[Libwebsockets] HMAC functions not exported

Andy Green andy at warmcat.com
Thu Aug 30 00:22:20 CEST 2018



On 08/29/2018 07:13 PM, Gerard Juijn wrote:
> Hi all,
> 
> I’m new to libwebsockets. First of all, thanks for a wonderful library! 
> I’m glad I found it and have been able to work with it for some weeks now.
> 
> I do have a question about the HMAC functions in lws-genhash.h. For some 
> reason they are not decorated with LWS_VISIBLE LWS_EXTERN.

Right... it's an oversight... the user for those in lws is the JSON Web 
Signature stuff for ACME, which is part of the lws build and doesn't 
require them externally VISIBLE.

I pushed patches on master + v3.0-stable fixing this... they're in the 
public API headers because they are meant to be usable externally.

> Is there a reason for this? The next problem I found that if I hack in 
> the decorations the functions actually throw an error from OpenSSL.

Well... "I got an error from OpenSSL" is not very actionable.  It can be 
(and often is, if it's related to build) about the exact version of OpenSSL.

If you configure lws with

cmake .. -DLWS_WITH_GENHASH=1 -DLWS_WITH_SELFTESTS=1 -DLWS_WITH_JWS=1

when you run eg the test server, at context creation time it will run 
the built-in lws RFC7515 selftest that uses JWK / genrsa, genhash and 
genhmac with RFC-defined inputs checked against a defined output.

https://libwebsockets.org/git/libwebsockets/tree/lib/misc/jws/jws.c#n514-642

$ libwebsockets-test-server
[2018/08/30 06:10:18:2990] NOTICE: libwebsockets test server - license 
LGPL2.1+SLE
[2018/08/30 06:10:18:2990] NOTICE: (C) Copyright 2010-2018 Andy Green 
<andy at warmcat.com>
Using resource path "/usr/local/share/libwebsockets-test-server"
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw
[2018/08/30 06:10:18:3037] NOTICE: lws_jws_selftest: selftest OK  <<<---
...

This is using Fedora 28 openssl-1.1.0h package.

If something different is coming for you, please paste what it is, 
openssl version etc.

> I ended up writing my own function using OpenSSL directly, but it would 
> be nice to just rely on libwebsockets API, as it contains everything 
> else I need!

The genhash / genhmac / genrsa stuff is especially useful because it all 
works the same with OpenSSL or mbedTLS backend transparently... if you 
ever port to a very resource-constrained device that will come in handy.

-Andy

> Thanks,
> 
> Gerard
> 
> 
> 
> _______________________________________________
> Libwebsockets mailing list
> Libwebsockets at ml.libwebsockets.org
> https://libwebsockets.org/mailman/listinfo/libwebsockets
> 



More information about the Libwebsockets mailing list