| 1 | /* |
|---|---|
| 2 | * libwebsockets - small server side websockets and web server implementation |
| 3 | * |
| 4 | * Copyright (C) 2019 - 2021 Andy Green <andy@warmcat.com> |
| 5 | * |
| 6 | * Permission is hereby granted, free of charge, to any person obtaining a copy |
| 7 | * of this software and associated documentation files (the "Software"), to |
| 8 | * deal in the Software without restriction, including without limitation the |
| 9 | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
| 10 | * sell copies of the Software, and to permit persons to whom the Software is |
| 11 | * furnished to do so, subject to the following conditions: |
| 12 | * |
| 13 | * The above copyright notice and this permission notice shall be included in |
| 14 | * all copies or substantial portions of the Software. |
| 15 | * |
| 16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
| 21 | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
| 22 | * IN THE SOFTWARE. |
| 23 | * |
| 24 | * included from libwebsockets.h |
| 25 | */ |
| 26 | |
| 27 | typedef int (*plugin_auth_status_cb)(struct lws_ss_handle *ss, int status); |
| 28 | |
| 29 | /** |
| 30 | * lws_ss_plugin_auth_t - api for an auth plugin |
| 31 | * |
| 32 | * Auth plugins create and sequence authenticated connections that can carry one |
| 33 | * or more streams to an endpoint. That may involve other connections to other |
| 34 | * places to eg, gather authenticated tokens and then make the real connection |
| 35 | * using the tokens. |
| 36 | * |
| 37 | * The secure stream object contains members to record which auth plugin the |
| 38 | * stream is bound to and an over-allocation of the secure stream object to |
| 39 | * contain the plugin auth private data. |
| 40 | * |
| 41 | * The auth plugin controls the state of the stream connection via the status |
| 42 | * callback, and handles retries. |
| 43 | * |
| 44 | * Network connections may require one kind of auth sequencing, and streams |
| 45 | * inside those connections another kind of auth sequencing depending on their |
| 46 | * role. So the secure stream object allows defining plugins for both kinds. |
| 47 | * |
| 48 | * Streams may disappear at any time and require reauth to bring a new one up. |
| 49 | * The auth plugin sequencer will connect / reconnect either on demand, or from |
| 50 | * the start and after any connectivity loss if any stream using the connection |
| 51 | * has the LWSSSPOLF_NAILED_UP flag. |
| 52 | */ |
| 53 | |
| 54 | #if defined(LWS_WITH_SSPLUGINS) |
| 55 | typedef struct lws_ss_plugin { |
| 56 | struct lws_ss_plugin *next; |
| 57 | const char *name; /**< auth plugin name */ |
| 58 | size_t alloc; /**< size of private allocation */ |
| 59 | |
| 60 | int (*create)(struct lws_ss_handle *ss, void *info, |
| 61 | plugin_auth_status_cb status); |
| 62 | /**< called when the auth plugin is instantiated |
| 63 | and bound to the secure stream. status is |
| 64 | called back with advisory information about |
| 65 | the authenticated stream state as it |
| 66 | proceeds */ |
| 67 | int (*destroy)(struct lws_ss_handle *ss); |
| 68 | /**< called when the related secure stream is |
| 69 | being destroyed, and anything the auth |
| 70 | plugin is doing should also be destroyed */ |
| 71 | int (*munge)(struct lws_ss_handle *ss, char *path, |
| 72 | size_t path_len); |
| 73 | /**< if the plugin needs to munge transactions |
