1 /*
2 * lws-minimal-secure-streams
3 *
4 * Written in 2010-2020 by Andy Green <andy@warmcat.com>
5 *
6 * This file is made available under the Creative Commons CC0 1.0
7 * Universal Public Domain Dedication.
8 *
9 *
10 * This demonstrates a minimal http client using secure streams api.
11 *
12 * It visits https://warmcat.com/ and receives the html page there.
13 *
14 * This example is built two different ways from the same source... one includes
15 * the policy everything needed to fulfil the stream directly. The other -client
16 * variant has no policy itself and some other minor init changes, and connects
17 * to the -proxy example to actually get the connection done.
18 *
19 * In the -client build case, the example does not even init the tls libraries
20 * since the proxy part will take care of all that.
21 */
22
23 #include <libwebsockets.h>
24 #include <string.h>
25 #include <signal.h>
26
27 /*
28 * uncomment to force network traffic through 127.0.0.1:1080
29 *
30 * On your local machine, you can run a SOCKS5 proxy like this
31 *
32 * $ ssh -N -D 0.0.0.0:1080 localhost -v
33 *
34 * If enabled, this also fetches a remote policy that also
35 * specifies that all traffic should go through the remote
36 * proxy.
37 */
38 // #define VIA_LOCALHOST_SOCKS
39
40 static int interrupted, bad = 1, force_cpd_fail_portal,
41 force_cpd_fail_no_internet, test_respmap;
42 static const char *streamtype = "mintest";
43 static unsigned int timeout_ms = 3000;
44 static lws_state_notify_link_t nl;
45
46 /*
47 * If the -proxy app is fulfilling our connection, then we don't need to have
48 * the policy in the client.
49 *
50 * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
51 * a Unix Domain Socket. To test that, you need to separately run the
52 * ./lws-minimal-secure-streams-proxy test app on the same machine.
53 */
54
55 #if !defined(LWS_SS_USE_SSPC)
56 static const char * const default_ss_policy =
57 "{"
58 "\"release\":" "\"01234567\","
59 "\"product\":" "\"myproduct\","
60 "\"schema-version\":" "1,"
61 #if defined(VIA_LOCALHOST_SOCKS)
62 "\"via-socks5\":" "\"127.0.0.1:1080\","
63 #endif
64
65 "\"retry\": [" /* named backoff / retry strategies */
66 "{\"default\": {"
67 "\"backoff\": [" "1000,"
68 "2000,"
69 "3000,"
70 "5000,"
71 "10000"
72 "],"
73 "\"conceal\":" "5,"
74 "\"jitterpc\":" "20,"
75 "\"svalidping\":" "30,"
76 "\"svalidhup\":" "35"
77 "}}"
78 "],"
79 "\"certs\": [" /* named individual certificates in BASE64 DER */
80 /*
81 * Let's Encrypt certs for warmcat.com / libwebsockets.org
82 *
83 * We fetch the real policy from there using SS and switch to
84 * using that.
85 */
86 "{\"isrg_root_x1\": \""
87 "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw"
88 "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
89 "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4"
90 "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu"
91 "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY"
92 "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc"
93 "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+"
94 "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U"
95 "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW"
96 "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH"
97 "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC"
98 "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv"
99 "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn"
100 "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn"
101 "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw"
102 "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI"
103 "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV"
104 "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq"
105 "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL"
106 "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ"
107 "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK"
108 "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5"
109 "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur"
110 "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC"
111 "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc"
112 "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq"
113 "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA"
114 "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d"
115 "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc="
116 "\"}"
117 "],"
118 "\"trust_stores\": [" /* named cert chains */
119 "{"
120 "\"name\": \"le_via_isrg\","
121 "\"stack\": ["
122 "\"isrg_root_x1\""
123 "]"
124 "}"
125 "],"
126 "\"s\": ["
127 /*
128 * "fetch_policy" decides from where the real policy
129 * will be fetched, if present. Otherwise the initial
130 * policy is treated as the whole, hardcoded, policy.
