;
a->pvo_int->options = NULL;
break;
case LEJPVP_ENABLE_CLIENT_SSL:
a->enable_client_ssl = arg_to_bool(ctx->buf);
return 0;
case LEJPVP_NOIPV6:
if (arg_to_bool(ctx->buf))
a->info->options |= LWS_SERVER_OPTION_DISABLE_IPV6;
else
a->info->options &= ~(LWS_SERVER_OPTION_DISABLE_IPV6);
return 0;
case LEJPVP_IPV6ONLY:
a->info->options |= LWS_SERVER_OPTION_IPV6_V6ONLY_MODIFY;
if (arg_to_bool(ctx->buf))
a->info->options |= LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE;
else
a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
return 0;
case LEJPVP_SSL_OPTION_SET:
a->info->ssl_options_set |= atol(ctx->buf);
return 0;
case LEJPVP_SSL_OPTION_CLEAR:
a->info->ssl_options_clear |= atol(ctx->buf);
return 0;
default:
return 0;
}
dostring:
p = ctx->buf;
p1 = strstr(p, ESC_INSTALL_DATADIR);
if (p1) {
n = p1 - p;
if (n > a->end - a->p)
n = a->end - a->p;
strncpy(a->p, p, n);
a->p += n;
a->p += snprintf(a->p, a->end - a->p, "%s", LWS_INSTALL_DATADIR);
p += n + strlen(ESC_INSTALL_DATADIR);
}
a->p += snprintf(a->p, a->end - a->p, "%s", p);
*(a->p)++ = '\0';
return 0;
}
LWS_VISIBLE struct lws_context *
lws_create_context(struct lws_context_creation_info *info)
{
struct lws_context *context = NULL;
#ifndef LWS_NO_DAEMONIZE
int pid_daemon = get_daemonize_pid();
#endif
int n, m;
#if defined(__ANDROID__)
struct rlimit rt;
#endif
lwsl_notice("Initial logging level %d\n", log_level);
lwsl_notice("Libwebsockets version: %s\n", library_version);
#if LWS_POSIX
#ifdef LWS_USE_IPV6
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DISABLE_IPV6))
lwsl_notice("IPV6 compiled in and enabled\n");
else
lwsl_notice("IPV6 compiled in but disabled\n");
#else
lwsl_notice("IPV6 not compiled in\n");
#endif
lws_feature_status_libev(info);
lws_feature_status_libuv(info);
#endif
lwsl_info(" LWS_DEF_HEADER_LEN : %u\n", LWS_DEF_HEADER_LEN);
lwsl_info(" LWS_MAX_PROTOCOLS : %u\n", LWS_MAX_PROTOCOLS);
lwsl_info(" LWS_MAX_SMP : %u\n", LWS_MAX_SMP);
lwsl_info(" SPEC_LATEST_SUPPORTED : %u\n", SPEC_LATEST_SUPPORTED);
lwsl_info(" sizeof (*info) : %u\n", sizeof(*info));
#if LWS_POSIX
lwsl_info(" SYSTEM_RANDOM_FILEPATH: '%s'\n", SYSTEM_RANDOM_FILEPATH);
#endif
if (lws_plat_context_early_init())
return NULL;
context = lws_zalloc(sizeof(struct lws_context));
if (!context) {
lwsl_err("No memory for websocket context\n");
return NULL;
}
if (info->pt_serv_buf_size)
context->pt_serv_buf_size = info->pt_serv_buf_size;
else
context->pt_serv_buf_size = 4096;
context->reject_service_keywords = info->reject_service_keywords;
context->time_up = time(NULL);
#ifndef LWS_NO_DAEMONIZE
if (pid_daemon) {
context->started_with_parent = pid_daemon;
lwsl_notice(" Started with daemon pid %d\n", pid_daemon);
}
#endif
#if defined(__ANDROID__)
n = getrlimit ( RLIMIT_NOFILE,&rt);
if (-1 == n) {
lwsl_err("Get RLIMIT_NOFILE failed!\n");
return NULL;
}
context->max_fds = rt.rlim_cur;
#else
context->max_fds = getdtablesize();
#endif
if (info->count_threads)
context->count_threads = info->count_threads;
else
context->count_threads = 1;
if (context->count_threads > LWS_MAX_SMP)
context->count_threads = LWS_MAX_SMP;
context->token_limits = info->token_limits;
context->options = info->options;
if (info->timeout_secs)
context->timeout_secs = info->timeout_secs;
else
context->timeout_secs = AWAITING_TIMEOUT;
context->ws_ping_pong_interval = info->ws_ping_pong_interval;
lwsl_info(" default timeout (secs): %u\n", context->timeout_secs);
if (info->max_http_header_data)
context->max_http_header_data = info->max_http_header_data;
else
if (info->max_http_header_data2)
context->max_http_header_data =
info->max_http_header_data2;
else
context->max_http_header_data = LWS_DEF_HEADER_LEN;
if (info->max_http_header_pool)
context->max_http_header_pool = info->max_http_header_pool;
else
context->max_http_header_pool = LWS_DEF_HEADER_POOL;
/*
* Allocate the per-thread storage for scratchpad buffers,
* and header data pool
*/
for (n = 0; n < context->count_threads; n++) {
context->pt[n].serv_buf = lws_zalloc(context->pt_serv_buf_size);
if (!context->pt[n].serv_buf) {
lwsl_err("OOM\n");
return NULL;
}
#ifdef LWS_USE_LIBUV
context->pt[n].context = context;
#endif
context->pt[n].tid = n;
context->pt[n].http_header_data = lws_malloc(context->max_http_header_data *
context->max_http_header_pool);
