1 /*
2 * lws-minimal-secure-streams
3 *
4 * Written in 2010-2020 by Andy Green <andy@warmcat.com>
5 *
6 * This file is made available under the Creative Commons CC0 1.0
7 * Universal Public Domain Dedication.
8 *
9 *
10 * This demonstrates a minimal http client using secure streams api.
11 *
12 * It visits https://warmcat.com/ and receives the html page there.
13 *
14 * This example is built two different ways from the same source... one includes
15 * the policy everything needed to fulfil the stream directly. The other -client
16 * variant has no policy itself and some other minor init changes, and connects
17 * to the -proxy example to actually get the connection done.
18 *
19 * In the -client build case, the example does not even init the tls libraries
20 * since the proxy part will take care of all that.
21 */
22
23 #include <libwebsockets.h>
24 #include <string.h>
25 #include <signal.h>
26
27 // #define FORCE_OS_TRUST_STORE
28
29 /*
30 * uncomment to force network traffic through 127.0.0.1:1080
31 *
32 * On your local machine, you can run a SOCKS5 proxy like this
33 *
34 * $ ssh -N -D 0.0.0.0:1080 localhost -v
35 *
36 * If enabled, this also fetches a remote policy that also
37 * specifies that all traffic should go through the remote
38 * proxy.
39 */
40 // #define VIA_LOCALHOST_SOCKS
41
42 static int interrupted, bad = 1, force_cpd_fail_portal,
43 force_cpd_fail_no_internet, test_respmap, test_ots;
44 static unsigned int timeout_ms = 3000;
45 static lws_state_notify_link_t nl;
46
47 /*
48 * If the -proxy app is fulfilling our connection, then we don't need to have
49 * the policy in the client.
50 *
51 * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
52 * a Unix Domain Socket. To test that, you need to separately run the
53 * ./lws-minimal-secure-streams-proxy test app on the same machine.
54 */
55
56 #if !defined(LWS_SS_USE_SSPC)
57 static const char * const default_ss_policy =
58 "{"
59 "\"release\":" "\"01234567\","
60 "\"product\":" "\"myproduct\","
61 "\"schema-version\":" "1,"
62 #if defined(VIA_LOCALHOST_SOCKS)
63 "\"via-socks5\":" "\"127.0.0.1:1080\","
64 #endif
65
66 "\"retry\": [" /* named backoff / retry strategies */
67 "{\"default\": {"
68 "\"backoff\": [" "1000,"
69 "2000,"
70 "3000,"
71 "5000,"
72 "10000"
73 "],"
74 "\"conceal\":" "5,"
75 "\"jitterpc\":" "20,"
76 "\"svalidping\":" "30,"
77 "\"svalidhup\":" "35"
78 "}}"
79 "],"
80 "\"certs\": [" /* named individual certificates in BASE64 DER */
81 /*
82 * Let's Encrypt certs for warmcat.com / libwebsockets.org
83 *
84 * We fetch the real policy from there using SS and switch to
85 * using that.
86 */
87 #if !defined(FORCE_OS_TRUST_STORE)
88 "{\"dst_root_x3\": \""
89 "MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/"
90 "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT"
91 "DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow"
92 "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD"
93 "Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
94 "AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O"
95 "rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq"
96 "OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b"
97 "xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw"
98 "7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD"
99 "aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV"
100 "HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG"
101 "SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69"
102 "ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr"
103 "AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz"
104 "R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5"
105 "JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo"
106 "Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ"
107 "\"}"
108 #endif
109 "],"
110 "\"trust_stores\": [" /* named cert chains */
111 #if !defined(FORCE_OS_TRUST_STORE)
112 "{"
113 "\"name\": \"le_via_dst\","
114 "\"stack\": ["
115 "\"dst_root_x3\""
116 "]"
117 "}"
118 #endif
119 "],"
120 "\"s\": ["
121 /*
122 * "fetch_policy" decides from where the real policy
123 * will be fetched, if present. Otherwise the initial
124 * policy is treated as the whole, hardcoded, policy.
