From 0aeed90d9a85eaf6f00e81c6f5f69a7ed9fec8c6 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Sat, 20 Jul 2024 16:47:25 -0700
Subject: fixes #1846 Add support for TLS PSK
This also adds an SP layer transport test for TLS, based on the TCP test but with some additions; this test does not cover all the edge cases for TLS, but it does at least show how to use it.
---
 include/nng/supplemental/tls/engine.h | 13 ++++++++++---
 include/nng/supplemental/tls/tls.h | 12 +++++++++++-
 2 files changed, 21 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/nng/supplemental/tls/engine.h b/include/nng/supplemental/tls/engine.h
index 309d83c5..5bfe339d 100644
--- a/include/nng/supplemental/tls/engine.h
+++ b/include/nng/supplemental/tls/engine.h
@@ -1,5 +1,5 @@
 //
-// Copyright 2020 Staysail Systems, Inc.
+// Copyright 2024 Staysail Systems, Inc.
 //
 // This software is supplied under the terms of the MIT License, a
 // copy of which should be located in the distribution where this
@@ -150,6 +150,12 @@ typedef struct nng_tls_engine_config_ops_s {
 int (*own_cert)(
 nng_tls_engine_config *, const char *, const char *, const char *);
+ // psk configures a PSK identity and key. This can be called
+ // once for clients, or multiple times for servers. However, not all
+ // implementations support multiple PSKs for a server.
+ int (*psk)(
+ nng_tls_engine_config *, const char *, const uint8_t *, size_t);
+
 // version configures the minimum and maximum TLS versions. The
 // engine should default to supporting TLS1.0 through 1.2, and
 // optionally 1.3 if it can. The engine should restrict the
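Review bot: The new `psk` callback in `nng_tls_engine_config_ops_s` does not say who owns the key bytes after the call returns, nor how an engine should report a second PSK it cannot store, and engines are the parties that must implement this contract. The core may well hand the engine the buffer it received from `nng_tls_config_psk` and discard its own copy afterward, so the engine should copy the key rather than retain the pointer; the comment should state this, and also that the identity is presumably a NUL-terminated string, since the prototype alone does not say. I would extend the comment with `// The engine must copy the key; the caller does not keep it alive. If another` / `// PSK cannot be stored (e.g. a second one on a client), return an error such as NNG_ENOTSUP.` The key is secret material, so an engine that copies it should also wipe that copy when the configuration is released.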
@@ -163,8 +169,9 @@ typedef struct nng_tls_engine_config_ops_s {
 typedef enum nng_tls_engine_version_e {
 NNG_TLS_ENGINE_V0 = 0,
- NNG_TLS_ENGINE_V1 = 1,
- NNG_TLS_ENGINE_VERSION = NNG_TLS_ENGINE_V1,
+ NNG_TLS_ENGINE_V1 = 1, // adds FIPS, TLS 1.3 support
+ NNG_TLS_ENGINE_V2 = 2, // adds PSK support
+ NNG_TLS_ENGINE_VERSION = NNG_TLS_ENGINE_V2,
 } nng_tls_engine_version;
 typedef struct nng_tls_engine_s {
diff --git a/include/nng/supplemental/tls/tls.h b/include/nng/supplemental/tls/tls.h
index e547f8ee..e66f5a32 100644
--- a/include/nng/supplemental/tls/tls.h
+++ b/include/nng/supplemental/tls/tls.h
@@ -1,5 +1,5 @@
 //
-// Copyright 2020 Staysail Systems, Inc.
+// Copyright 2024 Staysail Systems, Inc.
 // Copyright 2018 Capitar IT Group BV
 //
 // This software is supplied under the terms of the MIT License, a
@@ -18,6 +18,8 @@ extern "C" {
 #include
 #include
+#include
+
 // Note that TLS functions may be stubbed out if TLS is not enabled in
 // the build.
@@ -116,6 +118,14 @@ NNG_DECL int nng_tls_config_ca_file(nng_tls_config *, const char *);
 NNG_DECL int nng_tls_config_cert_key_file(
 nng_tls_config *, const char *, const char *);
+// nng_tls_config_psk_identity is used to pass TLS PSK parameters. The
+// identity, and an associated key. Clients can only do this once.
+// Servers can do it multiple times, potentially, to provide for different
+// keys for different client identities. There is no way to remove these
+// from a configuration.
+NNG_DECL int nng_tls_config_psk(
+ nng_tls_config *, const char *, const uint8_t *, size_t);
+
 // Configure supported TLS version. By default we usually restrict
 // ourselves to TLS 1.2 and newer. We do not support older versions.
 // If the implementation cannot support any version (for example if
--
cgit v1.2.3-70-g09d2
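Review bot: Inserting `psk` ahead of `version` in `nng_tls_engine_config_ops_s` (the preceding hunk) changes that struct's layout, so an engine built against a V1 header has its `version` slot where a V2 core now expects `psk`; the enum bump records a new version but not that the two layouts are incompatible. Presumably the engine registration code rejects engines whose reported version differs from `NNG_TLS_ENGINE_VERSION`, but that check is not part of this diff, so the header should carry the constraint itself. I would make it explicit on the new enumerator: `NNG_TLS_ENGINE_V2 = 2, // adds PSK support; psk op inserted into config ops, so V1 engines are not layout compatible`.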
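Review bot: The comment above the new declaration names `nng_tls_config_psk_identity`, but the function declared is `nng_tls_config_psk`, and its second sentence ("The identity, and an associated key.") is a fragment. The comment also omits what a caller needs to handle the key safely: whether the library copies the key (so the caller may clear its own buffer right after the call), that the identity is a string, and that the trailing `size_t` is the key length in bytes, none of which the prototype alone conveys. I would rewrite the block to open with the actual function name, state those three points, and keep the existing once-for-clients, repeatable-for-servers and no-removal statements. Separately, the `#include` added in the earlier hunk lost its header name in this rendering; it presumably supplies `uint8_t` for this prototype, which is worth confirming against the actual file.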