if (!context->pt[n].http_header_data)
goto bail;
context->pt[n].ah_pool = lws_zalloc(sizeof(struct allocated_headers) *
context->max_http_header_pool);
for (m = 0; m < context->max_http_header_pool; m++)
context->pt[n].ah_pool[m].data =
(char *)context->pt[n].http_header_data +
(m * context->max_http_header_data);
if (!context->pt[n].ah_pool)
goto bail;
lws_pt_mutex_init(&context->pt[n]);
}
if (info->fd_limit_per_thread)
context->fd_limit_per_thread = info->fd_limit_per_thread;
else
context->fd_limit_per_thread = context->max_fds /
context->count_threads;
lwsl_notice(" Threads: %d each %d fds\n", context->count_threads,
context->fd_limit_per_thread);
memset(&wsi, 0, sizeof(wsi));
wsi.context = context;
if (!info->ka_interval && info->ka_time > 0) {
lwsl_err("info->ka_interval can't be 0 if ka_time used\n");
return NULL;
}
#ifdef LWS_USE_LIBEV
/* (Issue #264) In order to *avoid breaking backwards compatibility*, we
* enable libev mediated SIGINT handling with a default handler of
* lws_sigint_cb. The handler can be overridden or disabled
* by invoking lws_sigint_cfg after creating the context, but
* before invoking lws_initloop:
*/
context->use_ev_sigint = 1;
context->lws_ev_sigint_cb = &lws_ev_sigint_cb;
#endif /* LWS_USE_LIBEV */
#ifdef LWS_USE_LIBUV
/* (Issue #264) In order to *avoid breaking backwards compatibility*, we
* enable libev mediated SIGINT handling with a default handler of
* lws_sigint_cb. The handler can be overridden or disabled
* by invoking lws_sigint_cfg after creating the context, but
* before invoking lws_initloop:
*/
context->use_ev_sigint = 1;
context->lws_uv_sigint_cb = &lws_uv_sigint_cb;
#endif
lwsl_info(" mem: context: %5u bytes (%d ctx + (%d thr x %d))\n",
sizeof(struct lws_context) +
(context->count_threads * context->pt_serv_buf_size),
sizeof(struct lws_context),
context->count_threads,
context->pt_serv_buf_size);
lwsl_info(" mem: http hdr rsvd: %5u bytes (%u thr x (%u + %u) x %u))\n",
(context->max_http_header_data +
sizeof(struct allocated_headers)) *
context->max_http_header_pool * context->count_threads,
context->count_threads,
context->max_http_header_data,
sizeof(struct allocated_headers),
context->max_http_header_pool);
n = sizeof(struct lws_pollfd) * context->count_threads *
context->fd_limit_per_thread;
context->pt[0].fds = lws_zalloc(n);
if (context->pt[0].fds == NULL) {
lwsl_err("OOM allocating %d fds\n", context->max_fds);
goto bail;
}
lwsl_info(" mem: pollfd map: %5u\n", n);
if (info->server_string) {
context->server_string = info->server_string;
context->server_string_len = (short)
strlen(context->server_string);
} else {
context->server_string = "libwebsockets";
context->server_string_len = 13;
}
#if LWS_MAX_SMP > 1
/* each thread serves his own chunk of fds */
for (n = 1; n < (int)info->count_threads; n++)
context->pt[n].fds = context->pt[n - 1].fds +
context->fd_limit_per_thread;
#endif
if (lws_plat_init(context, info))
goto bail;
lws_context_init_ssl_library(info);
context->user_space = info->user;
/*
* if he's not saying he'll make his own vhosts later then act
* compatibly and make a default vhost using the data in the info
*/
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_EXPLICIT_VHOSTS))
if (!lws_create_vhost(context, info)) {
lwsl_err("Failed to create default vhost\n");
return NULL;
}
lws_context_init_extensions(info, context);
lwsl_notice(" mem: per-conn: %5u bytes + protocol rx buf\n",
sizeof(struct lws));
strcpy(context->canonical_hostname, "unknown");
lws_server_get_canonical_hostname(context, info);
context->uid = info->uid;
context->gid = info->gid;
/*
* drop any root privs for this process
* to listen on port < 1023 we would have needed root, but now we are
* listening, we don't want the power for anything else
*/
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_EXPLICIT_VHOSTS))
lws_plat_drop_app_privileges(info);
/*
* give all extensions a chance to create any per-context
* allocations they need
*/
if (info->port != CONTEXT_PORT_NO_LISTEN) {
if (lws_ext_cb_all_exts(context, NULL,
LWS_EXT_CB_SERVER_CONTEXT_CONSTRUCT, NULL, 0) < 0)
goto bail;
} else
if (lws_ext_cb_all_exts(context, NULL,
LWS_EXT_CB_CLIENT_CONTEXT_CONSTRUCT, NULL, 0) < 0)
goto bail;
return context;
bail:
lws_context_destroy(context);
return NULL;
}
