aboutsummaryrefslogtreecommitdiff
path: root/src/supplemental/tls
Commit message (Collapse)AuthorAge
* TLS: eliminate more runtime ops vectorsGarrett D'Amore2025-06-30
|
* TLS: Configuration does not need to keep a reference to the engine.Garrett D'Amore2025-06-29
| | | | This may resolve a surprising NULL pointer dereference.
* TLS: fixes for test coverage and improved identification logging.Garrett D'Amore2025-06-22
|
* TLS: Remove support for dynamic engine initialization.Garrett D'Amore2025-06-21
| | | | | This saves some atomic lookups, and avoids possible races when the engine is not yet initialized or being torn down.
* Drop mbedtls CTR_DRBG pseudo-random number generator.Garrett D'Amore2025-06-21
| | | | | We never use or test this code, and its better to not have it if nobody is using it.
* tls: false is not a numberGarrett D'Amore2025-06-21
|
* fixes mbedtls 3.6.3 handshake with NULL server nameelijahr2025-06-02
| | | | | | | | | | | | | | | | An explicit call to `mbedtls_ssl_set_hostname(NULL)` is now required if the hostname should not be verified in handshake. From the mbedtls changelog: ``` = Mbed TLS 3.6.3 branch released 2025-03-24 Default behavior changes * In TLS clients, if mbedtls_ssl_set_hostname() has not been called, mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted. This is because authenticating a server without knowing what name to expect is usually insecure. To restore the old behavior, either call mbedtls_ssl_set_hostname() with NULL as the hostname, or enable the new compile-time option MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. ```
* Introduce DTLS transport for NNG.Garrett D'Amore2025-06-01
| | | | | | | | | | | | | This introduces a new experimental transport for DTLS, that provides encryption over UDP. It has a simpler protocol than the current UDP SP protocol (but we intend to fix that by making the UDP transport simpler in a follow up!) There are a few other fixes in the TLS layer itself, and in the build, that were needed to accomplish this work. Also there was an endianness bug in the UDP protocol handling, which is fixed here.
* Converted property functions to use nng_err.Garrett D'Amore2025-04-27
|
* Transport listen: use nng_errGarrett D'Amore2025-04-27
|
* More nng_err -- this time for dialer and listener allocations.Garrett D'Amore2025-04-27
|
* AIO: Use nng_err for cancellation callback instead of int.Garrett D'Amore2025-04-27
| | | | | | This is part of our work to improve type safety/awareness, and also improve debugger support, for NNG error codes. There are still quite a few more but this should help.
* TLS: break up the TLS layer a bit to refactor for DTLS.Garrett D'Amore2025-04-27
| | | | | | | | | | | This allows us to break the assumption that the bottom half is TCP, or even an nng_stream, since the DTLS layer will use a totally different layer. Only nng_stream neeeds to support dial and listen. Also: UDP: Make the sockaddr arguments to open const. Also: Align the IPv6 address in the sockaddr (this allows for efficient 64-bit or even 128-bit operations on these values.)
* Fix typo in NNG_TLS_MAX_RECV_SIZEGarrett D'Amore2025-04-13
|
* Liberally apply some UWYI (use what you include) to header filesGarrett D'Amore2025-01-05
|
* api: fold TLS supplemental headers into nng.hGarrett D'Amore2025-01-04
|
* cmake: ensure that MbedTLS and WolfSSL can be found properly as subprojectsGarrett D'Amore2025-01-01
| | | | | Using nng_find_package as the helper fixes this, by ensuring that the dependency gets properly added to incorporating projects.
* tls: use nni_aio_beginGarrett D'Amore2024-12-26
|
* streams: add explicit stop functionsGarrett D'Amore2024-12-12
| | | | | | | | | | | | This allows us to explicitly stop streams, dialers, and listeners, before we start tearing down things. This hopefully will be useful in resolving use-after-free bugs in http, tls, and websockets. The new functions are not yet documented, but they are nng_stream_stop, nng_stream_dialer_stop, and nng_stream_listener_stop. They should be called after close, and before free. The close functions now close without blocking, but the stop function is allowed to block.
* Remove all the get_ptr option accessors.Garrett D'Amore2024-11-24
| | | | | Temporarily we have removed access to the peer alt names, but that was never used and was not tested (it also didn't work with WolfSSL.)
* tls: add a mutual authentication testGarrett D'Amore2024-11-23
| | | | | | | | Also, make it clearer that TLS keys and certificates can only be set once on a configuration. (mbedTLS makes this confusing!) This mutual test is only fully validated on mbed, because wolfSSL seems to not properly validate this in many configurations.
* tls: include error code from mbed in log messagesGarrett D'Amore2024-11-23
| | | | Also add a test case for mismatch verify.
* tls: add ecdsa test caseGarrett D'Amore2024-11-17
|
* tls: remove support for TLS 1.0 and 1.1.Garrett D'Amore2024-11-16
| | | | | Those old algorithms are not used anywhere, and are not recommended. TLS 1.2 support has been prevalent for over a decade.
