Revert to the old TLS API, but keep certs as mg_str for DER

cesanta · Sep 19, 2023 · 3f0366a · 3f0366a · gvanem · Sep 25, 2023
1 parent 7ecbbc5
commit 3f0366a
Show file tree

Hide file tree

Showing 31 changed files with 526 additions and 776 deletions.
diff --git a/examples/device-dashboard/net.c b/examples/device-dashboard/net.c
@@ -261,7 +261,14 @@ static void handle_sys_reset(struct mg_connection *c) {
 
 // HTTP request handler function
 static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
-  if (ev == MG_EV_HTTP_MSG) {
+  if (ev == MG_EV_ACCEPT) {
+    if (fn_data != NULL) {  // TLS listener!
+      struct mg_tls_opts opts = {0};
+      opts.cert = mg_unpacked("/certs/server_cert.pem");
+      opts.key = mg_unpacked("/certs/server_key.pem");
+      mg_tls_init(c, &opts);
+    }
+  } else if (ev == MG_EV_HTTP_MSG) {
     struct mg_http_message *hm = (struct mg_http_message *) ev_data;
     struct user *u = authenticate(hm);
 
@@ -306,20 +313,12 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
               hm->method.ptr, (int) hm->uri.len, hm->uri.ptr, (int) 3,
               &c->send.buf[9]));
   }
-  (void) fn_data;
 }
 
 void web_init(struct mg_mgr *mgr) {
-  struct mg_tls_opts opts = {0};
-  opts.server_cert = mg_unpacked("/certs/server_cert.pem");
-  opts.server_key = mg_unpacked("/certs/server_key.pem");
-  mg_tls_ctx_init(mgr, &opts);
-
   s_settings.device_name = strdup("My Device");
-
   mg_http_listen(mgr, HTTP_URL, fn, NULL);
-  mg_http_listen(mgr, HTTPS_URL, fn, NULL);
-
+  mg_http_listen(mgr, HTTPS_URL, fn, (void *) 1);
   mg_timer_add(mgr, 3600 * 1000, MG_TIMER_RUN_NOW | MG_TIMER_REPEAT,
                timer_sntp_fn, mgr);
 }
diff --git a/examples/http-client/certs/client_ca.pem → examples/http-client/certs/ca.pem b/examples/http-client/certs/client_ca.pem → examples/http-client/certs/ca.pem
diff --git a/examples/http-client/main.c b/examples/http-client/main.c
@@ -28,6 +28,12 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
     // Connected to server. Extract host name from URL
     struct mg_str host = mg_url_host(s_url);
 
+    if (mg_url_is_ssl(s_url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = mg_url_host(s_url)};
+      mg_tls_init(c, &opts);
+    }
+
     // Send request
     int content_length = s_post_data ? strlen(s_post_data) : 0;
     mg_printf(c,
@@ -59,8 +65,6 @@ int main(int argc, char *argv[]) {
   if (argc > 1) s_url = argv[1];  // Use URL provided in the command line
   mg_log_set(atoi(log_level));    // Set to 0 to disable debug
   mg_mgr_init(&mgr);              // Initialise event manager
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_http_connect(&mgr, s_url, fn, &done);  // Create client connection
   while (!done) mg_mgr_poll(&mgr, 50);      // Event manager loops until 'done'
   mg_mgr_free(&mgr);                        // Free resources

diff --git a/examples/http-client/packed_fs.c b/examples/http-client/packed_fs.c
@@ -2556,7 +2556,7 @@ static const struct packed_file {
   size_t size;
   time_t mtime;
 } packed_files[] = {
-  {"/certs/client_ca.pem", v1, sizeof(v1), 1694016785},
+  {"/certs/ca.pem", v1, sizeof(v1), 1694162397},
   {NULL, NULL, 0, 0}
 };
 

diff --git a/examples/http-proxy-client/Makefile b/examples/http-proxy-client/Makefile
@@ -7,7 +7,7 @@ CFLAGS = -W -Wall -Wextra -g -I.  # Build options
 # Mongoose build options. See https://mongoose.ws/documentation/#build-options
 CFLAGS_MONGOOSE += -DMG_ENABLE_LINES=1 -DMG_ENABLE_PACKED_FS=1
 