131 */
132 "{\"fetch_policy\": {"
133 "\"endpoint\":" "\"warmcat.com\","
134 "\"port\":" "443,"
135 "\"protocol\":" "\"h1\","
136 "\"http_method\":" "\"GET\","
137 #if defined(VIA_LOCALHOST_SOCKS)
138 "\"http_url\":" "\"policy/minimal-proxy-socks.json\","
139 #else
140 "\"http_url\":" "\"policy/minimal-proxy-v4.2-v2.json\","
141 #endif
142 "\"tls\":" "true,"
143 "\"opportunistic\":" "true,"
144 "\"retry\":" "\"default\","
145 "\"tls_trust_store\":" "\"le_via_isrg\""
146 "}},{"
147 /*
148 * "captive_portal_detect" describes
149 * what to do in order to check if the path to
150 * the Internet is being interrupted by a
151 * captive portal. If there's a larger policy
152 * fetched from elsewhere, it should also include
153 * this since it needs to be done at least after
154 * every DHCP acquisition
155 */
156 "\"captive_portal_detect\": {"
157 "\"endpoint\": \"connectivitycheck.android.com\","
158 "\"http_url\": \"generate_204\","
159 "\"port\": 80,"
160 "\"protocol\": \"h1\","
161 "\"http_method\": \"GET\","
162 "\"opportunistic\": true,"
163 "\"http_expect\": 204,"
164 "\"http_fail_redirect\": true"
165 "}}"
166 "]}"
167 ;
168
169 #endif
170
171 typedef struct myss {
172 struct lws_ss_handle *ss;
173 void *opaque_data;
174 /* ... application specific state ... */
175 lws_sorted_usec_list_t sul;
176 } myss_t;
177
178 #if !defined(LWS_SS_USE_SSPC)
179
180 static const char *canned_root_token_payload =
181 "grant_type=refresh_token"
182 "&refresh_token=Atzr|IwEBIJedGXjDqsU_vMxykqOMg"
183 "SHfYe3CPcedueWEMWSDMaDnEmiW8RlR1Kns7Cb4B-TOSnqp7ifVsY4BMY2B8tpHfO39XP"
184 "zfu9HapGjTR458IyHX44FE71pWJkGZ79uVBpljP4sazJuk8XS3Oe_yLnm_DIO6fU1nU3Y"
185 "0flYmsOiOAQE_gRk_pdlmEtHnpMA-9rLw3mkY5L89Ty9kUygBsiFaYatouROhbsTn8-jW"
186 "k1zZLUDpT6ICtBXSnrCIg0pUbZevPFhTwdXd6eX-u4rq0W-XaDvPWFO7au-iPb4Zk5eZE"
187 "iX6sissYrtNmuEXc2uHu7MnQO1hHCaTdIO2CANVumf-PHSD8xseamyh04sLV5JgFzY45S"
188 "KvKMajiUZuLkMokOx86rjC2Hdkx5DO7G-dbG1ufBDG-N79pFMSs7Ck5pc283IdLoJkCQc"
189 "AGvTX8o8I29QqkcGou-9TKhOJmpX8As94T61ok0UqqEKPJ7RhfQHHYdCtsdwxgvfVr9qI"
190 "xL_hDCcTho8opCVX-6QhJHl6SQFlTw13"
191 "&client_id="
192 "amzn1.application-oa2-client.4823334c434b4190a2b5a42c07938a2d";
193
194 #endif
195
196 /* secure streams payload interface */
197
198 static lws_ss_state_return_t
myss_rx(void * userobj,const uint8_t * buf,size_t len,int flags)199 myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
200 {
201 myss_t *m = (myss_t *)userobj;
202 const char *md_srv = "not set", *md_test = "not set";
203 size_t md_srv_len = 7, md_test_len = 7;
204
205 if (flags & LWSSS_FLAG_PERF_JSON) {
206 lwsl_user("%.*s\n", (int)len, (const char *)buf);
207
208 return LWSSSSRET_OK;
209 }
210
211 lws_ss_get_metadata(m->ss, "srv", (const void **)&md_srv, &md_srv_len);
212 lws_ss_get_metadata(m->ss, "test", (const void **)&md_test, &md_test_len);
213
214 lwsl_user("%s: len %d, flags: %d, srv: %.*s, test: %.*s\n", __func__,
215 (int)len, flags, (int)md_srv_len, md_srv,
216 (int)md_test_len, md_test);
217 lwsl_hexdump_info(buf, len);
218
219 /*
220 * If we received the whole message, for our example it means
221 * we are done.