| 74 | that have metadata outside the payload (eg, |
| 75 | add http headers) this callback will give |
| 76 | it the opportunity to do so */ |
| 77 | } lws_ss_plugin_t; |
| 78 | #endif |
| 79 | |
| 80 | /* the public, const metrics policy definition */ |
| 81 | |
| 82 | typedef struct lws_metric_policy { |
| 83 | /* order of first two mandated by JSON policy parsing scope union */ |
| 84 | const struct lws_metric_policy *next; |
| 85 | const char *name; |
| 86 | |
| 87 | const char *report; |
| 88 | |
| 89 | /**< the metrics policy name in the policy, used to bind to it */ |
| 90 | uint64_t us_schedule; |
| 91 | /**< us interval between lws_system metrics api reports */ |
| 92 | |
| 93 | uint32_t us_decay_unit; |
| 94 | /**< how many us to decay avg by half, 0 = no decay */ |
| 95 | uint8_t min_contributors; |
| 96 | /**< before we can judge something is an outlier */ |
| 97 | } lws_metric_policy_t; |
| 98 | |
| 99 | typedef struct lws_ss_x509 { |
| 100 | struct lws_ss_x509 *next; |
| 101 | const char *vhost_name; /**< vhost name using cert ctx */ |
| 102 | const uint8_t *ca_der; /**< DER x.509 cert */ |
| 103 | size_t ca_der_len; /**< length of DER cert */ |
| 104 | uint8_t keep:1; /**< ie, if used in server tls */ |
| 105 | } lws_ss_x509_t; |
| 106 | |
| 107 | enum { |
| 108 | LWSSSPOLF_OPPORTUNISTIC = (1 << 0), |
| 109 | /**< the connection doesn't exist unless client asks to write */ |
| 110 | LWSSSPOLF_NAILED_UP = (1 << 1), |
| 111 | /**< the connection tries to be connected the whole life of the ss */ |
| 112 | LWSSSPOLF_URGENT_TX = (1 << 2), |
| 113 | /**< this connection carries critical tx data */ |
| 114 | LWSSSPOLF_URGENT_RX = (1 << 3), |
| 115 | /**< this connection carries critical rx data */ |
| 116 | LWSSSPOLF_TLS = (1 << 4), |
| 117 | /**< stream must be connected via a tls tunnel */ |
| 118 | LWSSSPOLF_LONG_POLL = (1 << 5), |
| 119 | /**< stream used to receive async rx at arbitrary intervals */ |
| 120 | LWSSSPOLF_AUTH_BEARER = (1 << 6), |
| 121 | /**< for http, use lws_system auth token 0 in authentication: bearer */ |
| 122 | LWSSSPOLF_HTTP_NO_CONTENT_LENGTH = (1 << 7), |
| 123 | /**< don't add any content length even if we have it */ |
| 124 | LWSSSPOLF_QUIRK_NGHTTP2_END_STREAM = (1 << 8), |
| 125 | /**< set the client flag LCCSCF_H2_QUIRK_NGHTTP2_END_STREAM */ |
| 126 | LWSSSPOLF_H2_QUIRK_OVERFLOWS_TXCR = (1 << 9), |
| 127 | /**< set the client flag LCCSCF_H2_QUIRK_OVERFLOWS_TXCR */ |
| 128 | LWSSSPOLF_H2_QUIRK_UNCLEAN_HPACK_STATE = (1 << 10), |
| 129 | /**< HPACK decoder state does not end cleanly */ |
| 130 | LWSSSPOLF_HTTP_MULTIPART = (1 << 11), |
| 131 | /**< indicates stream goes out as specifically a multipart mime POST |
| 132 | * section... if the tx has LWSSS_FLAG_COALESCE_CONTINUES flag then more |
| 133 | * multipart sections are expected. Without it, the multipart wrapper |
| 134 | * is closed and the http transaction issue completed when this message |
| 135 | * finishes. */ |
| 136 | LWSSSPOLF_HTTP_X_WWW_FORM_URLENCODED = (1 << 12), |
| 137 | /**< set up lws_system client cert */ |
| 138 | LWSSSPOLF_LOCAL_SINK = (1 << 13), |
| 139 | /**< expected to bind to a local sink only */ |
| 140 | LWSSSPOLF_WAKE_SUSPEND__VALIDITY = (1 << 14), |
| 141 | /**< this stream's idle validity checks are critical enough we |
| 142 | * should arrange to wake from suspend to perform them |
| 143 | */ |
