| author | Garrett D'Amore <garrett@damore.org> | 2017-12-29 14:21:20 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2017-12-30 19:05:41 -0800 |
| commit | 6a50035b242b972c1d9b659ba63e037a0a8afe71 (patch) | |
| tree | fe2600235a01e72d1e7bd5fad1d5e2ea62aada2e /src/nng.h | |
| parent | a0364185784895c4bc748a6e6453a132d618c96c (diff) | |
fixes #166 Websocket TLS mapping
This introduces the wss:// scheme, which is available and works like
the ws:// scheme if TLS is enabled in the library.
The library modularization is refactored somewhat, to make it easier
to use. There is now a single NNG_ENABLE_TLS that enables TLS support
under the hood.
This also adds a new option for the TLS transport, NNG_OPT_TLS_CONFIG
(and a similar one for WSS, NNG_OPT_TLS_WSS_CONFIG) that offer access
to the underlying TLS configuration object, which now has a public API
to go with it as well.
Note that it is also possible to use pure HTTPS using the *private*
API, which will be exposed in a public form soon.
Diffstat (limited to 'src/nng.h')
| -rw-r--r-- | src/nng.h | 73 |
1 files changed, 73 insertions, 0 deletions
@@ -21,6 +21,7 @@ extern "C" { #endif +#include <stdbool.h> #include <stddef.h> #include <stdint.h> @@ -90,6 +91,7 @@ NNG_DECL int nng_getopt_int(nng_socket, const char *, int *); NNG_DECL int nng_getopt_ms(nng_socket, const char *, nng_duration *); NNG_DECL int nng_getopt_size(nng_socket, const char *, size_t *); NNG_DECL int nng_getopt_uint64(nng_socket, const char *, uint64_t *); +NNG_DECL int nng_getopt_ptr(nng_socket, const char *, void **); // nng_listen creates a listening endpoint with no special options, // and starts it listening. It is functionally equivalent to the legacy @@ -138,6 +140,7 @@ NNG_DECL int nng_dialer_setopt_int(nng_dialer, const char *, int); NNG_DECL int nng_dialer_setopt_ms(nng_dialer, const char *, nng_duration); NNG_DECL int nng_dialer_setopt_size(nng_dialer, const char *, size_t); NNG_DECL int nng_dialer_setopt_uint64(nng_dialer, const char *, uint64_t); +NNG_DECL int nng_dialer_setopt_ptr(nng_dialer, const char *, void *); // nng_dialer_getopt obtains the option for a dialer. This will // fail for options that a particular dialer is not interested in, @@ -147,6 +150,7 @@ NNG_DECL int nng_dialer_getopt_int(nng_dialer, const char *, int *); NNG_DECL int nng_dialer_getopt_ms(nng_dialer, const char *, nng_duration *); NNG_DECL int nng_dialer_getopt_size(nng_dialer, const char *, size_t *); NNG_DECL int nng_dialer_getopt_uint64(nng_dialer, const char *, uint64_t *); +NNG_DECL int nng_dialer_getopt_ptr(nng_dialer, const char *, void **); // nng_listener_setopt sets an option for a dialer. This value is // not stored in the socket. Subsequent setopts on the socket may 
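Review bot: The new `nng_dialer_setopt_ptr(nng_dialer, const char *, void *)` declaration carries no comment, and a bare `void *` option gives the caller nothing that says whether the dialer copies the pointed-to object or keeps the pointer, which for an `NNG_OPT_TLS_CONFIG` object decides whether freeing the configuration after `nng_dial` is a use-after-free. The commit message says the option "offers access to the underlying TLS configuration object", which suggests the pointer is retained, but the header should state that explicitly, for example `// nng_dialer_setopt_ptr stores the pointer itself, not a copy; the object must stay valid until the dialer is closed.` It would also help to say that the option name determines the expected pointee type, since nothing here can check that the `void *` actually points to an `nng_tls_config`. The surrounding comment blocks for the dialer setopt family start before this hunk, so the right home for the ownership rule may be there.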
@@ -158,6 +162,7 @@ NNG_DECL int nng_listener_setopt_int(nng_listener, const char *, int); NNG_DECL int nng_listener_setopt_ms(nng_listener, const char *, nng_duration); NNG_DECL int nng_listener_setopt_size(nng_listener, const char *, size_t); NNG_DECL int nng_listener_setopt_uint64(nng_listener, const char *, uint64_t); +NNG_DECL int nng_listener_setopt_ptr(nng_listener, const char *, void *); // nng_listener_getopt obtains the option for a listener. This will // fail for options that a particular listener is not interested in, @@ -169,6 +174,7 @@ NNG_DECL int nng_listener_getopt_ms( NNG_DECL int nng_listener_getopt_size(nng_listener, const char *, size_t *); NNG_DECL int nng_listener_getopt_uint64( nng_listener, const char *, uint64_t *); +NNG_DECL int nng_listener_getopt_ptr(nng_listener, const char *, void **); // nng_strerror returns a human readable string associated with the error // code supplied. 
@@ -574,6 +580,73 @@ enum nng_sockaddr_family { NNG_AF_ZT = 5, // ZeroTier }; +// For some transports, we need TLS configuration. This +// section lets us work with TLS configurations. Note +// that these symbols are only actually present at link time +// if TLS support is enabled in your build. Note also that +// a TLS configuration cannot be changed once it is in use. +typedef struct nng_tls_config nng_tls_config; + +typedef enum nng_tls_mode { + NNG_TLS_MODE_CLIENT = 0, + NNG_TLS_MODE_SERVER = 1, +} nng_tls_mode; + +typedef enum nng_tls_auth_mode { + NNG_TLS_AUTH_MODE_NONE = 0, // No verification is performed + NNG_TLS_AUTH_MODE_OPTIONAL = 1, // Verify cert if presented + NNG_TLS_AUTH_MODE_REQUIRED = 2, // Verify cert, close if invalid +} nng_tls_auth_mode; + +// nng_tls_config init creates a TLS configuration using +// reasonable defaults. This configuration can be shared +// with multiple pipes or services/servers. +NNG_DECL int nng_tls_config_init(nng_tls_config **, nng_tls_mode); + +NNG_DECL void nng_tls_config_fini(nng_tls_config *); + +// nng_tls_config_server_name sets the server name. This is +// called by clients to set the name that the server supplied +// certificate should be matched against. This can also cause +// the SNI to be sent to the server to tell it which cert to +// use if it supports more than one. +NNG_DECL int nng_tls_config_server_name(nng_tls_config *, const char *); + +// nng_tls_config_ca_cert configures one or more CAs used for validation +// of peer certificates. Multiple CAs (and their chains) may be configured +// by either calling this multiple times, or by specifying a list of +// certificates as concatenated data. The certs may be in PEM or DER +// format. +NNG_DECL int nng_tls_config_ca_cert(nng_tls_config *, const uint8_t *, size_t); + +// nng_tls_config_clr loads a certificate revocation list. Again, these +// are in X.509 format (either PEM or DER). 
+NNG_DECL int nng_tls_config_crl(nng_tls_config *, const uint8_t *, size_t); + +// nng_tls_config_cert is used to load our own certificate. For servers, +// this may be called more than once to configure multiple different keys, +// for example with different algorithms depending on what the peer supports. +// On the client, only a single option is available. +NNG_DECL int nng_tls_config_cert(nng_tls_config *, const uint8_t *, size_t); + +// nng_tls_config_key is used to pass our own private key. +NNG_DECL int nng_tls_config_key(nng_tls_config *, const uint8_t *, size_t); + +// nng_tls_config_pass is used to pass a password used to decrypt +// private keys that are encrypted. +NNG_DECL int nng_tls_config_pass(nng_tls_config *, const char *); + +// nng_tls_config_validate_peer is used to enable validation of the peer +// and it's certificate. If disabled, the peer's certificate will still +// be available, but may not be valid. +NNG_DECL int nng_tls_config_validate_peer(nng_tls_config *, bool); + +// nng_tls_config_auth_mode is used to configure the authentication mode use. +// The default is that servers have this off (i.e. no client authentication) +// and clients have it on (they verify the server), which matches typical +// practice. +NNG_DECL int nng_tls_config_auth_mode(nng_tls_config *, nng_tls_auth_mode); + #ifdef __cplusplus } #endif |
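Review bot: The new TLS section leaves undefined how `nng_tls_config_validate_peer(nng_tls_config *, bool)` interacts with `nng_tls_config_auth_mode`: both control peer verification, and a caller who sets `NNG_TLS_AUTH_MODE_REQUIRED` and then calls `validate_peer(false)` (or the reverse) cannot tell from these comments which setting wins, which is how verification ends up silently disabled. The `nng_tls_auth_mode` comments should also spell out that `NNG_TLS_AUTH_MODE_OPTIONAL` ("Verify cert if presented") presumably lets the handshake complete even when the presented certificate fails validation, so only `REQUIRED` yields an authenticated peer, and should name the concrete default mode for `NNG_TLS_MODE_CLIENT` and `NNG_TLS_MODE_SERVER` rather than describing it indirectly. Likewise `nng_tls_config_server_name` says it sets the name "the server supplied certificate should be matched against" but not what happens when a client never sets it; if the certificate is then only chain-validated, any certificate from a configured CA is accepted, and the comment should warn `// Clients that set no server name get no hostname check; any certificate chaining to a configured CA is accepted.` None of `nng_tls_config_ca_cert`, `_cert`, `_key` and `_pass` say whether the library copies the buffer or retains the caller's pointer, and `nng_tls_config_fini` does not say whether it is safe to call while pipes still reference a configuration the comment says "can be shared with multiple pipes" — key material and the password in particular need a stated lifetime and, ideally, a note that internal copies are zeroized on `fini`. Minor: the comment above `nng_tls_config_crl` names it `nng_tls_config_clr`, "nng_tls_config init" is missing its underscore, and "it's certificate" should be "its certificate".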