222 */
223 if (flags & LWSSS_FLAG_EOM) {
224 bad = 0;
225 interrupted = 1;
226 }
227
228 return LWSSSSRET_OK;
229 }
230
231 static lws_ss_state_return_t
myss_tx(void * userobj,lws_ss_tx_ordinal_t ord,uint8_t * buf,size_t * len,int * flags)232 myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
233 int *flags)
234 {
235 //myss_t *m = (myss_t *)userobj;
236
237 /* in this example, we don't send stuff */
238
239 return LWSSSSRET_TX_DONT_SEND;
240 }
241
242 static lws_ss_state_return_t
myss_state(void * userobj,void * sh,lws_ss_constate_t state,lws_ss_tx_ordinal_t ack)243 myss_state(void *userobj, void *sh, lws_ss_constate_t state,
244 lws_ss_tx_ordinal_t ack)
245 {
246 myss_t *m = (myss_t *)userobj;
247
248 lwsl_user("%s: %s (%d), ord 0x%x\n", __func__,
249 lws_ss_state_name((int)state), state, (unsigned int)ack);
250
251 switch (state) {
252 case LWSSSCS_CREATING:
253 return lws_ss_client_connect(m->ss);
254
255 case LWSSSCS_CONNECTING:
256 lws_ss_start_timeout(m->ss, timeout_ms);
257 if (lws_ss_set_metadata(m->ss, "uptag", "myuptag123", 10))
258 /* can fail, eg due to OOM, retry later if so */
259 return LWSSSSRET_DISCONNECT_ME;
260
261 if (lws_ss_set_metadata(m->ss, "ctype", "myctype", 7))
262 /* can fail, eg due to OOM, retry later if so */
263 return LWSSSSRET_DISCONNECT_ME;
264 break;
265
266 case LWSSSCS_ALL_RETRIES_FAILED:
267 /* if we're out of retries, we want to close the app and FAIL */
268 interrupted = 1;
269 bad = 2;
270 break;
271
272 case LWSSSCS_QOS_ACK_REMOTE:
273 lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
274 break;
275
276 case LWSSSCS_TIMEOUT:
277 lwsl_notice("%s: LWSSSCS_TIMEOUT\n", __func__);
278 /* if we're out of time */
279 interrupted = 1;
280 bad = 3;
281 break;
282
283 case LWSSSCS_USER_BASE:
284 lwsl_notice("%s: LWSSSCS_USER_BASE\n", __func__);
285 break;
286
287 default:
288 break;
289 }
290
291 return LWSSSSRET_OK;
292 }
293
294 static int
app_system_state_nf(lws_state_manager_t * mgr,lws_state_notify_link_t * link,int current,int target)295 app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
296 int current, int target)
297 {
298 struct lws_context *context = lws_system_context_from_system_mgr(mgr);
299 #if !defined(LWS_SS_USE_SSPC)
300
301 lws_system_blob_t *ab = lws_system_get_blob(context,
302 LWS_SYSBLOB_TYPE_AUTH, 1 /* AUTH_IDX_ROOT */);
303 size_t size;
304 #endif
305
306 /*
307 * For the things we care about, let's notice if we are trying to get
308 * past them when we haven't solved them yet, and make the system
309 * state wait while we trigger the dependent action.