| 144 | LWSSSPOLF_SERVER = (1 << 15), |
| 145 | /**< we listen on a socket as a server */ |
| 146 | LWSSSPOLF_ALLOW_REDIRECTS = (1 << 16), |
| 147 | /**< follow redirects */ |
| 148 | LWSSSPOLF_HTTP_MULTIPART_IN = (1 << 17), |
| 149 | /**< handle inbound multipart mime at SS level */ |
| 150 | |
| 151 | LWSSSPOLF_ATTR_LOW_LATENCY = (1 << 18), |
| 152 | /**< stream requires low latency */ |
| 153 | LWSSSPOLF_ATTR_HIGH_THROUGHPUT = (1 << 19), |
| 154 | /**< stream requires high throughput */ |
| 155 | LWSSSPOLF_ATTR_HIGH_RELIABILITY = (1 << 20), |
| 156 | /**< stream requires high reliability */ |
| 157 | LWSSSPOLF_ATTR_LOW_COST = (1 << 21), |
| 158 | /**< stream is not critical and should be handled as cheap as poss */ |
| 159 | LWSSSPOLF_PERF = (1 << 22), |
| 160 | /**< capture and report performace information */ |
| 161 | LWSSSPOLF_DIRECT_PROTO_STR = (1 << 23), |
| 162 | /**< metadata as direct protocol string, e.g. http header */ |
| 163 | LWSSSPOLF_HTTP_CACHE_COOKIES = (1 << 24), |
| 164 | /**< Record http cookies and pass them back on future requests */ |
| 165 | LWSSSPOLF_PRIORITIZE_READS = (1 << 25), |
| 166 | /**< prioritize clearing reads at expense of writes */ |
| 167 | |
| 168 | }; |
| 169 | |
| 170 | typedef struct lws_ss_trust_store { |
| 171 | struct lws_ss_trust_store *next; |
| 172 | const char *name; |
| 173 | |
| 174 | const lws_ss_x509_t *ssx509[6]; |
| 175 | int count; |
| 176 | } lws_ss_trust_store_t; |
| 177 | |
| 178 | enum { |
| 179 | LWSSSP_H1, |
| 180 | LWSSSP_H2, |
| 181 | LWSSSP_WS, |
| 182 | LWSSSP_MQTT, |
| 183 | LWSSSP_RAW, |
| 184 | |
| 185 | |
| 186 | LWSSS_HBI_AUTH = 0, |
| 187 | LWSSS_HBI_DSN, |
| 188 | LWSSS_HBI_FWV, |
| 189 | LWSSS_HBI_TYPE, |
| 190 | |
| 191 | _LWSSS_HBI_COUNT /* always last */ |
| 192 | }; |
| 193 | |
| 194 | /* |
| 195 | * This does for both the static policy metadata entry, and the runtime metadata |
| 196 | * handling object. |
| 197 | */ |
| 198 | |
| 199 | typedef struct lws_ss_metadata { |
| 200 | struct lws_ss_metadata *next; |
| 201 | const char *name; |
| 202 | void *value__may_own_heap; |
| 203 | size_t length; |
| 204 | |
| 205 | uint8_t value_length; /* only valid if set by policy */ |
| 206 | uint8_t value_is_http_token; /* valid if set by policy */ |
| 207 | #if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR) |
| 208 | uint8_t name_on_lws_heap:1; /* proxy metatadata does this */ |
| 209 | #endif |
| 210 | uint8_t value_on_lws_heap:1; /* proxy + rx metadata does this */ |
| 211 | #if defined(LWS_WITH_SECURE_STREAMS_PROXY_API) |
| 212 | uint8_t pending_onward:1; |
| 213 | #endif |
| 214 | } lws_ss_metadata_t; |
| 215 | |
| 216 | typedef struct lws_ss_http_respmap { |
| 217 | uint16_t resp; /* the http response code */ |
| 218 | uint16_t state; /* low 16-bits of associated state */ |
| 219 | } lws_ss_http_respmap_t; |
| 220 | |
| 221 | /* |
| 222 | * This is a mapping between an auth streamtype and a name and other information |
| 223 | * that can be independently instantiated. Other streamtypes can indicate they |
| 224 | * require this authentication on their connection. |
| 225 | */ |
| 226 | |
| 227 | typedef struct lws_ss_auth { |
| 228 | struct lws_ss_auth *next; |
| 229 | const char *name; |
| 230 | |
| 231 | const char *type; |
| 232 | const char *streamtype; |
| 233 | uint8_t blob_index; |
| 234 | } lws_ss_auth_t; |
| 235 | |
| 236 | /** |
