Ioto 3.0.0 Major Release

I’m pleased to announce a major feature release of Ioto 3.0.0.

This release adds HTTP Basic and Digest authentication, client-side cache control, event-driven non-blocking I/O for 10x connection scalability, and pre-compressed content serving. It also includes significant performance optimizations, security hardening from fuzzing campaigns, and new runtime APIs for enhanced fiber and socket control.

Major Features

Web Server Authentication

• HTTP Basic Authentication - Username/password with configurable TLS enforcement (defaults to required) and SHA-256 password hashing
• HTTP Digest Authentication - Challenge-response authentication with MD5/SHA-256 algorithms, HMAC-SHA256 nonce generation, and replay protection
• Password Tool - New password command for generating hashed passwords
• Flexible User Management - webAddUser() allows null password for custom auth schemes

Event-Driven Non-Blocking I/O

• 10x Connection Scalability - Frees fibers during keep-alive idle periods, saving 64-256KB per idle connection
• Zero performance impact on active request processing
• Full backward compatibility with no API changes required

Client-Side Cache Control

• Route-based Cache-Control, Expires, and Pragma headers
• Extension-based filtering (e.g., cache only .css, .js, .png files)
• Natural time string parsing (e.g., 1week, 5mins, 1day)

Pre-Compressed Content Serving

• Automatic .gz and .br file serving based on Accept-Encoding
• Content negotiation with Brotli priority over gzip

Growable Fiber Stacks

• Guard Page Auto-Growing Stacks - Uses virtual memory guard pages for automatic stack growth
• Reserves large virtual address space but commits memory on demand
• Configurable via limits.fiberStack* properties

Web Server Exception Handling

• Fiber Exception Blocks - Optional crash recovery for web request handlers
• Enable via web.fiberBlocks configuration
• Catches SIGSEGV, SIGFPE, SIGBUS, SIGILL and Windows exceptions

Other Features

• Standalone web server mode - Run web program without full Ioto agent
• Flexible Builder endpoint configuration with SERVICES_REGISTER
• New runtime APIs for socket/fiber control, time operations, and URL authentication

Comprehensive Test Framework

This release significantly extends the test framework with specialized test suites:

• Unit Test Suite - Extensive unit tests covering all modules with the TestMe framework
• Leak Test Suite - Memory and resource leak detection tests that verify proper cleanup of allocations, file descriptors, and other resources in long-running scenarios
• Fuzz Test Suite - Security fuzzing tests for vulnerability discovery using malformed inputs, boundary conditions, and protocol edge cases. Several security fixes in this release were discovered through this comprehensive fuzzing campaign
• Benchmark Test Suite - Performance benchmarking tests measuring throughput, latency, and concurrency under various workloads to validate optimization improvements

Performance Optimizations

• Optimized socket accept path with R_WAIT_MAIN_FIBER flag
• Zero-copy body reading via webReadDirect()
• Dynamic buffer growth with rGrowBufSize()
• Static response optimization with webWriteResponseString()
• Dynamic poll table growth for Windows/WSAPoll

Security Fixes

• Fixed invalid reference in JSON parser (discovered via fuzzing)
• Fixed null dereference in HTTP method parsing (discovered via fuzzing)
• HMAC-SHA256 nonce generation for Digest authentication
• Constant-time comparison for timing-attack resistance
• URL client header injection defense

Bug Fixes

• Fixed hang in webSendFile when sending large files
• Fixed upload forms multipart form-data handling
• Fixed keep-alive timeout behavior
• Fixed file descriptor leak in putFile operation
• Fixed fiber exhaustion handling
• Fixed IPv4/IPv6 dual-stack listening
• Fixed macOS socket connection and dual-stack localhost issues
• Fixed Windows pollFds clearing in rFreeWait

FreeRTOS and ESP32

• ESP32-C6 Support - Added support for RISC-V based ESP32-C6 devices
• FreeRTOS Fiber Implementation - Semaphore-based synchronization
• FreeRTOS Demo App - New apps/demo/freertos/ with complete integration example
• OS Type Constants - Added ME_OS_* constants for compile-time OS detection

Breaking Changes

• rParseIsoDate() now returns -1 on error (previously returned 0)
• URL command --count renamed to --iterations
• limits.stack deprecated in favor of limits.fiberStack

Upgrading

1. Backup your current configuration and state directory
2. Review authentication configuration if adding auth
3. Update to v3.0.0 source code
4. Rebuild with your application configuration
5. Test authentication flows, dual-stack networking, file uploads

Users with web services exposed to untrusted input should upgrade promptly to benefit from the security improvements.

Download

Go to the Builder and navigate to the Product List to download. Select a product using “Ioto” as the device agent and click the Download icon.

Documentation

Full documentation available at: https://www.embedthis.com/doc/

Ongoing Maintenance

If you have questions, please contact us at: sales@embedthis.com.