-// see tutorial at https://mongoose.ws/tutorials/http-proxy-client/
+# See tutorial at https://mongoose.ws/tutorials/http-proxy-client/
 ARGS ?= 167.235.63.238:3128 http://info.cern.ch/	# default call arguments
 
 ifeq ($(OS),Windows_NT)   # Windows settings. Assume MinGW compiler. To use VC: make CC=cl CFLAGS=/MD OUT=/Feprog.exe

diff --git a/examples/http-proxy-client/main.c b/examples/http-proxy-client/main.c
@@ -20,6 +20,13 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
   } else if (ev == MG_EV_CONNECT) {
     // Proxy TCP connection established. Send CONNECT request
     struct mg_str host = mg_url_host(url);
+
+    if (mg_url_is_ssl(url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = host};
+      mg_tls_init(c, &opts);
+    }
+
     // c->is_hexdumping = 1;
     mg_printf(c, "CONNECT %.*s:%hu HTTP/1.1\r\nHost: %.*s:%hu\r\n\r\n",
               (int) host.len, host.ptr, mg_url_port(url), (int) host.len,
@@ -35,10 +42,11 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
           ("Connected to proxy, status: %.*s", (int) hm.uri.len, hm.uri.ptr));
       mg_iobuf_del(&c->recv, 0, n);
       // Send request to the target server
-      mg_printf(c, "GET %s HTTP/1.0\r\n"
-                   "Host: %.*s\r\n"
-                   "\r\n",
-                   mg_url_uri(url), (int) host.len, host.ptr);
+      mg_printf(c,
+                "GET %s HTTP/1.0\r\n"
+                "Host: %.*s\r\n"
+                "\r\n",
+                mg_url_uri(url), (int) host.len, host.ptr);
     }
   }
 }
@@ -52,8 +60,6 @@ int main(int argc, char *argv[]) {
   }
 
   mg_mgr_init(&mgr);                            // Initialise event manager
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_http_connect(&mgr, argv[1], fn, argv[2]);  // Connect to the proxy
   for (;;) mg_mgr_poll(&mgr, 1000);             // Event loop
   mg_mgr_free(&mgr);

diff --git a/examples/http-restful-server/main.c b/examples/http-restful-server/main.c
@@ -57,6 +57,15 @@ static const char *s_tls_key =
 // We use the same event handler function for HTTP and HTTPS connections
 // fn_data is NULL for plain HTTP, and non-NULL for HTTPS
 static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
+  if (ev == MG_EV_ACCEPT && fn_data != NULL) {
+    struct mg_tls_opts opts = {
+#ifdef TLS_TWOWAY
+        .ca = mg_str(s_tls_ca),
+#endif
+        .cert = mg_str(s_tls_cert),
+        .key = mg_str(s_tls_key)};
+    mg_tls_init(c, &opts);
+  }
   if (ev == MG_EV_HTTP_MSG) {
     struct mg_http_message *hm = (struct mg_http_message *) ev_data;
     if (mg_http_match_uri(hm, "/api/stats")) {
@@ -87,13 +96,6 @@ int main(void) {
   struct mg_mgr mgr;                            // Event manager
   mg_log_set(MG_LL_DEBUG);                      // Set log level
   mg_mgr_init(&mgr);                            // Initialise event manager
-  struct mg_tls_opts opts = {
-#ifdef TLS_TWOWAY
-                             .client_ca = mg_str(s_tls_ca),
-#endif
-                             .server_cert = mg_str(s_tls_cert),
-                             .server_key = mg_str(s_tls_key)};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_http_listen(&mgr, s_http_addr, fn, NULL);  // Create HTTP listener
   mg_http_listen(&mgr, s_https_addr, fn, (void *) 1);  // HTTPS listener
   for (;;) mg_mgr_poll(&mgr, 1000);                    // Infinite event loop

