1 /*
2 * Policy fetching for Secure Streams
3 *
4 * libwebsockets - small server side websockets and web server implementation
5 *
6 * Copyright (C) 2019 - 2020 Andy Green <andy@warmcat.com>
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to
10 * deal in the Software without restriction, including without limitation the
11 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
12 * sell copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
23 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
24 * IN THE SOFTWARE.
25 */
26
27 #include <private-lib-core.h>
28
29 typedef struct ss_fetch_policy {
30 struct lws_ss_handle *ss;
31 void *opaque_data;
32 /* ... application specific state ... */
33
34 lws_sorted_usec_list_t sul;
35
36 uint8_t partway;
37 } ss_fetch_policy_t;
38
39 /* secure streams payload interface */
40
41 static int
ss_fetch_policy_rx(void * userobj,const uint8_t * buf,size_t len,int flags)42 ss_fetch_policy_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
43 {
44 ss_fetch_policy_t *m = (ss_fetch_policy_t *)userobj;
45 struct lws_context *context = (struct lws_context *)m->opaque_data;
46
47 if (flags & LWSSS_FLAG_SOM) {
48 if (lws_ss_policy_parse_begin(context))
49 return 1;
50 m->partway = 1;
51 }
52
53 if (len && lws_ss_policy_parse(context, buf, len) < 0)
54 return 1;
55
56 if (flags & LWSSS_FLAG_EOM)
57 m->partway = 2;
58
59 return 0;
60 }
61
62 static int
ss_fetch_policy_tx(void * userobj,lws_ss_tx_ordinal_t ord,uint8_t * buf,size_t * len,int * flags)63 ss_fetch_policy_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf,
64 size_t *len, int *flags)
65 {
66 return 1;
67 }
68
69 static void
policy_set(lws_sorted_usec_list_t * sul)70 policy_set(lws_sorted_usec_list_t *sul)
71 {
72 ss_fetch_policy_t *m = lws_container_of(sul, ss_fetch_policy_t, sul);
73 struct lws_context *context = (struct lws_context *)m->opaque_data;
74
75 /*
76 * We get called if the policy parse was successful, just after the
77 * ss connection close that was using the vhost from the old policy
78 */
79
80 if (lws_ss_policy_set(context, "updated"))
81 lwsl_err("%s: policy set failed\n", __func__);
82 else {
83 context->policy_updated = 1;
84 lws_state_transition_steps(&context->mgr_system,
85 LWS_SYSTATE_OPERATIONAL);
86 }
87 }
88
89 static int
ss_fetch_policy_state(void * userobj,void * sh,lws_ss_constate_t state,lws_ss_tx_ordinal_t ack)90 ss_fetch_policy_state(void *userobj, void *sh, lws_ss_constate_t state,
91 lws_ss_tx_ordinal_t ack)
92 {
93 ss_fetch_policy_t *m = (ss_fetch_policy_t *)userobj;
94 struct lws_context *context = (struct lws_context *)m->opaque_data;
95
96 lwsl_info("%s: %s, ord 0x%x\n", __func__, lws_ss_state_name(state),
97 (unsigned int)ack);
98
99 switch (state) {
100 case LWSSSCS_CREATING:
101 lws_ss_request_tx(m->ss);
102 break;
103 case LWSSSCS_CONNECTING:
104 break;
105
106 case LWSSSCS_DISCONNECTED:
107 lwsl_info("%s: DISCONNECTED\n", __func__);
108 switch (m->partway) {
109 case 1:
110 lws_ss_policy_parse_abandon(context);
111 break;
112
113 case 2:
114 lws_sul_schedule(context, 0, &m->sul, policy_set, 1);
115 break;
116 }
117 m->partway = 0;
118 break;
119
120 default:
121 break;
122 }
123
124 return 0;
125 }
126
127 int
lws_ss_sys_fetch_policy(struct lws_context * context)128 lws_ss_sys_fetch_policy(struct lws_context *context)
129 {
130 lws_ss_info_t ssi;
131
132 if (context->hss_fetch_policy) /* already exists */
133 return 0;
134
135 /* We're making an outgoing secure stream ourselves */
136
137 memset(&ssi, 0, sizeof(ssi));
138 ssi.handle_offset = offsetof(ss_fetch_policy_t, ss);
139 ssi.opaque_user_data_offset = offsetof(ss_fetch_policy_t, opaque_data);
140 ssi.rx = ss_fetch_policy_rx;
141 ssi.tx = ss_fetch_policy_tx;
142 ssi.state = ss_fetch_policy_state;
143 ssi.user_alloc = sizeof(ss_fetch_policy_t);
144 ssi.streamtype = "fetch_policy";
145
146 if (lws_ss_create(context, 0, &ssi, context, &context->hss_fetch_policy,
147 NULL, NULL)) {
148 /*
149 * If there's no fetch_policy streamtype, it can just be we're
150 * running on a proxied client with no policy of its own,
151 * it's OK.
152 */
153 lwsl_info("%s: Create LWA auth ss failed (policy?)\n", __func__);
154
155 return 1;
156 }
157
158 return 0;
159 }
160