| 237 | * lws_ss_policy_t: policy database entry for a stream type |
| 238 | * |
| 239 | * Decides the system policy for how to implement connections of name |
| 240 | * .streamtype. |
| 241 | * |
| 242 | * Streams may need one kind of auth sequencing for the network connection and |
| 243 | * another kind of auth sequencing for the streams that are carried inside it, |
| 244 | * this is the purpose of .nauth and .sauth. Both are optional and may be NULL. |
| 245 | * |
| 246 | * An array of these is set at context creation time, ending with one with a |
| 247 | * NULL streamtype. |
| 248 | */ |
| 249 | typedef struct lws_ss_policy { |
| 250 | struct lws_ss_policy *next; |
| 251 | const char *streamtype; /**< stream type lhs to match on */ |
| 252 | |
| 253 | const char *endpoint; /**< DNS address to connect to */ |
| 254 | const char *rideshare_streamtype; /**< optional transport |
| 255 | * on another, preexisting stream of this |
| 256 | * streamtype name */ |
| 257 | const char *payload_fmt; |
| 258 | const char *socks5_proxy; |
| 259 | lws_ss_metadata_t *metadata; /* linked-list of metadata */ |
| 260 | const lws_metric_policy_t *metrics; /* linked-list of metric policies */ |
| 261 | const lws_ss_auth_t *auth; /* NULL or auth object we bind to */ |
| 262 | |
| 263 | /* protocol-specific connection policy details */ |
| 264 | |
| 265 | union { |
| 266 | |
| 267 | #if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2) || defined(LWS_ROLE_WS) |
| 268 | |
| 269 | /* details for http-related protocols... */ |
| 270 | |
| 271 | struct { |
| 272 | |
| 273 | /* common to all http-related protocols */ |
| 274 | |
| 275 | const char *method; |
| 276 | const char *url; |
| 277 | |
| 278 | const char *multipart_name; |
| 279 | const char *multipart_filename; |
| 280 | const char *multipart_content_type; |
| 281 | |
| 282 | const char *blob_header[_LWSSS_HBI_COUNT]; |
| 283 | const char *auth_preamble; |
| 284 | |
| 285 | const lws_ss_http_respmap_t *respmap; |
| 286 | |
| 287 | union { |
| 288 | // struct { /* LWSSSP_H1 */ |
| 289 | // } h1; |
| 290 | // struct { /* LWSSSP_H2 */ |
| 291 | // } h2; |
| 292 | struct { /* LWSSSP_WS */ |
| 293 | const char *subprotocol; |
| 294 | uint8_t binary; |
| 295 | /* false = TEXT, true = BINARY */ |
| 296 | } ws; |
| 297 | } u; |
| 298 | |
| 299 | uint16_t resp_expect; |
| 300 | uint8_t count_respmap; |
| 301 | uint8_t fail_redirect:1; |
| 302 | } http; |
| 303 | |
| 304 | #endif |
| 305 | |
| 306 | #if defined(LWS_ROLE_MQTT) |
| 307 | |
| 308 | struct { |
| 309 | const char *topic; /* stream sends on this topic */ |
| 310 | const char *subscribe; /* stream subscribes to this topic */ |
| 311 | |
| 312 | const char *will_topic; |
| 313 | const char *will_message; |
| 314 | |
| 315 | const char *birth_topic; |
| 316 | const char *birth_message; |
| 317 | |
| 318 | uint16_t keep_alive; |
| 319 | uint8_t qos; |
| 320 | uint8_t clean_start; |
| 321 | uint8_t will_qos; |
| 322 | uint8_t will_retain; |
| 323 | uint8_t birth_qos; |
| 324 | uint8_t birth_retain; |
| 325 | uint8_t aws_iot; |
| 326 | uint8_t retain; |
| 327 | |
| 328 | } mqtt; |
| 329 | |
| 330 | #endif |
| 331 | |
| 332 | /* details for non-http related protocols... */ |
| 333 | } u; |
| 334 | |
| 335 | #if defined(LWS_WITH_SSPLUGINS) |
| 336 | const |
| 337 | struct lws_ss_plugin *plugins[2]; /**< NULL or auth plugin */ |
