| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
This also provides an implementation for getting ALT names, although
nothing uses that yet. We plan to provide a new certificate API to
replace these with a nicer API, as obtaining the full list of certs
may be unreasonable.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running nng tests in CI under nix on Linux, I would see
`nng_dialer_start` fail with `NNG_EAGAIN` when invoked with `flags = 0`
and a URL of `tcp://999.888.777.666:8080` (this is in a test that is
supposed to check that dialing that gives you `NNG_EINVAL` or
`NNG_EADDRINVAL`).
This can happen if `nni_resolv_ip` in `posix_resolv_gai.c` gets
`EAI_AGAIN` from `getaddrinfo`, which the man pages suggest _can_ happen
due to "a temporary failure in name resolution". In the nix case, this
is due to the nix build sandbox, but it can also arise simply due to DNS
overload or misconfiguration.
In either case, nng should not bubble up `EAI_AGAIN` `as `NNG_EAGAIN`
from `nng_dialer_start`, as `NNG_EAGAIN` has a different semantic
meaning. `NNG_EAGAIN` is more equivalent to "would block", and should
only be generated through calls with the `NONBLOCK` flag. We don't have
a perfect mapping for `EAI_AGAIN`, but the closest is probably
`NNG_ADDRINVAL` to indicate that we failed to resolve the given address
(even if it's temporary). Another option would be to introduce another
error variant like `NNG_ENAMELOOKUP`, but that felt excessive to cover
this case.
|
| | |
|
| | |
|
| |
|
|
|
| |
This was responsible for breaking DTLS, and likely other things we
never noticed, if the pointer passed in was not already a uint8_t *.
|
| |
|
|
|
|
| |
Once a DTLS client is started and has reasonably resolved things, it
will restart message connections; this way we can restart after a
failed connection attempt (e.g. if the CERT was bad or something.)
|
| |
|
|
| |
This is occurs normally on socket close and the error messages were alarming.
|
| |
|
|
| |
Warning level was just too noisy.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This simplifies the code to just use a precompiled static list.
This should be lighter weight, and provably free from leaks.
|
| |
|
|
| |
The ECONNREFUSED result was causing consternation for some consumers.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
It is a bit of a mystery how we were passing CI/CD with all these problems.
Probably we were falling back to select/poll instead of using ports.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Modify the unmatched brackets in the sample code
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This may resolve a surprising NULL pointer dereference.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This saves some atomic lookups, and avoids possible races when the
engine is not yet initialized or being torn down.
|
| |
|
|
|
| |
We never use or test this code, and its better to not have it if
nobody is using it.
|
| | |
|
| |
|
|
| |
platform.h was removed with 7cdba96
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This work is inspired by the DTLS work, and harmonizes the UDP implementation
with DTLS somewhat.
This should make it more resilient to failures, although there is no longer any
attempt to guard against sequencing (reorders, dupes) errors. Applications that
need such protection should either add it themselves, or use a transport which
provides that guarantee (such as TCP). Note that with devices and and such in
the way, such guarantees have never been perfect with SP anyway.
The UDP transport header sizes for this are now just 8 bytes (beyond the UDP header
itself.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An explicit call to `mbedtls_ssl_set_hostname(NULL)` is now required if the hostname should not be verified in handshake. From the mbedtls changelog:
```
= Mbed TLS 3.6.3 branch released 2025-03-24
Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
```
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a new experimental transport for DTLS, that
provides encryption over UDP. It has a simpler protocol than
the current UDP SP protocol (but we intend to fix that by making
the UDP transport simpler in a follow up!)
There are a few other fixes in the TLS layer itself, and in
the build, that were needed to accomplish this work.
Also there was an endianness bug in the UDP protocol handling, which
is fixed here.
|
| |
|
|
|
| |
These are intended for new transports. Right now they are not
documented, but that will be addressed soon.
|
| | |
|
| | |
|
| | |
|
| | |
|