125 */
126 "{\"fetch_policy\": {"
127 "\"endpoint\":" "\"warmcat.com\","
128 "\"port\":" "443,"
129 "\"protocol\":" "\"h1\","
130 "\"http_method\":" "\"GET\","
131 #if defined(VIA_LOCALHOST_SOCKS)
132 "\"http_url\":" "\"policy/minimal-proxy-socks.json\","
133 #else
134 "\"http_url\":" "\"policy/minimal-proxy-v4.2-v2.json\","
135 #endif
136 "\"tls\":" "true,"
137 "\"opportunistic\":" "true,"
138 #if !defined(FORCE_OS_TRUST_STORE)
139 "\"tls_trust_store\":" "\"le_via_dst\","
140 #endif
141 "\"retry\":" "\"default\""
142 "}},{"
143 /*
144 * "captive_portal_detect" describes
145 * what to do in order to check if the path to
146 * the Internet is being interrupted by a
147 * captive portal. If there's a larger policy
148 * fetched from elsewhere, it should also include
149 * this since it needs to be done at least after
150 * every DHCP acquisition
151 */
152 "\"captive_portal_detect\": {"
153 "\"endpoint\": \"connectivitycheck.android.com\","
154 "\"http_url\": \"generate_204\","
155 "\"port\": 80,"
156 "\"protocol\": \"h1\","
157 "\"http_method\": \"GET\","
158 "\"opportunistic\": true,"
159 "\"http_expect\": 204,"
160 "\"http_fail_redirect\": true"
161 "}}"
162 "]}"
163 ;
164
165 #endif
166
167 typedef struct myss {
168 struct lws_ss_handle *ss;
169 void *opaque_data;
170 /* ... application specific state ... */
171 lws_sorted_usec_list_t sul;
172 size_t amt;
173
174 struct lws_genhash_ctx hash_ctx;
175 } myss_t;
176
177 #if !defined(LWS_SS_USE_SSPC)
178
179 static const char *canned_root_token_payload =
180 "grant_type=refresh_token"
181 "&refresh_token=Atzr|IwEBIJedGXjDqsU_vMxykqOMg"
182 "SHfYe3CPcedueWEMWSDMaDnEmiW8RlR1Kns7Cb4B-TOSnqp7ifVsY4BMY2B8tpHfO39XP"
183 "zfu9HapGjTR458IyHX44FE71pWJkGZ79uVBpljP4sazJuk8XS3Oe_yLnm_DIO6fU1nU3Y"
184 "0flYmsOiOAQE_gRk_pdlmEtHnpMA-9rLw3mkY5L89Ty9kUygBsiFaYatouROhbsTn8-jW"
185 "k1zZLUDpT6ICtBXSnrCIg0pUbZevPFhTwdXd6eX-u4rq0W-XaDvPWFO7au-iPb4Zk5eZE"
186 "iX6sissYrtNmuEXc2uHu7MnQO1hHCaTdIO2CANVumf-PHSD8xseamyh04sLV5JgFzY45S"
187 "KvKMajiUZuLkMokOx86rjC2Hdkx5DO7G-dbG1ufBDG-N79pFMSs7Ck5pc283IdLoJkCQc"
188 "AGvTX8o8I29QqkcGou-9TKhOJmpX8As94T61ok0UqqEKPJ7RhfQHHYdCtsdwxgvfVr9qI"
189 "xL_hDCcTho8opCVX-6QhJHl6SQFlTw13"
190 "&client_id="
191 "amzn1.application-oa2-client.4823334c434b4190a2b5a42c07938a2d";
192
193 #endif
194
195 /* secure streams payload interface */
196
197 static lws_ss_state_return_t
myss_rx(void * userobj,const uint8_t * buf,size_t len,int flags)198 myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
199 {
200 myss_t *m = (myss_t *)userobj;
201 const char *md_srv = "not set", *md_test = "not set";
202 size_t md_srv_len = 7, md_test_len = 7;
203
204 if (flags & LWSSS_FLAG_PERF_JSON)
205 return LWSSSSRET_OK;
206
207 lws_ss_get_metadata(m->ss, "srv", (const void **)&md_srv, &md_srv_len);
208 lws_ss_get_metadata(m->ss, "test", (const void **)&md_test, &md_test_len);
209
210 lwsl_user("%s: len %d, flags: %d, srv: %.*s, test: %.*s\n", __func__,
211 (int)len, flags, (int)md_srv_len, md_srv,
212 (int)md_test_len, md_test);
213 lwsl_hexdump_info(buf, len);
214
215 /*
216 * If we received the whole message, for our example it means
217 * we are done.
