libwebsockets
Lightweight C library for HTML5 websockets
lws-secure-streams-policy.h
1 /*
2  * libwebsockets - small server side websockets and web server implementation
3  *
4  * Copyright (C) 2019 - 2021 Andy Green <andy@warmcat.com>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to
8  * deal in the Software without restriction, including without limitation the
9  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10  * sell copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22  * IN THE SOFTWARE.
23  *
24  * included from libwebsockets.h
25  */
26 
27 typedef int (*plugin_auth_status_cb)(struct lws_ss_handle *ss, int status);
28 
54 #if defined(LWS_WITH_SSPLUGINS)
55 typedef struct lws_ss_plugin {
56  struct lws_ss_plugin *next;
57  const char *name;
58  size_t alloc;
60  int (*create)(struct lws_ss_handle *ss, void *info,
61  plugin_auth_status_cb status);
67  int (*destroy)(struct lws_ss_handle *ss);
71  int (*munge)(struct lws_ss_handle *ss, char *path,
72  size_t path_len);
77 } lws_ss_plugin_t;
78 #endif
79 
80 /* the public, const metrics policy definition */
81 
82 typedef struct lws_metric_policy {
83  /* order of first two mandated by JSON policy parsing scope union */
84  const struct lws_metric_policy *next;
85  const char *name;
86 
87  const char *report;
88 
90  uint64_t us_schedule;
93  uint32_t us_decay_unit;
95  uint8_t min_contributors;
97 } lws_metric_policy_t;
98 
99 typedef struct lws_ss_x509 {
100  struct lws_ss_x509 *next;
101  const char *vhost_name;
102  const uint8_t *ca_der;
103  size_t ca_der_len;
104  uint8_t keep:1;
105 } lws_ss_x509_t;
106 
107 enum {
108  LWSSSPOLF_OPPORTUNISTIC = (1 << 0),
110  LWSSSPOLF_NAILED_UP = (1 << 1),
112  LWSSSPOLF_URGENT_TX = (1 << 2),
114  LWSSSPOLF_URGENT_RX = (1 << 3),
116  LWSSSPOLF_TLS = (1 << 4),
118  LWSSSPOLF_LONG_POLL = (1 << 5),
120  LWSSSPOLF_AUTH_BEARER = (1 << 6),
122  LWSSSPOLF_HTTP_NO_CONTENT_LENGTH = (1 << 7),
124  LWSSSPOLF_QUIRK_NGHTTP2_END_STREAM = (1 << 8),
126  LWSSSPOLF_H2_QUIRK_OVERFLOWS_TXCR = (1 << 9),
128  LWSSSPOLF_H2_QUIRK_UNCLEAN_HPACK_STATE = (1 << 10),
130  LWSSSPOLF_HTTP_MULTIPART = (1 << 11),
136  LWSSSPOLF_HTTP_X_WWW_FORM_URLENCODED = (1 << 12),
138  LWSSSPOLF_LOCAL_SINK = (1 << 13),
140  LWSSSPOLF_WAKE_SUSPEND__VALIDITY = (1 << 14),
144  LWSSSPOLF_SERVER = (1 << 15),
146  LWSSSPOLF_ALLOW_REDIRECTS = (1 << 16),
148  LWSSSPOLF_HTTP_MULTIPART_IN = (1 << 17),
151  LWSSSPOLF_ATTR_LOW_LATENCY = (1 << 18),
153  LWSSSPOLF_ATTR_HIGH_THROUGHPUT = (1 << 19),
155  LWSSSPOLF_ATTR_HIGH_RELIABILITY = (1 << 20),
157  LWSSSPOLF_ATTR_LOW_COST = (1 << 21),
159  LWSSSPOLF_PERF = (1 << 22),
161  LWSSSPOLF_DIRECT_PROTO_STR = (1 << 23),
163  LWSSSPOLF_HTTP_CACHE_COOKIES = (1 << 24),
166 };
167 
168 typedef struct lws_ss_trust_store {
169  struct lws_ss_trust_store *next;
170  const char *name;
171 
172  const lws_ss_x509_t *ssx509[6];
173  int count;
174 } lws_ss_trust_store_t;
175 
176 enum {
177  LWSSSP_H1,
178  LWSSSP_H2,
179  LWSSSP_WS,
180  LWSSSP_MQTT,
181  LWSSSP_RAW,
182 
183 
184  LWSSS_HBI_AUTH = 0,
185  LWSSS_HBI_DSN,
186  LWSSS_HBI_FWV,
187  LWSSS_HBI_TYPE,
188 
189  _LWSSS_HBI_COUNT /* always last */
190 };
191 
192 /*
193  * This does for both the static policy metadata entry, and the runtime metadata
194  * handling object.
