authorGarrett D'Amore <garrett@damore.org>2018-01-11 14:58:09 -0800
committerGarrett D'Amore <garrett@damore.org>2018-01-16 08:45:11 -0800
commitbbf012364d9f1482b16c97b8bfd2fd07130446ca (patch)
tree2cb45903b0d5aa756d44f27b39a99c318a99a9a2 /src/nng.h
parent18229bbb69423d64d0a1b98bcf4bf3e24fba3aa4 (diff)
fixes #201 TLS configuration should support files for certificates and keys
This adds support for configuration of TLS websockets using files for keys, certificates, and CRLs. Significant changes to the websocket, TLS, and HTTP layers were made here. We now expect TLS configuration to be tied to the HTTP layer, and the HTTP code creates default configuration objects based on the URL supplied. (HTTP dialers and listeners are now created with a URL rather than a sockaddr, giving them access to the scheme as well.) We fixed several bugs affecting TLS validation, and added a test suite that confirms that validation works as it should. We also fixed an orphaned socket during HTTP negotiation, which was responsible for an occasional assertion error if the HTTP handshake does not complete successfully. Finally, several use-after-free races were closed. TLS layer changes include reporting of handshake failures using newly created "standard" error codes for peer authentication and cryptographic failures. The use of the '*' wildcard in URLs at bind time is no longer supported, at least for websocket. Documentation updates for all this are in place as well.
Diffstat (limited to 'src/nng.h')
-rw-r--r--src/nng.h22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/nng.h b/src/nng.h
index befc369b..6c043e26 100644
--- a/src/nng.h
+++ b/src/nng.h
@@ -84,6 +84,7 @@ NNG_DECL int nng_setopt_int(nng_socket, const char *, int);
NNG_DECL int nng_setopt_ms(nng_socket, const char *, nng_duration);
NNG_DECL int nng_setopt_size(nng_socket, const char *, size_t);
NNG_DECL int nng_setopt_uint64(nng_socket, const char *, uint64_t);
+NNG_DECL int nng_setopt_string(nng_socket, const char *, const char *);
// nng_socket_getopt obtains the option for a socket.
NNG_DECL int nng_getopt(nng_socket, const char *, void *, size_t *);
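Review bot: The added `nng_setopt_string` declaration carries no comment describing the string contract — whether the value must be NUL-terminated, whether the call copies it or retains the caller's pointer, and what a NULL value means — so a caller cannot tell from the header when it is safe to free or overwrite the buffer. The same applies to `nng_dialer_setopt_string` and `nng_listener_setopt_string` in the next two hunks. I'd add above each declaration a sentence in the style of the surrounding comments, such as `// nng_setopt_string sets an option from a NUL-terminated string; the string is copied, so the caller may release it after the call returns.` if that matches the implementation. Whether the existing `nng_setopt_*` comment above this hunk already covers string values cannot be seen from here.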
@@ -141,6 +142,7 @@ NNG_DECL int nng_dialer_setopt_ms(nng_dialer, const char *, nng_duration);
NNG_DECL int nng_dialer_setopt_size(nng_dialer, const char *, size_t);
NNG_DECL int nng_dialer_setopt_uint64(nng_dialer, const char *, uint64_t);
NNG_DECL int nng_dialer_setopt_ptr(nng_dialer, const char *, void *);
+NNG_DECL int nng_dialer_setopt_string(nng_dialer, const char *, const char *);
// nng_dialer_getopt obtains the option for a dialer. This will
// fail for options that a particular dialer is not interested in,
@@ -163,6 +165,8 @@ NNG_DECL int nng_listener_setopt_ms(nng_listener, const char *, nng_duration);
NNG_DECL int nng_listener_setopt_size(nng_listener, const char *, size_t);
NNG_DECL int nng_listener_setopt_uint64(nng_listener, const char *, uint64_t);
NNG_DECL int nng_listener_setopt_ptr(nng_listener, const char *, void *);
+NNG_DECL int nng_listener_setopt_string(
+ nng_listener, const char *, const char *);
// nng_listener_getopt obtains the option for a listener. This will
// fail for options that a particular listener is not interested in,
@@ -507,6 +511,8 @@ enum nng_errno_enum {
NNG_EEXIST = 23,
NNG_EREADONLY = 24,
NNG_EWRITEONLY = 25,
+ NNG_ECRYPTO = 26,
+ NNG_EPEERAUTH = 27,
NNG_EINTERNAL = 1000,
NNG_ESYSERR = 0x10000000,
NNG_ETRANERR = 0x20000000,
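Review bot: The two new codes `NNG_ECRYPTO` and `NNG_EPEERAUTH` are added to `nng_errno_enum` with no comment, so a reader of the header cannot tell which one a rejected TLS handshake yields, even though the commit description distinguishes cryptographic failures from peer-authentication failures. The distinction matters to callers: a peer-authentication failure is a policy result they should surface rather than retry blindly. Suggest `NNG_ECRYPTO = 26, // cryptographic failure (e.g. TLS handshake)` and `NNG_EPEERAUTH = 27, // peer certificate failed authentication`. Presumably the string table behind nng_strerror also needs entries for 26 and 27; that lives outside this file.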
@@ -640,6 +646,22 @@ NNG_DECL int nng_tls_config_pass(nng_tls_config *, const char *);
// practice.
NNG_DECL int nng_tls_config_auth_mode(nng_tls_config *, nng_tls_auth_mode);
+// nng_tls_config_ca_file is used to pass a CA chain and optional CRL
+// via the filesystem. If CRL data is present, it must be contained
+// in the file, along with the CA certificate data. The format is PEM.
+// The path name must be a legal file name.
+NNG_DECL int nng_tls_config_ca_file(nng_tls_config *, const char *);
+
+// nng_tls_config_cert_key_file is used to pass our own certificate and
+// private key data via the filesystem. Both the key and certificate
+// must be present as PEM blocks in the same file. A password is used to
+// decrypt the private key if it is encrypted and the password supplied is not
+// NULL. This may be called multiple times on servers, but only once on a
+// client. (Servers can support multiple different certificates and keys for
+// different cryptographic algorithms. Clients only get one.)
+NNG_DECL int nng_tls_config_cert_key_file(
+ nng_tls_config *, const char *, const char *);
+
#ifdef __cplusplus
}
#endif
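Review bot: The comments on `nng_tls_config_ca_file` and `nng_tls_config_cert_key_file` describe what the files must contain but not the call's contract: when the file is read (during this call or later when the endpoint starts), what is returned when the file is missing, unreadable, or holds no valid PEM block, and whether the path and password strings are copied or must outlive the call. For the password this matters most, because a caller who wants to wipe it from memory needs to know whether the library keeps a reference to it. I'd extend the `nng_tls_config_cert_key_file` comment with a sentence such as `// The file is read and the password consumed during this call; neither the path nor the password is retained afterwards.` if that is what the implementation does, and name the error code returned for an unreadable or unparsable file (whether it is NNG_ECRYPTO or a system error should be confirmed against the implementation). The same return-value sentence belongs on `nng_tls_config_ca_file`.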