218 */
219 if (flags & LWSSS_FLAG_EOM) {
220 bad = 0;
221 interrupted = 1;
222 }
223
224 return LWSSSSRET_OK;
225 }
226
227 static lws_ss_state_return_t
myss_tx(void * userobj,lws_ss_tx_ordinal_t ord,uint8_t * buf,size_t * len,int * flags)228 myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
229 int *flags)
230 {
231 //myss_t *m = (myss_t *)userobj;
232
233 /* in this example, we don't send stuff */
234
235 return LWSSSSRET_TX_DONT_SEND;
236 }
237
238 static lws_ss_state_return_t
myss_state(void * userobj,void * sh,lws_ss_constate_t state,lws_ss_tx_ordinal_t ack)239 myss_state(void *userobj, void *sh, lws_ss_constate_t state,
240 lws_ss_tx_ordinal_t ack)
241 {
242 myss_t *m = (myss_t *)userobj;
243
244 lwsl_user("%s: %s (%d), ord 0x%x\n", __func__,
245 lws_ss_state_name((int)state), state, (unsigned int)ack);
246
247 switch (state) {
248 case LWSSSCS_CREATING:
249 return lws_ss_client_connect(m->ss);
250
251 case LWSSSCS_CONNECTING:
252 lws_ss_start_timeout(m->ss, timeout_ms);
253
254 if (lws_ss_set_metadata(m->ss, "uptag", "myuptag123", 10))
255 /* can fail, eg due to OOM, retry later if so */
256 return LWSSSSRET_DISCONNECT_ME;
257
258 if (lws_ss_set_metadata(m->ss, "ctype", "myctype", 7))
259 /* can fail, eg due to OOM, retry later if so */
260 return LWSSSSRET_DISCONNECT_ME;
261 break;
262
263 case LWSSSCS_ALL_RETRIES_FAILED:
264 /* if we're out of retries, we want to close the app and FAIL */
265 interrupted = 1;
266 bad = 2;
267 break;
268
269 case LWSSSCS_QOS_ACK_REMOTE:
270 lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
271 break;
272
273 case LWSSSCS_TIMEOUT:
274 lwsl_notice("%s: LWSSSCS_TIMEOUT\n", __func__);
275 /* if we're out of time */
276 interrupted = 1;
277 bad = 3;
278 break;
279
280 case LWSSSCS_USER_BASE:
281 lwsl_notice("%s: LWSSSCS_USER_BASE\n", __func__);
282 break;
283
284 default:
285 break;
286 }
287
288 return LWSSSSRET_OK;
289 }
290
291 static int
app_system_state_nf(lws_state_manager_t * mgr,lws_state_notify_link_t * link,int current,int target)292 app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
293 int current, int target)
294 {
295 struct lws_context *context = lws_system_context_from_system_mgr(mgr);
296 #if !defined(LWS_SS_USE_SSPC)
297
298 lws_system_blob_t *ab = lws_system_get_blob(context,
299 LWS_SYSBLOB_TYPE_AUTH, 1 /* AUTH_IDX_ROOT */);
300 size_t size;
301 #endif
302
303 /*
304 * For the things we care about, let's notice if we are trying to get
305 * past them when we haven't solved them yet, and make the system
306 * state wait while we trigger the dependent action.
