| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
The protocol here needs to know and respect message boundaries.
|
| |
|
|
|
|
|
|
|
|
|
| |
More direct access methods are provided instead.
This results in much lower friction when using, and is a step on the path
to removing NNG_OPT_LOCADDR as well.
We need to figure a solution for NNG_OPT_LOCADDR for dialers; for
listeners there is little use in it either, and it will be removed.
(Dialers will probably get a new NNG_OPT_BIND_IP option.)
|
| |
|
|
|
|
|
|
|
|
| |
This is easier and agnostic about the underlying L3 protocol.
We plan to remove direct NNG_OPT_LOCADDR support from listeners
(and probably both NNG_OPT_LOCADDR and NNG_OPT_REMADDR have numbered
days left in their lifetime. They will be replaced with more direct
typed access functions as has been done for pipes already.)
While here fixed some include for IWYU in the POSIX platform.
|
| |
|
|
| |
These functions can no longer fail.
|
| |
|
|
|
|
|
|
| |
This is going to be used to facilitate debugging, and eliminate some
inconveniences around these things. We plan to move the pipe functions
to use these directly, hopefully moving away from the pipe_getopt hack.
(The transport API will need to grow these. For now this is just the
streams.)
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We are *only* supporting 3.5 (or newer 3.x releases) as its the newest LTS version of OpenSSL.
This supports the full set of TLS features with NNG, including DTLS, PSK, TLS 1.3, etc.
Future work will explore making using of the QUIC support in OpenSSL.
Note that this OpenSSL work sits on top of NNG's TCP streams, so it cannot benefit from
Linux in-kernel TLS or other features such as TCP fast open at this time.
|
| |
|
|
|
|
| |
This will replace the NNG_OPT_TLS_PEER_ALTNAMES and NNG_OPT_TLS_PEER_CN
properties, and gives a bit more access to the certificate, as well as
direct access to the raw DER form, which should allow use in other APIs.
|
| |
|
|
|
|
| |
Also, some instances nni_aio are changed to nng_aio. We think we want to harmonize
some of these types going forward as it will reduce the need to include headers
hopefully letting us get away with just "defs.h" in more places.
|
| |
|
|
|
|
|
| |
This also provides an implementation for getting ALT names, although
nothing uses that yet. We plan to provide a new certificate API to
replace these with a nicer API, as obtaining the full list of certs
may be unreasonable.
|
| |
|
|
| |
Warning level was just too noisy.
|
| |
|
|
| |
The ECONNREFUSED result was causing consternation for some consumers.
|
| | |
|
| |
|
|
| |
This may resolve a surprising NULL pointer dereference.
|
| | |
|
| |
|
|
|
| |
This saves some atomic lookups, and avoids possible races when the
engine is not yet initialized or being torn down.
|
| |
|
|
|
| |
We never use or test this code, and its better to not have it if
nobody is using it.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An explicit call to `mbedtls_ssl_set_hostname(NULL)` is now required if the hostname should not be verified in handshake. From the mbedtls changelog:
```
= Mbed TLS 3.6.3 branch released 2025-03-24
Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a new experimental transport for DTLS, that
provides encryption over UDP. It has a simpler protocol than
the current UDP SP protocol (but we intend to fix that by making
the UDP transport simpler in a follow up!)
There are a few other fixes in the TLS layer itself, and in
the build, that were needed to accomplish this work.
Also there was an endianness bug in the UDP protocol handling, which
is fixed here.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This is part of our work to improve type safety/awareness, and also
improve debugger support, for NNG error codes. There are still quite
a few more but this should help.
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows us to break the assumption that the bottom half is
TCP, or even an nng_stream, since the DTLS layer will use a totally
different layer. Only nng_stream neeeds to support dial and listen.
Also: UDP: Make the sockaddr arguments to open const.
Also: Align the IPv6 address in the sockaddr (this allows for
efficient 64-bit or even 128-bit operations on these values.)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Using nng_find_package as the helper fixes this, by ensuring that the
dependency gets properly added to incorporating projects.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows us to explicitly stop streams, dialers, and listeners,
before we start tearing down things. This hopefully will be useful
in resolving use-after-free bugs in http, tls, and websockets.
The new functions are not yet documented, but they are
nng_stream_stop, nng_stream_dialer_stop, and nng_stream_listener_stop.
They should be called after close, and before free. The close
functions now close without blocking, but the stop function is
allowed to block.
|
| |
|
|
|
| |
Temporarily we have removed access to the peer alt names, but
that was never used and was not tested (it also didn't work with WolfSSL.)
|
| |
|
|
|
|
|
|
| |
Also, make it clearer that TLS keys and certificates can only
be set once on a configuration. (mbedTLS makes this confusing!)
This mutual test is only fully validated on mbed, because wolfSSL
seems to not properly validate this in many configurations.
|
| |
|
|
| |
Also add a test case for mismatch verify.
|
| | |
|
| |
|
|
|
| |
Those old algorithms are not used anywhere, and are not recommended.
TLS 1.2 support has been prevalent for over a decade.
|
| |
|
|
|
|
|
|
|
| |
Applications must now call nng_init(), but they can supply
a set of parameters optionally. The code is now safe for
multiple libraries to do this concurrently, meaning nng_fini
no longer can race against another instance starting up.
The nni_init checks on all public APIs are removed now.
|
| |
|
|
| |
This also covers a few test cases that we were missing.
|
| |
|
|
| |
This is simpler, and more reliable than using socket options.
|
| |
|
|
| |
This was not really used or useful.
|
| |
|
|
|
|
|
|
| |
This is a breaking change.
TLS configuration changes are to be made using TLS configuration
objects, and then set on a listener or dialer with NNG_OPT_TLS_CONFIG.
This should be a bit less racy, and allows for simpler code.
|
| |
|
|
|
| |
This requires using a supporting version of Mbed TLS.
We have to use PSA crypto for TLS 1.3.
|
| |
|
|
| |
as NNG and add PSK
|
| |
|
|
| |
This is in preparation for the wolfSSL integration.
|
| |
|
|
|
| |
Also, while here, prepare for PSK support to be conditional -- it is not
necessarily on by default in all future engines (e.g. WolfSSL.)
|
| | |
|
| |
|
|
|
|
| |
This also adds an SP layer transport test for TLS, based on the TCP
test but with some additions; this test does not cover all the edge
cases for TLS, but it does at least show how to use it.
|
| | |
|
| |
|
|
|
| |
This isn't complete, but it should go much further in assisting
debugging TLS related errors.
|
