x

Author: lws-team

.sai.json

@@ -262,14 +262,15 @@
 			"platforms":	"none, coverity/x86_64/gcc",
 			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
 			"branches":	"coverity"
-		},
-		# awkward, we also want to test mbedtls, but coverity blocks on SSL build needing manual intervention
-		"coverity-mbedtls": {
-			"cmake":	"-DLWS_WITH_MBEDTLS=1 -DLWS_WITHOUT_EXTENSIONS=0 -DLWS_WITH_CGI=1 -DLWS_IPV6=1 -DLWS_WITH_HTTP_PROXY=1 -DLWS_WITH_RANGES=1 -DLWS_WITH_THREADPOOL=1 -DLWS_WITH_CBOR=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_COSE=1 -DLWS_WITH_SYS_DHCP_CLIENT=1 -DLWS_WITH_FTS=1 -DLWS_WITH_STRUCT_SQLITE3=1 -DLWS_ROLE_DBUS=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_ASYNC_DNS_DNSSEC=1 -DLWS_WITH_WEBRTC=1 -DLWS_WITH_DHT=1  -DLWS_WITH_ASYNC_QUEUE=1 -DLWS_WITH_SYS_FAULT_INJECTION=1 -DLWS_WITH_TLS_JIT_TRUST=1 -DLWS_ROLE_MQTT=1 -DLWS_ROLE_RAW_PROXY=1 -DLWS_WITH_EVENT_LIBS=1 -DLWS_WITH_LIBUV=1 -DLWS_WITH_STRUCT_JSON=1 -DLWS_WITH_LWS_DSH=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1",
-			"platforms":	"none, coverity/x86_64/gcc",
-			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
-			"branches":	"coverity"
 		}
+#		,
+		# awkward, we also want to test mbedtls, but coverity blocks on SSL build needing manual intervention
+#		"coverity-mbedtls": {
+#			"cmake":	"-DLWS_WITH_MBEDTLS=1 -DLWS_WITHOUT_EXTENSIONS=0 -DLWS_WITH_CGI=1 -DLWS_IPV6=1 -DLWS_WITH_HTTP_PROXY=1 -DLWS_WITH_RANGES=1 -DLWS_WITH_THREADPOOL=1 -DLWS_WITH_CBOR=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_COSE=1 -DLWS_WITH_SYS_DHCP_CLIENT=1 -DLWS_WITH_FTS=1 -DLWS_WITH_STRUCT_SQLITE3=1 -DLWS_ROLE_DBUS=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_ASYNC_DNS_DNSSEC=1 -DLWS_WITH_WEBRTC=1 -DLWS_WITH_DHT=1  -DLWS_WITH_ASYNC_QUEUE=1 -DLWS_WITH_SYS_FAULT_INJECTION=1 -DLWS_WITH_TLS_JIT_TRUST=1 -DLWS_ROLE_MQTT=1 -DLWS_ROLE_RAW_PROXY=1 -DLWS_WITH_EVENT_LIBS=1 -DLWS_WITH_LIBUV=1 -DLWS_WITH_STRUCT_JSON=1 -DLWS_WITH_LWS_DSH=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1",
+#			"platforms":	"none, coverity/x86_64/gcc",
+#			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
+#			"branches":	"coverity"
+#		}
 
 	}
 }

cmake/lws_config.h.in

@@ -67,6 +67,7 @@
 #cmakedefine LWS_HAVE_MALLOC_TRIM
 #cmakedefine LWS_HAVE_MALLOC_USABLE_SIZE
 #cmakedefine LWS_HAVE_mbedtls_md_setup
+#cmakedefine LWS_HAVE_mbedtls_ssl_export_keying_material
 #cmakedefine LWS_HAVE_mbedtls_net_init
 #cmakedefine LWS_HAVE_mbedtls_rsa_complete
 #cmakedefine LWS_HAVE_mbedtls_internal_aes_encrypt

lib/CMakeLists.txt

@@ -144,8 +144,6 @@ list(APPEND LWS_LIB_BUILD_INC_PATHS_TEMP ${CMAKE_CURRENT_SOURCE_DIR}/system)
 list(APPEND LWS_LIB_BUILD_INC_PATHS_TEMP ${CMAKE_CURRENT_SOURCE_DIR}/media)
 add_subdirectory(core)
 add_subdirectory(misc)
-add_subdirectory(media)
-
 if (LWS_WITH_TRANSCODE)
 	set_source_files_properties(media/transcode/transcode.c PROPERTIES COMPILE_FLAGS "-Wno-conversion -Wno-sign-conversion")
 endif()
@@ -240,6 +238,8 @@ endif()
 list(APPEND LWS_LIB_BUILD_INC_PATHS_TEMP ${CMAKE_CURRENT_SOURCE_DIR}/secure-streams/serialized/client)
 add_subdirectory(secure-streams/serialized/client)
 