diff --git a/examples/http-reverse-proxy/main.c b/examples/http-reverse-proxy/main.c
@@ -37,7 +37,7 @@ static void forward_request(struct mg_http_message *hm,
 }
 
 static void fn2(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
-  struct mg_connection *c2 = (struct mg_connection *)fn_data;
+  struct mg_connection *c2 = (struct mg_connection *) fn_data;
   if (ev == MG_EV_READ) {
     // All incoming data from the backend, forward to the client
     if (c2 != NULL) mg_send(c2, c->recv.buf, c->recv.len);
@@ -58,9 +58,14 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
     if (c2 == NULL) {
       mg_error(c, "Cannot create backend connection");
     } else {
+      if (mg_url_is_ssl(s_backend_url)) {
+        struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                   .name = mg_url_host(s_backend_url)};
+        mg_tls_init(c2, &opts);
+      }
       c->fn_data = c2;
       forward_request(hm, c2);
-      c->is_resp = 0; // process further msgs in keep-alive connection
+      c->is_resp = 0;  // process further msgs in keep-alive connection
       c2->is_hexdumping = 1;
     }
   } else if (ev == MG_EV_CLOSE) {
@@ -74,8 +79,6 @@ int main(void) {
 
   mg_log_set(MG_LL_DEBUG);                       // Set log level
   mg_mgr_init(&mgr);                             // Initialise event manager
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_http_listen(&mgr, s_listen_url, fn, NULL);  // Start proxy
   for (;;) mg_mgr_poll(&mgr, 1000);              // Event loop
   mg_mgr_free(&mgr);

diff --git a/examples/http-streaming-client/main.c b/examples/http-streaming-client/main.c
@@ -21,6 +21,13 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
   if (ev == MG_EV_CONNECT) {
     // Connected to server. Extract host name from URL
     struct mg_str host = mg_url_host(s_url);
+
+    if (mg_url_is_ssl(s_url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = host};
+      mg_tls_init(c, &opts);
+    }
+
     // Send request
     mg_printf(c,
               "GET %s HTTP/1.1\r\n"
@@ -56,9 +63,6 @@ int main(int argc, char *argv[]) {
   mg_log_set(atoi(log_level));             // Set to 0 to disable debug log
   if (argc > 1) s_url = argv[1];           // Use URL from command line
 
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
-
   mg_http_connect(&mgr, s_url, fn, &done);  // Create client connection
   while (!done) mg_mgr_poll(&mgr, 1000);    // Infinite event loop
   mg_mgr_free(&mgr);                        // Free resources

diff --git a/examples/mqtt-client-aws-iot/main.c b/examples/mqtt-client-aws-iot/main.c
@@ -29,8 +29,8 @@ static const char *s_url =
 // 3. From the dialog box that appears, download:
 //      xxx-certificate.pem.crt as cert.pem to the example directory
 //      xxx-private.pem.key as key.pem to the example directory
-//static const char *s_cert = "cert.pem";
-//static const char *s_key = "key.pem";
+// static const char *s_cert = "cert.pem";
+// static const char *s_key = "key.pem";
 
 static const char *s_rx_topic = "d/rx";
 static const char *s_tx_topic = "d/tx";
@@ -41,6 +41,12 @@ static int s_qos = 1;
 static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
   if (ev == MG_EV_OPEN) {
     // c->is_hexdumping = 1;
+  } else if (ev == MG_EV_CONNECT) {
+    if (mg_url_is_ssl(s_url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = mg_url_host(s_url)};
+      mg_tls_init(c, &opts);
+    }
   } else if (ev == MG_EV_ERROR) {
     // On error, log error message
     MG_ERROR(("%p %s", c->fd, (char *) ev_data));
@@ -87,9 +93,6 @@ int main(void) {
   struct mg_mqtt_opts opts = {.clean = true};
   bool done = false;
   mg_mgr_init(&mgr);                               // Initialise event manager
-  struct mg_tls_opts topts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-//TODO() 2-way auth and certificate loading
-  mg_tls_ctx_init(&mgr, &topts);
   MG_INFO(("Connecting to %s", s_url));            // Inform that we're starting
   mg_mqtt_connect(&mgr, s_url, &opts, fn, &done);  // Create client connection
   while (!done) mg_mgr_poll(&mgr, 1000);           // Loop until done