307 */
308 switch (target) {
309
310 #if !defined(LWS_SS_USE_SSPC)
311
312 /*
313 * The proxy takes responsibility for this stuff if we get things
314 * done through that
315 */
316
317 case LWS_SYSTATE_INITIALIZED: /* overlay on the hardcoded policy */
318 case LWS_SYSTATE_POLICY_VALID: /* overlay on the loaded policy */
319
320 if (target != current)
321 break;
322
323 if (force_cpd_fail_portal)
324
325 /* this makes it look like we're behind a captive portal
326 * because the overriden address does a redirect */
327
328 lws_ss_policy_overlay(context,
329 "{\"s\": [{\"captive_portal_detect\": {"
330 "\"endpoint\": \"google.com\","
331 "\"http_url\": \"/\","
332 "\"port\": 80"
333 "}}]}");
334
335 if (force_cpd_fail_no_internet)
336
337 /* this looks like no internet, because the overridden
338 * port doesn't have anything that will connect to us */
339
340 lws_ss_policy_overlay(context,
341 "{\"s\": [{\"captive_portal_detect\": {"
342 "\"endpoint\": \"warmcat.com\","
343 "\"http_url\": \"/\","
344 "\"port\": 999"
345 "}}]}");
346 break;
347
348 case LWS_SYSTATE_REGISTERED:
349 size = lws_system_blob_get_size(ab);
350 if (size)
351 break;
352
353 /* let's register our canned root token so auth can use it */
354 lws_system_blob_direct_set(ab,
355 (const uint8_t *)canned_root_token_payload,
356 strlen(canned_root_token_payload));
357 break;
358
359 #endif
360
361 case LWS_SYSTATE_OPERATIONAL:
362 if (current == LWS_SYSTATE_OPERATIONAL) {
363 lws_ss_info_t ssi;
364
365 /* We're making an outgoing secure stream ourselves */
366
367 memset(&ssi, 0, sizeof(ssi));
368 ssi.handle_offset = offsetof(myss_t, ss);
369 ssi.opaque_user_data_offset = offsetof(myss_t,
370 opaque_data);
371 ssi.rx = myss_rx;
372 ssi.tx = myss_tx;
373 ssi.state = myss_state;
374 ssi.user_alloc = sizeof(myss_t);
375 ssi.streamtype = test_ots ? "mintest-ots" :
376 (test_respmap ? "respmap" : "mintest");
377
378 if (lws_ss_create(context, 0, &ssi, NULL, NULL,
379 NULL, NULL)) {
380 lwsl_err("%s: failed to create secure stream\n",
381 __func__);
382 return -1;
383 }
384 }
385 break;
386 }
387
388 return 0;
389 }
390
391 static lws_state_notify_link_t * const app_notifier_list[] = {
392 &nl, NULL
393 };
394
395 #if defined(LWS_WITH_SYS_METRICS)
396
397 static int
my_metric_report(lws_metric_pub_t * mp)398 my_metric_report(lws_metric_pub_t *mp)
399 {
400 lws_metric_bucket_t *sub = mp->u.hist.head;
401 char buf[192];
402
403 do {
404 if (lws_metrics_format(mp, &sub, buf, sizeof(buf)))
405 lwsl_user("%s: %s\n", __func__, buf);
406 } while ((mp->flags & LWSMTFL_REPORT_HIST) && sub);
407
408 /* 0 = leave metric to accumulate, 1 = reset the metric */
409
410 return 1;
411 }
412
413 static const lws_system_ops_t system_ops = {
414 .metric_report = my_metric_report,
415 };
416
417 #endif
418
419 static void
sigint_handler(int sig)420 sigint_handler(int sig)
421 {
422 interrupted = 1;
423 }
424
main(int argc,const char ** argv)425 int main(int argc, const char **argv)
426 {
427 struct lws_context_creation_info info;
428 struct lws_context *context;
429 int n = 0, expected = 0;
430 const char *p;
431
432 signal(SIGINT, sigint_handler);
433
434 memset(&info, 0, sizeof info);
435 lws_cmdline_option_handle_builtin(argc, argv, &info);
436
437 lwsl_user("LWS secure streams test client [-d<verb>]\n");
438
439 /* these options are mutually exclusive if given */
440
441 if (lws_cmdline_option(argc, argv, "--force-portal"))
442 force_cpd_fail_portal = 1;
443
444 if (lws_cmdline_option(argc, argv, "--force-no-internet"))
445 force_cpd_fail_no_internet = 1;
