1 /*
2  * lws-minimal-secure-streams-metadata
3  *
4  * Written in 2010-2020 by Andy Green <andy@warmcat.com>
5  *
6  * This file is made available under the Creative Commons CC0 1.0
7  * Universal Public Domain Dedication.
8  *
9  *
10  * This demonstrates a minimal http client using secure streams api.
11  *
12  * It visits https://warmcat.com/ and receives the html page there.
13  *
14  * This example is built two different ways from the same source... one includes
15  * the policy everything needed to fulfil the stream directly.  The other -client
16  * variant has no policy itself and some other minor init changes, and connects
17  * to the -proxy example to actually get the connection done.
18  *
19  * In the -client build case, the example does not even init the tls libraries
20  * since the proxy part will take care of all that.
21  */
22 
23 #include <libwebsockets.h>
24 #include <string.h>
25 #include <signal.h>
26 
27 /*
28  * uncomment to force network traffic through 127.0.0.1:1080
29  *
30  * On your local machine, you can run a SOCKS5 proxy like this
31  *
32  * $ ssh -N -D 0.0.0.0:1080 localhost -v
33  *
34  * If enabled, this also fetches a remote policy that also
35  * specifies that all traffic should go through the remote
36  * proxy.
37  */
38 // #define VIA_LOCALHOST_SOCKS
39 
40 static int interrupted, bad = 1, force_cpd_fail_portal,
41 	   force_cpd_fail_no_internet;
42 static lws_state_notify_link_t nl;
43 
44 /*
45  * If the -proxy app is fulfilling our connection, then we don't need to have
46  * the policy in the client.
47  *
48  * When we build with LWS_SS_USE_SSPC, the apis hook up to a proxy process over
49  * a Unix Domain Socket.  To test that, you need to separately run the
50  * ./lws-minimal-secure-streams-proxy test app on the same machine.
51  */
52 
53 #if !defined(LWS_SS_USE_SSPC)
54 static const char * const default_ss_policy =
55 	"{"
56 	  "\"release\":"			"\"01234567\","
57 	  "\"product\":"			"\"myproduct\","
58 	  "\"schema-version\":"			"1,"
59 #if defined(VIA_LOCALHOST_SOCKS)
60 	  "\"via-socks5\":"                     "\"127.0.0.1:1080\","
61 #endif
62 
63 	  "\"retry\": ["	/* named backoff / retry strategies */
64 		"{\"default\": {"
65 			"\"backoff\": ["	 "1000,"
66 						 "2000,"
67 						 "3000,"
68 						 "5000,"
69 						"10000"
70 				"],"
71 			"\"conceal\":"		"5,"
72 			"\"jitterpc\":"		"20,"
73 			"\"svalidping\":"	"30,"
74 			"\"svalidhup\":"	"35"
75 		"}}"
76 	  "],"
77 	  "\"certs\": [" /* named individual certificates in BASE64 DER */
78 		/*
79 		 * Let's Encrypt certs for warmcat.com / libwebsockets.org
80 		 *
81 		 * We fetch the real policy from there using SS and switch to
82 		 * using that.