diff --git a/examples/mqtt-client/main.c b/examples/mqtt-client/main.c
@@ -28,6 +28,12 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
   if (ev == MG_EV_OPEN) {
     MG_INFO(("%lu CREATED", c->id));
     // c->is_hexdumping = 1;
+  } else if (ev == MG_EV_CONNECT) {
+    if (mg_url_is_ssl(s_url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = mg_url_host(s_url)};
+      mg_tls_init(c, &opts);
+    }
   } else if (ev == MG_EV_ERROR) {
     // On error, log error message
     MG_ERROR(("%lu ERROR %s", c->id, (char *) ev_data));
@@ -101,9 +107,6 @@ int main(int argc, char *argv[]) {
   signal(SIGTERM, signal_handler);  // manager loop on SIGINT and SIGTERM
 
   mg_mgr_init(&mgr);
-
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_timer_add(&mgr, 3000, MG_TIMER_REPEAT | MG_TIMER_RUN_NOW, timer_fn, &mgr);
   while (s_signo == 0) mg_mgr_poll(&mgr, 1000);  // Event loop, 1s timeout
   mg_mgr_free(&mgr);                             // Finished, cleanup

diff --git a/examples/mqtt-over-ws-client/main.c b/examples/mqtt-over-ws-client/main.c
@@ -11,11 +11,11 @@
 
 #include "mongoose.h"
 
-static const char *s_url = 
+static const char *s_url =
 #if MG_TLS
-  "wss://broker.hivemq.com:8884/mqtt";
+    "wss://broker.hivemq.com:8884/mqtt";
 #else
-  "ws://broker.hivemq.com:8000/mqtt";
+    "ws://broker.hivemq.com:8000/mqtt";
 #endif
 
 static const char *s_topic = "mg/test";
@@ -24,12 +24,17 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
   if (ev == MG_EV_ERROR) {
     // On error, log error message
     MG_ERROR(("%p %s", c->fd, (char *) ev_data));
+  } else if (ev == MG_EV_CONNECT) {
+    if (mg_url_is_ssl(s_url)) {
+      struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                 .name = mg_url_host(s_url)};
+      mg_tls_init(c, &opts);
+    }
   } else if (ev == MG_EV_WS_OPEN) {
     // WS connection established. Perform MQTT login
     MG_INFO(("Connected to WS. Logging in to MQTT..."));
-    struct mg_mqtt_opts opts = {.qos = 1,
-                                .topic = mg_str(s_topic),
-                                .message = mg_str("goodbye")};
+    struct mg_mqtt_opts opts = {
+        .qos = 1, .topic = mg_str(s_topic), .message = mg_str("goodbye")};
     size_t len = c->send.len;
     mg_mqtt_login(c, &opts);
     mg_ws_wrap(c, c->send.len - len, WEBSOCKET_OP_BINARY);
@@ -92,8 +97,6 @@ int main(void) {
   struct mg_mgr mgr;        // Event manager
   bool done = false;        // Event handler flips it to true when done
   mg_mgr_init(&mgr);        // Initialise event manager
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
   mg_log_set(MG_LL_DEBUG);  // Set log level
   mg_ws_connect(&mgr, s_url, fn, &done, NULL);    // Create client connection
   while (done == false) mg_mgr_poll(&mgr, 1000);  // Event loop