195  */
196 
197 typedef struct lws_ss_metadata {
198  struct lws_ss_metadata *next;
199  const char *name;
200  void *value__may_own_heap;
201  size_t length;
202 
203  uint8_t value_length; /* only valid if set by policy */
204  uint8_t value_is_http_token; /* valid if set by policy */
205 #if defined(LWS_WITH_SS_DIRECT_PROTOCOL_STR)
206  uint8_t name_on_lws_heap:1; /* proxy metatadata does this */
207 #endif
208  uint8_t value_on_lws_heap:1; /* proxy + rx metadata does this */
209 #if defined(LWS_WITH_SECURE_STREAMS_PROXY_API)
210  uint8_t pending_onward:1;
211 #endif
212 } lws_ss_metadata_t;
213 
214 typedef struct lws_ss_http_respmap {
215  uint16_t resp; /* the http response code */
216  uint16_t state; /* low 16-bits of associated state */
217 } lws_ss_http_respmap_t;
218 
219 /*
220  * This is a mapping between an auth streamtype and a name and other information
221  * that can be independently instantiated. Other streamtypes can indicate they
222  * require this authentication on their connection.
223  */
224 
225 typedef struct lws_ss_auth {
226  struct lws_ss_auth *next;
227  const char *name;
228 
229  const char *type;
230  const char *streamtype;
231  uint8_t blob_index;
232 } lws_ss_auth_t;
233 
247 typedef struct lws_ss_policy {
248  struct lws_ss_policy *next;
249  const char *streamtype;
251  const char *endpoint;
252  const char *rideshare_streamtype;
255  const char *payload_fmt;
256  const char *socks5_proxy;
257  lws_ss_metadata_t *metadata; /* linked-list of metadata */
258  const lws_metric_policy_t *metrics; /* linked-list of metric policies */
259  const lws_ss_auth_t *auth; /* NULL or auth object we bind to */
260 
261  /* protocol-specific connection policy details */
262 
263  union {
264 
265 #if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2) || defined(LWS_ROLE_WS)
266 
267  /* details for http-related protocols... */
268 
269  struct {
270 
271  /* common to all http-related protocols */
272 
273  const char *method;
274  const char *url;
275 
276  const char *multipart_name;
277  const char *multipart_filename;
278  const char *multipart_content_type;
279 
280  const char *blob_header[_LWSSS_HBI_COUNT];
281  const char *auth_preamble;
282 
283  const lws_ss_http_respmap_t *respmap;
284 
285  union {
286 // struct { /* LWSSSP_H1 */
287 // } h1;
288 // struct { /* LWSSSP_H2 */
289 // } h2;
290  struct { /* LWSSSP_WS */
291  const char *subprotocol;
292  uint8_t binary;
293  /* false = TEXT, true = BINARY */
294  } ws;
295  } u;
296 
297  uint16_t resp_expect;
298  uint8_t count_respmap;
299  uint8_t fail_redirect:1;
300  } http;
301 
302 #endif
303 
304 #if defined(LWS_ROLE_MQTT)
305 
306  struct {
307  const char *topic; /* stream sends on this topic */
308  const char *subscribe; /* stream subscribes to this topic */
309 
310  const char *will_topic;
311  const char *will_message;
312 
313  uint16_t keep_alive;
314  uint8_t qos;
315  uint8_t clean_start;
316  uint8_t will_qos;
317  uint8_t will_retain;
318  uint8_t aws_iot;
319 
320  } mqtt;
321 
322 #endif
323 
324  /* details for non-http related protocols... */
325  } u;
326 
327 #if defined(LWS_WITH_SSPLUGINS)
328  const
329  struct lws_ss_plugin *plugins[2];
330  const void *plugins_info[2];
331 #endif
332 
333 #if defined(LWS_WITH_SECURE_STREAMS_AUTH_SIGV4)
334  /* directly point to the metadata name, no need to expand */
335  const char *aws_region;
336  const char *aws_service;
337 #endif
338  /*
339  * We're either a client connection policy that wants a trust store,
340  * or we're a server policy that wants a mem cert and key... Hold
341  * these mutually-exclusive things in a union.