83 		 */
84 		"{\"isrg_root_x1\": \"" /* ISRG ROOT X1 */
85 	"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw"
86 	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
87 	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4"
88 	"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu"
89 	"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY"
90 	"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc"
91 	"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+"
92 	"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U"
93 	"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW"
94 	"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH"
95 	"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC"
96 	"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv"
97 	"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn"
98 	"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn"
99 	"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw"
100 	"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI"
101 	"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV"
102 	"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq"
103 	"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL"
104 	"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ"
105 	"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK"
106 	"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5"
107 	"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur"
108 	"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC"
109 	"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc"
110 	"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq"
111 	"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA"
112 	"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d"
113 	"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc="
114 		"\"},"
115 		"{\"LEX3_isrg_root_x1\": \"" /* LE X3 signed by ISRG X1 root */
116 	"MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw"
117 	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh"
118 	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1"
119 	"WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg"
120 	"RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi"
121 	"MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX"
122 	"NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf"
123 	"89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl"
124 	"Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc"
125 	"Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz"
126 	"uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB"
127 	"AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU"
128 	"BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB"
129 	"FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo"
130 	"SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js"
131 	"LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF"
132 	"BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG"
133 	"AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD"
134 	"VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB"
135 	"ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx"
136 	"A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM"
137 	"UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2"
138 	"DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1"
139 	"eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu"
140 	"OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw"
141 	"p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY"
142 	"2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0"
143 	"ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR"
144 	"PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b"
145 	"rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt"
146 		"\"}"
147 	  "],"
148 	  "\"trust_stores\": [" /* named cert chains */
149 		"{"
150 			"\"name\": \"le_via_isrg\","
151 			"\"stack\": ["
152 				"\"isrg_root_x1\","
153 				"\"LEX3_isrg_root_x1\""
154 			"]"
155 		"}"
156 	  "],"
157 	  "\"s\": ["
158 		"{\"mintest\": {"
159 			"\"endpoint\":"		"\"${servername}\","
160 			"\"port\":"		"443,"
161 			"\"protocol\":"		"\"h1\","
162 			"\"http_method\":"	"\"GET\","
163 			"\"http_url\":"		"\"\","
164 			"\"tls\":"		"true,"
165 			"\"opportunistic\":"	"true,"
166 			"\"retry\":"		"\"default\","
167 			"\"tls_trust_store\":"	"\"le_via_isrg\","
168 			"\"metadata\": ["
169 				"{\"servername\": \"\"}"
170 			"]"
171 		"}}"
172 	"]}"
173 ;
174 
175 #endif
176 
177 typedef struct myss {
178 	struct lws_ss_handle 		*ss;
179 	void				*opaque_data;
180 	/* ... application specific state ... */
181 	lws_sorted_usec_list_t		sul;
182 } myss_t;
183 
184 /* secure streams payload interface */
185 
186 static int
myss_rx(void * userobj,const uint8_t * buf,size_t len,int flags)187 myss_rx(void *userobj, const uint8_t *buf, size_t len, int flags)
188 {
189 //	myss_t *m = (myss_t *)userobj;
190 
191 	lwsl_user("%s: len %d, flags: %d\n", __func__, (int)len, flags);
192 	lwsl_hexdump_info(buf, len);
193 
194 	/*
195 	 * If we received the whole message, for our example it means
196 	 * we are done.
197 	 */
198 	if (flags & LWSSS_FLAG_EOM) {
199 		bad = 0;
200 		interrupted = 1;
201 	}
202 
203 	return 0;
204 }
205 
206 static int
myss_tx(void * userobj,lws_ss_tx_ordinal_t ord,uint8_t * buf,size_t * len,int * flags)207 myss_tx(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf, size_t *len,
208 	int *flags)
209 {
210 	//myss_t *m = (myss_t *)userobj;
211 
212 	return 0;
213 }
214 
215 static int
myss_state(void * userobj,void * sh,lws_ss_constate_t state,lws_ss_tx_ordinal_t ack)216 myss_state(void *userobj, void *sh, lws_ss_constate_t state,
217 	   lws_ss_tx_ordinal_t ack)
218 {
219 	myss_t *m = (myss_t *)userobj;
220 
221 	lwsl_user("%s: %s, ord 0x%x\n", __func__, lws_ss_state_name(state),
222 		  (unsigned int)ack);
223 
224 	switch (state) {
225 	case LWSSSCS_CREATING:
226 		lws_ss_set_metadata(m->ss, "servername", "warmcat.com", 11);
227 		lws_ss_client_connect(m->ss);
228 		break;
229 	case LWSSSCS_ALL_RETRIES_FAILED:
230 		/* if we're out of retries, we want to close the app and FAIL */
231 		interrupted = 1;
232 		break;
233 	case LWSSSCS_QOS_ACK_REMOTE:
234 		lwsl_notice("%s: LWSSSCS_QOS_ACK_REMOTE\n", __func__);
235 		break;
236 	default:
237 		break;
238 	}
239 
240 	return 0;
241 }
242 
243 static int
app_system_state_nf(lws_state_manager_t * mgr,lws_state_notify_link_t * link,int current,int target)244 app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
245 		    int current, int target)
246 {
247 	struct lws_context *context = lws_system_context_from_system_mgr(mgr);
248 
249 	/*
250 	 * For the things we care about, let's notice if we are trying to get
251 	 * past them when we haven't solved them yet, and make the system
252 	 * state wait while we trigger the dependent action.