diff --git a/examples/smtp-client/main.c b/examples/smtp-client/main.c
@@ -28,8 +28,9 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
         mg_printf(c, "STARTTLS\r\n");
         *state = STARTTLS_WAIT;
       } else if (*state == STARTTLS_WAIT) {
-        struct mg_str host = mg_url_host(server);
-        mg_tls_init(c, host);
+        struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
+                                   .name = mg_url_host(server)};
+        mg_tls_init(c, &opts);
         *state = AUTH;
       } else if (*state == AUTH) {
         char a[100], b[300] = "";
@@ -74,10 +75,6 @@ static void fn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
 int main(void) {
   struct mg_mgr mgr;
   mg_mgr_init(&mgr);
-
-  struct mg_tls_opts opts = {.client_ca = mg_unpacked("/certs/client_ca.pem")};
-  mg_tls_ctx_init(&mgr, &opts);
-
   mg_log_set(MG_LL_DEBUG);
   mg_connect(&mgr, server, fn, NULL);
   while (s_quit == false) mg_mgr_poll(&mgr, 1000);

diff --git a/examples/tcp/main.c b/examples/tcp/main.c
@@ -54,10 +54,12 @@ static void cfn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
     MG_INFO(("CLIENT has been initialized"));
   } else if (ev == MG_EV_CONNECT) {
     MG_INFO(("CLIENT connected"));
-#if MG_TLS
-    struct mg_str host = mg_url_host(s_conn);
-    mg_tls_init(c, host);
-#endif
+    if (mg_url_is_ssl(s_conn)) {
+      struct mg_tls_opts opts = {.ca = mg_str(s_tls_ca),
+                                 .cert = mg_str(s_tls_cert),
+                                 .key = mg_str(s_tls_key)};
+      mg_tls_init(c, &opts);
+    }
     *i = 1;  // do something
   } else if (ev == MG_EV_READ) {
     struct mg_iobuf *r = &c->recv;
@@ -89,9 +91,12 @@ static void sfn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
     MG_INFO(("SERVER is listening"));
   } else if (ev == MG_EV_ACCEPT) {
     MG_INFO(("SERVER accepted a connection"));
-#if MG_TLS
-    mg_tls_init(c, mg_str(""));
-#endif
+    if (mg_url_is_ssl(s_lsn)) {
+      struct mg_tls_opts opts = {.ca = mg_str(s_tls_ca),
+                                 .cert = mg_str(s_tls_cert),
+                                 .key = mg_str(s_tls_key)};
+      mg_tls_init(c, &opts);
+    }
   } else if (ev == MG_EV_READ) {
     struct mg_iobuf *r = &c->recv;
     MG_INFO(("SERVER got data: %.*s", r->len, r->buf));
@@ -109,13 +114,9 @@ static void sfn(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
 static void timer_fn(void *arg) {
   struct mg_mgr *mgr = (struct mg_mgr *) arg;
   if (c_res.c == NULL) {
-    // connect
     c_res.i = 0;
     c_res.c = mg_connect(mgr, s_conn, cfn, &c_res);
-    if (c_res.c == NULL)
-      MG_INFO(("CLIENT cant' open a connection"));
-    else
-      MG_INFO(("CLIENT is connecting"));
+    MG_INFO(("CLIENT %s", c_res.c ? "connecting" : "failed"));
   }
 }
 
@@ -126,11 +127,6 @@ int main(void) {
   mg_log_set(MG_LL_INFO);  // Set log level
   mg_mgr_init(&mgr);       // Initialize event manager
 
-  struct mg_tls_opts opts = {.client_ca = mg_str(s_tls_ca),
-                             .server_cert = mg_str(s_tls_cert),
-                             .server_key = mg_str(s_tls_key)};
-  mg_tls_ctx_init(&mgr, &opts);
-
   mg_timer_add(&mgr, 15000, MG_TIMER_REPEAT | MG_TIMER_RUN_NOW, timer_fn, &mgr);
   c = mg_listen(&mgr, s_lsn, sfn, NULL);  // Create server connection
   if (c == NULL) {