* refactor initialization/finalizationGarrett D'Amore2024-11-11
| | | | | | | | | Applications must now call nng_init(), but they can supply a set of parameters optionally. The code is now safe for multiple libraries to do this concurrently, meaning nng_fini no longer can race against another instance starting up. The nni_init checks on all public APIs are removed now.
* websocket: Do not allow a listener or dialer to change TLS while runningGarrett D'Amore2024-11-09
| | | | This also covers a few test cases that we were missing.
* TLS configuration changed to use discret _set_tls and _get_tls functions.Garrett D'Amore2024-11-09
| | | | This is simpler, and more reliable than using socket options.
* Remove nng_stream_set function family.Garrett D'Amore2024-10-28
| | | | This was not really used or useful.
* tls: Remove the individual TLS configuration optionsGarrett D'Amore2024-10-28
| | | | | | | | This is a breaking change. TLS configuration changes are to be made using TLS configuration objects, and then set on a listener or dialer with NNG_OPT_TLS_CONFIG. This should be a bit less racy, and allows for simpler code.
* TLS: enable TLS 1.3 for Mbed TLS.Garrett D'Amore2024-08-14
| | | | | This requires using a supporting version of Mbed TLS. We have to use PSA crypto for TLS 1.3.
* fixes #1849 merge wolfSSL support inline, and relicense it under same terms ↵Garrett D'Amore2024-07-22
| | | | as NNG and add PSK
* TLS: make some tests conditional.Garrett D'Amore2024-07-22
| | | | This is in preparation for the wolfSSL integration.
* TLS: Stop making the licensing message a warning - notice is sufficient.Garrett D'Amore2024-07-22
| | | | | Also, while here, prepare for PSK support to be conditional -- it is not necessarily on by default in all future engines (e.g. WolfSSL.)
* TLS: announce which engine we are using (in anticipation of newer TLS engines)Garrett D'Amore2024-07-22
|
* fixes #1846 Add support for TLS PSKGarrett D'Amore2024-07-21
| | | | | | This also adds an SP layer transport test for TLS, based on the TCP test but with some additions; this test does not cover all the edge cases for TLS, but it does at least show how to use it.
* [tls_common] finish conn lock in tls_reapMoi Ran2024-04-14
|
* fixes #1588 TLS should log errorsGarrett D'Amore2024-04-14
| | | | | This isn't complete, but it should go much further in assisting debugging TLS related errors.
* Add missing `nng_tls_config_hold` stub functionMarc Lasch2024-04-13
| | | | | | | | | | | Add the missing stub function implementation for `nng_tls_config_hold`. Fixes an error when loading the library and expecting to have this symbol available. The availability of the symbol can be checked with nm: ``` nm -D cmake-build-release/libnng.so.1.7.3 | grep nng_tls_config_hold ```
* fixes #1771 cmake: respect CMAKE_FIND_PACKAGE_PREFER_CONFIG if presentGarrett D'Amore2024-02-28
|
* fix typo in test for CMAKE_FIND_PACKAGE_PREFER_CONFIGGarrett D'Amore2024-02-17
|
* tls: fix cast to integer warningGarrett D'Amore2024-01-27
|
* Mbed TLS CMake improvements.Garrett D'Amore2024-01-27
| | | | | Try to use the Mbed TLS cmake configuration data if present, and refactor our FindModule to adhere to the same basic API.
* fixes #1673 High CPU usage with TLSGarrett D'Amore2023-12-16
| | | | | | The aio for connections was meant to have an infinite sleep (no timeout), but was getting an initial value of zero, so we were spinning on accept.
* Get common name and subject alternative names of peer certificate (#1617)Christian Fischbach2023-02-08
| | | Co-authored-by: Christian Fischbach <cfischbach@mac.com>
* Fill NNG_PKGS to request nng dependencies from installed location. (#1641)Garrett D'Amore2023-02-05
| | | | Signed-off-by: Andrey Vostrikov <andrey.vostrikov@cogentembedded.com> Co-authored-by: Andrey Vostrikov <andrey.vostrikov@cogentembedded.com>
* Use static initialization for lists and mutexes.Garrett D'Amore2021-12-05
| | | | | | This eliminates some run-time initialization, moving it to compile time. Additional follow up work will expand on this to simplify initialization and reduce the need for certain locks.
* Provide atomic pointer support.Garrett D'Amore2021-12-05
| | | | | This is initially used for TLS to make loading the engine pointer faster, eliminating a much more expensive lock operation.
* fixes #1478 mbedTLS 3.0 is not API compatible with 2.xGarrett D'Amore2021-08-09
|
* fixes #1471 Use of strdup instead of nni_strdup in mbedtls/tls.cGarrett D'Amore2021-07-22
|
* remove extraneous comment, set conn_init static (#1424)Dave Voutila2021-02-17
| | | | | | The comment is an artifact from an old tls_reap function and no longer describes the following function (conn_init). Function conn_init should be marked static.
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-01-18 11:50:44 +0000