| author | Garrett D'Amore <garrett@damore.org> | 2018-01-16 12:07:45 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2018-01-16 14:29:38 -0800 |
| commit | 02e6153236ae744fb614fcd14184924ec85c2993 (patch) | |
| tree | 6b41ca972d60e758c65c1adc0621500a92003c86 /src/supplemental/http | |
| parent | bbf012364d9f1482b16c97b8bfd2fd07130446ca (diff) | |
fixes #206 Want NNG_OPT_TLS_VERIFIED option
It is useful to have support for validating that a peer *was*
verified, especially in the presence of optional validation.
We have added a property that does this, NNG_OPT_TLS_VERIFIED.
Further, all the old NNG_OPT_WSS_TLS_* property names have also been
renamed to generic NNG_OPT_TLS property names, which have been
moved to nng.h to facilitate reuse and sharing, with the comments
moved and corrected as well.
Finally, the man pages have been updated, with substantial
improvements to the nng_ws man page in particular.
Diffstat (limited to 'src/supplemental/http')
| -rw-r--r-- | src/supplemental/http/http.c | 23 | ||||
| -rw-r--r-- | src/supplemental/http/http.h | 3 |
2 files changed, 26 insertions, 0 deletions
diff --git a/src/supplemental/http/http.c b/src/supplemental/http/http.c
index 229a4a99..43db1d15 100644
--- a/src/supplemental/http/http.c
+++ b/src/supplemental/http/http.c
@@ -40,6 +40,7 @@ typedef struct nni_http_tran {
 void (*h_write)(void *, nni_aio *);
 int (*h_sock_addr)(void *, nni_sockaddr *);
 int (*h_peer_addr)(void *, nni_sockaddr *);
+ bool (*h_verified)(void *);
 void (*h_close)(void *);
 void (*h_fini)(void *);
 } nni_http_tran;
@@ -55,6 +56,7 @@ struct nni_http {
 void (*wr)(void *, nni_aio *);
 int (*sock_addr)(void *, nni_sockaddr *);
 int (*peer_addr)(void *, nni_sockaddr *);
+ bool (*verified)(void *);
 void (*close)(void *);
 void (*fini)(void *);
@@ -610,6 +612,17 @@ nni_http_peer_addr(nni_http *http, nni_sockaddr *sa)
 return (rv);
 }
+bool
+nni_http_tls_verified(nni_http *http)
+{
+ bool rv;
+
+ nni_mtx_lock(&http->mtx);
+ rv = http->closed ? false : http->verified(http->sock);
+ nni_mtx_unlock(&http->mtx);
+ return (rv);
+}
+
 void
 nni_http_fini(nni_http *http)
 {
@@ -655,6 +668,7 @@ http_init(nni_http **httpp, nni_http_tran *tran, void *data)
 http->fini = tran->h_fini;
 http->sock_addr = tran->h_sock_addr;
 http->peer_addr = tran->h_peer_addr;
+ http->verified = tran->h_verified;
 if (((rv = nni_aio_init(&http->wr_aio, http_wr_cb, http)) != 0) ||
 ((rv = nni_aio_init(&http->rd_aio, http_rd_cb, http)) != 0)) {
@@ -667,6 +681,13 @@ http_init(nni_http **httpp, nni_http_tran *tran, void *data)
 return (0);
 }
+static bool
+nni_http_verified_tcp(void *arg)
+{
+ NNI_ARG_UNUSED(arg);
+ return (false);
+}
+
 static nni_http_tran http_tcp_ops = {
 .h_read = (void *) nni_plat_tcp_pipe_recv,
 .h_write = (void *) nni_plat_tcp_pipe_send,
@@ -674,6 +695,7 @@ static nni_http_tran http_tcp_ops = {
 .h_fini = (void *) nni_plat_tcp_pipe_fini,
 .h_sock_addr = (void *) nni_plat_tcp_pipe_sockname,
 .h_peer_addr = (void *) nni_plat_tcp_pipe_peername,
+ .h_verified = nni_http_verified_tcp,
 };
 int
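Review bot: In `nni_http_tls_verified` (hunk at -610) the `http->verified` pointer is called without a NULL check, and `http_init` copies `tran->h_verified` unconditionally, so a transport table that leaves the new member unset would crash here rather than report "not verified". Failing closed costs one comparison: `rv = (http->closed || http->verified == NULL) ? false : http->verified(http->sock);`. The function also has no comment; something like `// Returns true only if the TLS layer verified the peer; false for plain TCP and for closed connections.` would state the contract that callers making trust decisions rely on.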
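Review bot: The new file-local helper in the hunk at -667 is named `nni_http_verified_tcp`, but the other static symbols visible in this file (`http_init`, `http_wr_cb`, `http_rd_cb`, `http_tcp_ops`) use the bare `http_` prefix, with `nni_` apparently kept for exported functions. Renaming it to `http_verified_tcp`, with `.h_verified = http_verified_tcp,` in the table, would keep that distinction readable. A one-line comment such as `// Plain TCP has no peer authentication, so it is never "verified".` would make the fail-closed default explicit.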
@@ -690,6 +712,7 @@ static nni_http_tran http_tls_ops = {
 .h_fini = (void *) nni_tls_fini,
 .h_sock_addr = (void *) nni_tls_sockname,
 .h_peer_addr = (void *) nni_tls_peername,
+ .h_verified = (void *) nni_tls_verified,
 };
 int
diff --git a/src/supplemental/http/http.h b/src/supplemental/http/http.h
index 06394fdd..47c8d654 100644
--- a/src/supplemental/http/http.h
+++ b/src/supplemental/http/http.h
@@ -156,6 +156,9 @@ extern void nni_http_write_full(nni_http *, nni_aio *);
 extern int nni_http_sock_addr(nni_http *, nni_sockaddr *);
 extern int nni_http_peer_addr(nni_http *, nni_sockaddr *);
+// nni_tls_http_verified returns true if the peer has been verified using TLS.
+extern bool nni_http_tls_verified(nni_http *);
+
 typedef struct nni_http_server nni_http_server;
 typedef struct { |
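Review bot: The `(void *)` cast on `nni_tls_verified` in `http_tls_ops` hides any signature mismatch from the compiler, whereas the TCP entry added by this commit is assigned without a cast and so is checked against `bool (*)(void *)`. The declaration of `nni_tls_verified` is not visible here, but if its parameter or return type differs (for example, if it returns `int`), the call through `http->verified` is undefined behaviour and the verification result could be misread. Since this value feeds a trust decision, a typed wrapper would be safer than following the table's existing cast style: `static bool http_tls_verified(void *arg) { return (nni_tls_verified(arg)); }` with `.h_verified = http_tls_verified,`.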
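Review bot: The comment added in http.h names `nni_tls_http_verified`, but the function declared on the next line is `nni_http_tls_verified`. Beyond fixing the name, the comment should record the fail-closed cases visible in http.c, for example `// nni_http_tls_verified returns true if the peer has been verified using TLS.` followed by `// It returns false for plain TCP connections and for connections that are closed.` This matters most when peer validation is optional, because callers will use the result to decide whether to trust the peer.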