253 	 */
254 	switch (target) {
255 
256 	case LWS_SYSTATE_OPERATIONAL:
257 		if (current == LWS_SYSTATE_OPERATIONAL) {
258 			lws_ss_info_t ssi;
259 
260 			/* We're making an outgoing secure stream ourselves */
261 
262 			memset(&ssi, 0, sizeof(ssi));
263 			ssi.handle_offset = offsetof(myss_t, ss);
264 			ssi.opaque_user_data_offset = offsetof(myss_t,
265 							       opaque_data);
266 			ssi.rx = myss_rx;
267 			ssi.tx = myss_tx;
268 			ssi.state = myss_state;
269 			ssi.user_alloc = sizeof(myss_t);
270 			ssi.streamtype = "mintest";
271 
272 			if (lws_ss_create(context, 0, &ssi, NULL, NULL,
273 					  NULL, NULL)) {
274 				lwsl_err("%s: failed to create secure stream\n",
275 					 __func__);
276 				return -1;
277 			}
278 		}
279 		break;
280 	}
281 
282 	return 0;
283 }
284 
285 static lws_state_notify_link_t * const app_notifier_list[] = {
286 	&nl, NULL
287 };
288 
289 static void
sigint_handler(int sig)290 sigint_handler(int sig)
291 {
292 	interrupted = 1;
293 }
294 
main(int argc,const char ** argv)295 int main(int argc, const char **argv)
296 {
297 	struct lws_context_creation_info info;
298 	struct lws_context *context;
299 	int n = 0;
300 
301 	signal(SIGINT, sigint_handler);
302 
303 	memset(&info, 0, sizeof info);
304 	lws_cmdline_option_handle_builtin(argc, argv, &info);
305 
306 	lwsl_user("LWS secure streams test client [-d<verb>]\n");
307 
308 	/* these options are mutually exclusive if given */
309 
310 	if (lws_cmdline_option(argc, argv, "--force-portal"))
311 		force_cpd_fail_portal = 1;
312 
313 	if (lws_cmdline_option(argc, argv, "--force-no-internet"))
314 		force_cpd_fail_no_internet = 1;
315 
316 	info.fd_limit_per_thread = 1 + 6 + 1;
317 	info.port = CONTEXT_PORT_NO_LISTEN;
318 
319 #if defined(LWS_SS_USE_SSPC)
320 	info.protocols = lws_sspc_protocols;
321 	{
322 		const char *p;
323 
324 		/* connect to ssproxy via UDS by default, else via
325 		 * tcp connection to this port */
326 		if ((p = lws_cmdline_option(argc, argv, "-p")))
327 			info.ss_proxy_port = atoi(p);
328 
329 		/* UDS "proxy.ss.lws" in abstract namespace, else this socket
330 		 * path; when -p given this can specify the network interface
331 		 * to bind to */
332 		if ((p = lws_cmdline_option(argc, argv, "-i")))
333 			info.ss_proxy_bind = p;
334 
335 		/* if -p given, -a specifies the proxy address to connect to */
336 		if ((p = lws_cmdline_option(argc, argv, "-a")))
337 			info.ss_proxy_address = p;
338 	}
339 #else
340 	info.pss_policies_json = default_ss_policy;
341 	info.options = LWS_SERVER_OPTION_EXPLICIT_VHOSTS |
342 		       LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
343 #endif
344 
345 	/* integrate us with lws system state management when context created */
346 
347 	nl.name = "app";
348 	nl.notify_cb = app_system_state_nf;
349 	info.register_notifier_list = app_notifier_list;
350 
351 	/* create the context */
352 
353 	context = lws_create_context(&info);
354 	if (!context) {
355 		lwsl_err("lws init failed\n");
356 		return 1;
357 	}
358 
359 
360 	/* the event loop */
361 
362 	while (n >= 0 && !interrupted)
363 		n = lws_service(context, 0);
364 
365 	lws_context_destroy(context);
366 
367 	lwsl_user("Completed: %s\n", bad ? "failed" : "OK");
368 
369 	return bad;
370 }
371