310 */
311 switch (target) {
312
313 #if !defined(LWS_SS_USE_SSPC)
314
315 /*
316 * The proxy takes responsibility for this stuff if we get things
317 * done through that
318 */
319
320 case LWS_SYSTATE_INITIALIZED: /* overlay on the hardcoded policy */
321 case LWS_SYSTATE_POLICY_VALID: /* overlay on the loaded policy */
322
323 if (target != current)
324 break;
325
326 if (force_cpd_fail_portal)
327
328 /* this makes it look like we're behind a captive portal
329 * because the overriden address does a redirect */
330
331 lws_ss_policy_overlay(context,
332 "{\"s\": [{\"captive_portal_detect\": {"
333 "\"endpoint\": \"google.com\","
334 "\"http_url\": \"/\","
335 "\"port\": 80"
336 "}}]}");
337
338 if (force_cpd_fail_no_internet)
339
340 /* this looks like no internet, because the overridden
341 * port doesn't have anything that will connect to us */
342
343 lws_ss_policy_overlay(context,
344 "{\"s\": [{\"captive_portal_detect\": {"
345 "\"endpoint\": \"warmcat.com\","
346 "\"http_url\": \"/\","
347 "\"port\": 999"
348 "}}]}");
349 break;
350
351 case LWS_SYSTATE_REGISTERED:
352 size = lws_system_blob_get_size(ab);
353 if (size)
354 break;
355
356 /* let's register our canned root token so auth can use it */
357 lws_system_blob_direct_set(ab,
358 (const uint8_t *)canned_root_token_payload,
359 strlen(canned_root_token_payload));
360 break;
361
362 #endif
363
364 case LWS_SYSTATE_OPERATIONAL:
365 if (current == LWS_SYSTATE_OPERATIONAL) {
366 lws_ss_info_t ssi;
367
368 /* We're making an outgoing secure stream ourselves */
369
370 memset(&ssi, 0, sizeof(ssi));
371 ssi.handle_offset = offsetof(myss_t, ss);
372 ssi.opaque_user_data_offset = offsetof(myss_t,
373 opaque_data);
374 ssi.rx = myss_rx;
375 ssi.tx = myss_tx;
376 ssi.state = myss_state;
377 ssi.user_alloc = sizeof(myss_t);
378 ssi.streamtype = test_respmap ? "respmap" : streamtype;
379
380 if (lws_ss_create(context, 0, &ssi, NULL, NULL,
381 NULL, NULL)) {
382 lwsl_err("%s: failed to create secure stream\n",
383 __func__);
384 return -1;
385 }
386 }
387 break;
388 }
389
390 return 0;
391 }
392
393 static lws_state_notify_link_t * const app_notifier_list[] = {
394 &nl, NULL
395 };
396
397 #if defined(LWS_WITH_SYS_METRICS)
398
399 static int
my_metric_report(lws_metric_pub_t * mp)400 my_metric_report(lws_metric_pub_t *mp)
401 {
402 lws_metric_bucket_t *sub = mp->u.hist.head;
403 char buf[192];
404
405 do {
406 if (lws_metrics_format(mp, &sub, buf, sizeof(buf)))
407 lwsl_user("%s: %s\n", __func__, buf);
408 } while ((mp->flags & LWSMTFL_REPORT_HIST) && sub);
409
410 /* 0 = leave metric to accumulate, 1 = reset the metric */
411
412 return 1;
413 }
414
415 static const lws_system_ops_t system_ops = {
416 .metric_report = my_metric_report,
417 };
418
419 #endif
420
421 static void
sigint_handler(int sig)422 sigint_handler(int sig)
423 {
424 interrupted = 1;
425 }
426
main(int argc,const char ** argv)427 int main(int argc, const char **argv)
428 {
429 struct lws_context_creation_info info;
430 struct lws_context *context;
431 int n = 0, expected = 0;
432 const char *p;
433
434 signal(SIGINT, sigint_handler);
435
436 memset(&info, 0, sizeof info);
437 lws_cmdline_option_handle_builtin(argc, argv, &info);
438
439 lwsl_user("LWS secure streams test client PERF [-d<verb>]\n");
440
441 /* these options are mutually exclusive if given */
442
443 if (lws_cmdline_option(argc, argv, "--force-portal"))
444 force_cpd_fail_portal = 1;
445
446 if (lws_cmdline_option(argc, argv, "--force-no-internet"))
447 force_cpd_fail_no_internet = 1;
448
449 if (lws_cmdline_option(argc, argv, "--respmap"))
450 test_respmap = 1;