| 338 | const void *plugins_info[2]; /**< plugin-specific data */ |
| 339 | #endif |
| 340 | |
| 341 | #if defined(LWS_WITH_SECURE_STREAMS_AUTH_SIGV4) |
| 342 | /* directly point to the metadata name, no need to expand */ |
| 343 | const char *aws_region; |
| 344 | const char *aws_service; |
| 345 | #endif |
| 346 | /* |
| 347 | * We're either a client connection policy that wants a trust store, |
| 348 | * or we're a server policy that wants a mem cert and key... Hold |
| 349 | * these mutually-exclusive things in a union. |
| 350 | */ |
| 351 | |
| 352 | union { |
| 353 | const lws_ss_trust_store_t *store; |
| 354 | /**< CA certs needed for conn validation, only set between |
| 355 | * policy parsing and vhost creation */ |
| 356 | struct { |
| 357 | const lws_ss_x509_t *cert; |
| 358 | /**< the server's signed cert with the pubkey */ |
| 359 | const lws_ss_x509_t *key; |
| 360 | /**< the server's matching private key */ |
| 361 | } server; |
| 362 | } trust; |
| 363 | |
| 364 | const lws_retry_bo_t *retry_bo; /**< retry policy to use */ |
| 365 | |
| 366 | uint32_t proxy_buflen; /**< max dsh alloc for proxy */ |
| 367 | uint32_t proxy_buflen_rxflow_on_above; |
| 368 | uint32_t proxy_buflen_rxflow_off_below; |
| 369 | |
| 370 | uint32_t client_buflen; /**< max dsh alloc for client */ |
| 371 | uint32_t client_buflen_rxflow_on_above; |
| 372 | uint32_t client_buflen_rxflow_off_below; |
| 373 | |
| 374 | |
| 375 | uint32_t timeout_ms; /**< default message response |
| 376 | * timeout in ms */ |
| 377 | uint32_t flags; /**< stream attribute flags */ |
| 378 | |
| 379 | uint16_t port; /**< endpoint port */ |
| 380 | |
| 381 | uint8_t metadata_count; /**< metadata count */ |
| 382 | uint8_t protocol; /**< protocol index */ |
| 383 | uint8_t client_cert; /**< which client cert to apply |
| 384 | 0 = none, 1+ = cc 0+ */ |
| 385 | uint8_t priority; /* 0 = normal, 6 = max normal, |
| 386 | * 7 = network management */ |
| 387 | } lws_ss_policy_t; |
| 388 | |
| 389 | #if !defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY) |
| 390 | |
| 391 | /* |
| 392 | * These only exist / have meaning if there's a dynamic JSON policy enabled |
| 393 | */ |
| 394 | |
| 395 | LWS_VISIBLE LWS_EXTERN int |
| 396 | lws_ss_policy_parse_begin(struct lws_context *context, int overlay); |
| 397 | |
| 398 | LWS_VISIBLE LWS_EXTERN int |
| 399 | lws_ss_policy_parse_abandon(struct lws_context *context); |
| 400 | |
| 401 | LWS_VISIBLE LWS_EXTERN int |
| 402 | lws_ss_policy_parse(struct lws_context *context, const uint8_t *buf, size_t len); |
| 403 | |
| 404 | LWS_VISIBLE LWS_EXTERN int |
| 405 | lws_ss_policy_overlay(struct lws_context *context, const char *overlay); |
| 406 | |
| 407 | /* |
| 408 | * You almost certainly don't want these, they return the first policy or auth |
| 409 | * object in a linked-list of objects created by lws_ss_policy_parse above, |
| 410 | * they are exported to generate static policy with |
| 411 | */ |
| 412 | LWS_VISIBLE LWS_EXTERN const lws_ss_policy_t * |
| 413 | lws_ss_policy_get(struct lws_context *context); |
| 414 | |
| 415 | LWS_VISIBLE LWS_EXTERN const lws_ss_auth_t * |
| 416 | lws_ss_auth_get(struct lws_context *context); |
| 417 | |
| 418 | #endif |
| 419 |
Generated while processing DDNet/engine/shared/websockets.cpp
Generated on 2024-Jul-05 from project include
Powered by 
Code Browser 2.1
Generator usage only permitted with license.