+add_subdirectory(media)
+
 if (LWS_WITH_STATIC)
     if (LWS_STATIC_PIC)
         set(CMAKE_POSITION_INDEPENDENT_CODE ON)

lib/tls/CMakeLists.txt

@@ -473,6 +473,7 @@ if (LWS_WITH_MBEDTLS)
 		set(LWS_HAVE_mbedtls_md_setup 1 CACHE BOOL x) # not on xenial 2.2
 		set(LWS_HAVE_mbedtls_rsa_complete 1 CACHE BOOL x) # not on xenial 2.2
 		set(LWS_HAVE_mbedtls_internal_aes_encrypt 1 CACHE BOOL x) # not on xenial 2.2
+		set(LWS_HAVE_mbedtls_ssl_export_keying_material 1 CACHE BOOL x)
 	else()
 		CHECK_C_SOURCE_COMPILES("#include <mbedtls/x509_crt.h>\nint main(void) { struct mbedtls_x509_crt c; c.authority_key_id.keyIdentifier.tag = MBEDTLS_ASN1_OCTET_STRING; return c.authority_key_id.keyIdentifier.tag; }\n" LWS_HAVE_MBEDTLS_AUTH_KEY_ID)
 		CHECK_C_SOURCE_COMPILES("#include <mbedtls/ssl.h>\nint main(void) { void *v = (void *)mbedtls_ssl_set_verify; return !!v; }\n" LWS_HAVE_mbedtls_ssl_set_verify)
@@ -489,6 +490,7 @@ if (LWS_WITH_MBEDTLS)
 		CHECK_FUNCTION_EXISTS(mbedtls_md_setup LWS_HAVE_mbedtls_md_setup PARENT_SCOPE) # not on xenial 2.2
 		CHECK_FUNCTION_EXISTS(mbedtls_rsa_complete LWS_HAVE_mbedtls_rsa_complete PARENT_SCOPE) # not on xenial 2.2
 		CHECK_FUNCTION_EXISTS(mbedtls_internal_aes_encrypt LWS_HAVE_mbedtls_internal_aes_encrypt PARENT_SCOPE) # not on xenial 2.2
+		CHECK_FUNCTION_EXISTS(mbedtls_ssl_export_keying_material LWS_HAVE_mbedtls_ssl_export_keying_material PARENT_SCOPE)
 	endif()
 else()
 CHECK_FUNCTION_EXISTS(${VARIA}TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD PARENT_SCOPE)

lib/tls/mbedtls/lws-gendtls.c

@@ -226,7 +226,11 @@ lws_gendtls_create(struct lws_gendtls_ctx *ctx,
 int
 lws_gendtls_handshake_done(struct lws_gendtls_ctx *ctx)
 {
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000
 	return mbedtls_ssl_is_handshake_over(&ctx->ssl);
+#else
+	return ctx->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER;
+#endif
 }
 
 void
@@ -263,8 +267,11 @@ lws_gendtls_set_key_mem(struct lws_gendtls_ctx *ctx, const uint8_t *key, size_t
 	int ret;
 
 	if ((ret = mbedtls_pk_parse_key(&ctx->pkey, (const unsigned char *)key, len,
-				 NULL, 0,
-				 mbedtls_ctr_drbg_random, &ctx->ctr_drbg)) != 0) {
+				 NULL, 0
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000
+				 , mbedtls_ctr_drbg_random, &ctx->ctr_drbg
+#endif
+	)) != 0) {
 		printf("mbedtls_pk_parse_key failed: -0x%x\n", -ret);
 		return -1;
 	}
@@ -367,6 +374,7 @@ lws_gendtls_export_keying_material(struct lws_gendtls_ctx *ctx, const char *labe
 				   size_t label_len, const uint8_t *context,
 				   size_t context_len, uint8_t *out, size_t out_len)
 {
+#if defined(LWS_HAVE_mbedtls_ssl_export_keying_material)
 	int use_context = (context != NULL);
 
 	if (mbedtls_ssl_export_keying_material(&ctx->ssl, out, out_len,
@@ -376,6 +384,18 @@ lws_gendtls_export_keying_material(struct lws_gendtls_ctx *ctx, const char *labe
 		return -1;
 
 	return 0;
+#else
+	(void)ctx;
+	(void)label;
+	(void)label_len;
+	(void)context;
+	(void)context_len;
+	(void)out;
+	(void)out_len;
+
+	lwsl_err("%s: requires MBEDTLS_SSL_EXPORT_KEYS\n", __func__);
+	return -1;
+#endif
 }
 
 int

lib/tls/mbedtls/lws-genhash.c

@@ -278,14 +278,16 @@ lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type,
 	if (!ctx->hmac)
 		return -1;
 
-#if !defined(LWS_HAVE_mbedtls_md_setup)
-	if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
+#if defined(LWS_HAVE_mbedtls_md_setup) || \
+    (defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000)
+	if (mbedtls_md_setup(&ctx->ctx, ctx->hmac, 1))
 		return -1;
 #else
-	if (mbedtls_md_setup(&ctx->ctx, ctx->hmac, 1))
+	if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
 		return -1;
 #endif
 
+
 	if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len)) {
 		mbedtls_md_free(&ctx->ctx);
 		ctx->hmac = NULL;