451
452 if (lws_cmdline_option(argc, argv, "--test404"))
453 streamtype = "mintest404";
454
455 if (lws_cmdline_option(argc, argv, "--test404red"))
456 streamtype = "mintest404red";
457
458 if (lws_cmdline_option(argc, argv, "--test404redref"))
459 streamtype = "mintest404redref";
460
461 if ((p = lws_cmdline_option(argc, argv, "--timeout_ms")))
462 timeout_ms = (unsigned int)atoi(p);
463
464 info.fd_limit_per_thread = 1 + 6 + 1;
465 info.port = CONTEXT_PORT_NO_LISTEN;
466 #if defined(LWS_SS_USE_SSPC)
467 info.protocols = lws_sspc_protocols;
468 {
469 const char *p;
470
471 /* connect to ssproxy via UDS by default, else via
472 * tcp connection to this port */
473 if ((p = lws_cmdline_option(argc, argv, "-p")))
474 info.ss_proxy_port = (uint16_t)atoi(p);
475
476 /* UDS "proxy.ss.lws" in abstract namespace, else this socket
477 * path; when -p given this can specify the network interface
478 * to bind to */
479 if ((p = lws_cmdline_option(argc, argv, "-i")))
480 info.ss_proxy_bind = p;
481
482 /* if -p given, -a specifies the proxy address to connect to */
483 if ((p = lws_cmdline_option(argc, argv, "-a")))
484 info.ss_proxy_address = p;
485 }
486 #else
487 info.pss_policies_json = default_ss_policy;
488 info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
489 LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW |
490 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
491 #endif
492
493 /* integrate us with lws system state management when context created */
494
495 nl.name = "app";
496 nl.notify_cb = app_system_state_nf;
497 info.register_notifier_list = app_notifier_list;
498
499
500 #if defined(LWS_WITH_SYS_METRICS)
501 info.system_ops = &system_ops;
502 info.metrics_prefix = "ssmex";
503 #endif
504
505 /* create the context */
506
507 context = lws_create_context(&info);
508 if (!context) {
509 lwsl_err("lws init failed\n");
510 goto bail;
511 }
512
513 #if !defined(LWS_SS_USE_SSPC)
514 /*
515 * If we're being a proxied client, the proxy does all this
516 */
517
518 /*
519 * Set the related lws_system blobs
520 *
521 * ...direct_set() sets a pointer, so the thing pointed to has to have
522 * a suitable lifetime, eg, something that already exists on the heap or
523 * a const string in .rodata like this
524 */
525
526 lws_system_blob_direct_set(lws_system_get_blob(context,
527 LWS_SYSBLOB_TYPE_DEVICE_SERIAL, 0),
528 (const uint8_t *)"SN12345678", 10);
529 lws_system_blob_direct_set(lws_system_get_blob(context,
530 LWS_SYSBLOB_TYPE_DEVICE_FW_VERSION, 0),
531 (const uint8_t *)"v0.01", 5);
532
533 /*
534 * ..._heap_append() appends to a buflist kind of arrangement on heap,
535 * just one block is fine, otherwise it will concatenate the fragments
536 * in the order they were appended (and take care of freeing them at
537 * context destroy time). ..._heap_empty() is also available to remove
538 * everything that was already allocated.
539 *
540 * Here we use _heap_append() just so it's tested as well as direct set.
541 */
542
543 lws_system_blob_heap_append(lws_system_get_blob(context,
544 LWS_SYSBLOB_TYPE_DEVICE_TYPE, 0),
545 (const uint8_t *)"spacerocket", 11);
546 #endif
547
548 /* the event loop */
549
550 while (n >= 0 && !interrupted)
551 n = lws_service(context, 0);
552
553 lws_context_destroy(context);
554
555 bail:
556 if ((p = lws_cmdline_option(argc, argv, "--expected-exit")))
557 expected = atoi(p);
558
559 if (bad == expected) {
560 lwsl_user("Completed: OK (seen expected %d)\n", expected);
561 return 0;
562 } else
563 lwsl_err("Completed: failed: exit %d, expected %d\n", bad, expected);
564
565 return 1;
566 }
567