446
447 if (lws_cmdline_option(argc, argv, "--respmap"))
448 test_respmap = 1;
449
450 if (lws_cmdline_option(argc, argv, "--ots"))
451 /*
452 * Use a streamtype that relies on the OS trust store for
453 * validation
454 */
455 test_ots = 1;
456
457 if ((p = lws_cmdline_option(argc, argv, "--timeout_ms")))
458 timeout_ms = (unsigned int)atoi(p);
459
460 info.fd_limit_per_thread = 1 + 6 + 1;
461 info.port = CONTEXT_PORT_NO_LISTEN;
462 #if defined(LWS_SS_USE_SSPC)
463 info.protocols = lws_sspc_protocols;
464 {
465 const char *p;
466
467 /* connect to ssproxy via UDS by default, else via
468 * tcp connection to this port */
469 if ((p = lws_cmdline_option(argc, argv, "-p")))
470 info.ss_proxy_port = (uint16_t)atoi(p);
471
472 /* UDS "proxy.ss.lws" in abstract namespace, else this socket
473 * path; when -p given this can specify the network interface
474 * to bind to */
475 if ((p = lws_cmdline_option(argc, argv, "-i")))
476 info.ss_proxy_bind = p;
477
478 /* if -p given, -a specifies the proxy address to connect to */
479 if ((p = lws_cmdline_option(argc, argv, "-a")))
480 info.ss_proxy_address = p;
481 }
482 #else
483 info.pss_policies_json = default_ss_policy;
484 info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
485 LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW |
486 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
487 #endif
488
489 /* integrate us with lws system state management when context created */
490
491 nl.name = "app";
492 nl.notify_cb = app_system_state_nf;
493 info.register_notifier_list = app_notifier_list;
494
495
496 #if defined(LWS_WITH_SYS_METRICS)
497 info.system_ops = &system_ops;
498 info.metrics_prefix = "ssmex";
499 #endif
500
501 /* create the context */
502
503 context = lws_create_context(&info);
504 if (!context) {
505 lwsl_err("lws init failed\n");
506 goto bail;
507 }
508
509 #if !defined(LWS_SS_USE_SSPC)
510 /*
511 * If we're being a proxied client, the proxy does all this
512 */
513
514 /*
515 * Set the related lws_system blobs
516 *
517 * ...direct_set() sets a pointer, so the thing pointed to has to have
518 * a suitable lifetime, eg, something that already exists on the heap or
519 * a const string in .rodata like this
520 */
521
522 lws_system_blob_direct_set(lws_system_get_blob(context,
523 LWS_SYSBLOB_TYPE_DEVICE_SERIAL, 0),
524 (const uint8_t *)"SN12345678", 10);
525 lws_system_blob_direct_set(lws_system_get_blob(context,
526 LWS_SYSBLOB_TYPE_DEVICE_FW_VERSION, 0),
527 (const uint8_t *)"v0.01", 5);
528
529 /*
530 * ..._heap_append() appends to a buflist kind of arrangement on heap,
531 * just one block is fine, otherwise it will concatenate the fragments
532 * in the order they were appended (and take care of freeing them at
533 * context destroy time). ..._heap_empty() is also available to remove
534 * everything that was already allocated.
535 *
536 * Here we use _heap_append() just so it's tested as well as direct set.
537 */
538
539 lws_system_blob_heap_append(lws_system_get_blob(context,
540 LWS_SYSBLOB_TYPE_DEVICE_TYPE, 0),
541 (const uint8_t *)"spacerocket", 11);
542 #endif
543
544 /* the event loop */
545
546 while (n >= 0 && !interrupted)
547 n = lws_service(context, 0);
548
549 lws_context_destroy(context);
550
551 bail:
552 if ((p = lws_cmdline_option(argc, argv, "--expected-exit")))
553 expected = atoi(p);
554
555 if (bad == expected) {
556 lwsl_user("Completed: OK (seen expected %d)\n", expected);
557 return 0;
558 } else
559 lwsl_err("Completed: failed: exit %d, expected %d\n", bad, expected);
560
561 return 1;
562 }
563