342  */
343 
344  union {
345  const lws_ss_trust_store_t *store;
348  struct {
349  const lws_ss_x509_t *cert;
351  const lws_ss_x509_t *key;
353  } server;
354  } trust;
355 
356  const lws_retry_bo_t *retry_bo;
358  uint32_t proxy_buflen;
359  uint32_t proxy_buflen_rxflow_on_above;
360  uint32_t proxy_buflen_rxflow_off_below;
361 
362  uint32_t client_buflen;
363  uint32_t client_buflen_rxflow_on_above;
364  uint32_t client_buflen_rxflow_off_below;
365 
366 
367  uint32_t timeout_ms;
369  uint32_t flags;
371  uint16_t port;
373  uint8_t metadata_count;
374  uint8_t protocol;
375  uint8_t client_cert;
377  uint8_t priority; /* 0 = normal, 6 = max normal,
378  * 7 = network management */
379 } lws_ss_policy_t;
380 
381 #if !defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
382 
383 /*
384  * These only exist / have meaning if there's a dynamic JSON policy enabled
385  */
386 
387 LWS_VISIBLE LWS_EXTERN int
388 lws_ss_policy_parse_begin(struct lws_context *context, int overlay);
389 
390 LWS_VISIBLE LWS_EXTERN int
391 lws_ss_policy_parse_abandon(struct lws_context *context);
392 
393 LWS_VISIBLE LWS_EXTERN int
394 lws_ss_policy_parse(struct lws_context *context, const uint8_t *buf, size_t len);
395 
396 LWS_VISIBLE LWS_EXTERN int
397 lws_ss_policy_overlay(struct lws_context *context, const char *overlay);
398 
399 /*
400  * You almost certainly don't want these, they return the first policy or auth
401  * object in a linked-list of objects created by lws_ss_policy_parse above,
402  * they are exported to generate static policy with
403  */
404 LWS_VISIBLE LWS_EXTERN const lws_ss_policy_t *
405 lws_ss_policy_get(struct lws_context *context);
406 
407 LWS_VISIBLE LWS_EXTERN const lws_ss_auth_t *
408 lws_ss_auth_get(struct lws_context *context);
409 
410 #endif
lws_metric_policy
Definition: lws-secure-streams-policy.h:82
lws_metric_policy::us_decay_unit
uint32_t us_decay_unit
Definition: lws-secure-streams-policy.h:93
lws_metric_policy::min_contributors
uint8_t min_contributors
Definition: lws-secure-streams-policy.h:95
lws_metric_policy::us_schedule
uint64_t us_schedule
Definition: lws-secure-streams-policy.h:90
lws_metric_policy::report
const char * report
Definition: lws-secure-streams-policy.h:87
lws_retry_bo
Definition: lws-retry.h:25
lws_ss_auth
Definition: lws-secure-streams-policy.h:225
lws_ss_http_respmap
Definition: lws-secure-streams-policy.h:214
lws_ss_metadata
Definition: lws-secure-streams-policy.h:197
lws_ss_policy
Definition: lws-secure-streams-policy.h:247
lws_ss_policy::flags
uint32_t flags
Definition: lws-secure-streams-policy.h:369
lws_ss_policy::metadata_count
uint8_t metadata_count
Definition: lws-secure-streams-policy.h:373
lws_ss_policy::timeout_ms
uint32_t timeout_ms
Definition: lws-secure-streams-policy.h:367
lws_ss_policy::cert
const lws_ss_x509_t * cert
Definition: lws-secure-streams-policy.h:349
lws_ss_policy::streamtype
const char * streamtype
Definition: lws-secure-streams-policy.h:249
lws_ss_policy::rideshare_streamtype
const char * rideshare_streamtype
Definition: lws-secure-streams-policy.h:252
lws_ss_policy::client_cert
uint8_t client_cert
Definition: lws-secure-streams-policy.h:375
lws_ss_policy::endpoint
const char * endpoint
Definition: lws-secure-streams-policy.h:251
lws_ss_policy::store
const lws_ss_trust_store_t * store
Definition: lws-secure-streams-policy.h:345
lws_ss_policy::retry_bo
const lws_retry_bo_t * retry_bo
Definition: lws-secure-streams-policy.h:356
lws_ss_policy::port
uint16_t port
Definition: lws-secure-streams-policy.h:371
lws_ss_policy::protocol
uint8_t protocol
Definition: lws-secure-streams-policy.h:374
lws_ss_policy::client_buflen
uint32_t client_buflen
Definition: lws-secure-streams-policy.h:362
lws_ss_policy::key
const lws_ss_x509_t * key
Definition: lws-secure-streams-policy.h:351
lws_ss_policy::proxy_buflen
uint32_t proxy_buflen
Definition: lws-secure-streams-policy.h:358
lws_ss_trust_store
Definition: lws-secure-streams-policy.h:168
lws_ss_x509
Definition: lws-secure-streams-policy.h:99
lws_ss_x509::keep
uint8_t keep
Definition: lws-secure-streams-policy.h:104
lws_ss_x509::ca_der_len
size_t ca_der_len
Definition: lws-secure-streams-policy.h:103
lws_ss_x509::ca_der
const uint8_t * ca_der
Definition: lws-secure-streams-policy.h:102
lws_ss_x509::vhost_name
const char * vhost_name
Definition: lws-secure-streams-policy.h:101