From 06d6d80f8c92ef1d3bd7c00c919e10a411183cb3 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Sun, 5 Oct 2025 16:51:15 -0700
Subject: fixes #2173 New TLS cert API - replaces the properties for CN and ALTNAMES.
This will replace the NNG_OPT_TLS_PEER_ALTNAMES and NNG_OPT_TLS_PEER_CN properties, and gives a bit more access to the certificate, as well as direct access to the raw DER form, which should allow use in other APIs.
---
src/core/defs.h | 2 +-
src/core/pipe.c | 9 +++++++++
src/core/pipe.h | 3 +++
src/core/sockfd.h | 2 +-
src/core/stream.c | 20 +++++++++++++++-----
src/core/stream.h | 1 +
src/core/tcp.h | 2 +-
7 files changed, 31 insertions(+), 8 deletions(-)
(limited to 'src/core')
diff --git a/src/core/defs.h b/src/core/defs.h
index 64a43a04..23c17d8b 100644
--- a/src/core/defs.h
+++ b/src/core/defs.h
@@ -14,7 +14,7 @@
 #include
 #include
-#include
+#include "nng/nng.h"
 // C compilers may get unhappy when named arguments are not used. While
 // there are things like __attribute__((unused)) which are arguably
diff --git a/src/core/pipe.c b/src/core/pipe.c
index bfc272b3..db2c4d41 100644
--- a/src/core/pipe.c
+++ b/src/core/pipe.c
@@ -430,3 +430,12 @@ nni_pipe_peer_addr(nni_pipe *p, char buf[NNG_MAXADDRSTRLEN])
 nng_str_sockaddr(&sa, buf, NNG_MAXADDRSTRLEN);
 return (buf);
 }
+
+nng_err
+nni_pipe_peer_cert(nni_pipe *p, nng_tls_cert **certp)
+{
+ if (p->p_tran_ops.p_peer_cert == NULL) {
+ return (NNG_ENOTSUP);
+ }
+ return (p->p_tran_ops.p_peer_cert(p->p_tran_data, certp));
+}
diff --git a/src/core/pipe.h b/src/core/pipe.h
index b9a13a68..4ed61660 100644
--- a/src/core/pipe.h
+++ b/src/core/pipe.h
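Review bot: `nni_pipe_peer_cert` returns NNG_ENOTSUP without writing `*certp`, so a caller that inspects the out-pointer instead of the return code sees whatever was in it before the call; I'd set `*certp = NULL;` ahead of the early return, and the same applies to `nng_stream_peer_cert` in src/core/stream.c. The `p_peer_cert` member of `p_tran_ops` that this dispatches through is not part of this diff (the listing is limited to src/core), so I can't confirm here that every transport leaves it NULL when certificates are unsupported, which the NULL check relies on.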
@@ -39,6 +39,9 @@ extern uint16_t nni_pipe_peer(nni_pipe *);
 extern nng_err nni_pipe_getopt( nni_pipe *, const char *, void *, size_t *, nni_opt_type);
+// nni_pipe_peer_cert obtains the peer TLS certificate, if available.
+extern nng_err nni_pipe_peer_cert(nni_pipe *, nng_tls_cert **);
+
 // nni_pipe_find finds a pipe given its ID. It places a hold on the
 // pipe, which must be released by the caller when it is done.
 extern nng_err nni_pipe_find(nni_pipe **, uint32_t);
diff --git a/src/core/sockfd.h b/src/core/sockfd.h
index 8985c009..3b39ee60 100644
--- a/src/core/sockfd.h
+++ b/src/core/sockfd.h
@@ -10,7 +10,7 @@
 #ifndef CORE_FDC_H
 #define CORE_FDC_H
-#include "core/nng_impl.h"
+#include "nng/nng.h"
 // the nni_sfd_conn struct is provided by platform code to wrap
 // an arbitrary byte stream file descriptor (UNIX) or handle (Windows)
diff --git a/src/core/stream.c b/src/core/stream.c
index e0da3582..61a8a3ba 100644
--- a/src/core/stream.c
+++ b/src/core/stream.c
@@ -12,12 +12,13 @@
 #include
-#include "core/nng_impl.h"
+#include "nng_impl.h"
-#include "core/sockfd.h"
-#include "core/tcp.h"
-#include "supplemental/tls/tls_api.h"
-#include "supplemental/websocket/websocket.h"
+#include "sockfd.h"
+#include "tcp.h"
+
+#include "../supplemental/tls/tls_api.h"
+#include "../supplemental/websocket/websocket.h"
 static struct {
 const char *scheme;
@@ -384,6 +385,15 @@ nng_stream_get_addr(nng_stream *s, const char *n, nng_sockaddr *v)
 return (nni_stream_get(s, n, v, NULL, NNI_TYPE_SOCKADDR));
 }
+nng_err
+nng_stream_peer_cert(nng_stream *s, nng_tls_cert **certp)
+{
+ if (s->s_peer_cert == NULL) {
+ return (NNG_ENOTSUP);
+ }
+ return (s->s_peer_cert(s, certp));
+}
+
 nng_err
 nng_stream_dialer_get_int(nng_stream_dialer *d, const char *n, int *v)
 {
diff --git a/src/core/stream.h b/src/core/stream.h
index 83c121cd..a9a17ec1 100644
--- a/src/core/stream.h
+++ b/src/core/stream.h
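Review bot: The comment on the new `nni_pipe_peer_cert` declaration says the certificate is obtained 'if available' but not who owns the result: whether the caller must release the `nng_tls_cert` (and how), or whether it is borrowed from the pipe and valid only while the pipe is held. That ownership rule is exactly what callers of an internal API need, and it is not recoverable from this change. I'd extend the comment to state the ownership and lifetime of `*certp` and that NNG_ENOTSUP is returned when the transport does not provide certificates.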
@@ -50,6 +50,7 @@ struct nng_stream {
 void (*s_send)(void *, nng_aio *);
 nng_err (*s_get)(void *, const char *, void *, size_t *, nni_type);
 nng_err (*s_set)(void *, const char *, const void *, size_t, nni_type);
+ nng_err (*s_peer_cert)(void *, nng_tls_cert **);
 };
 // Dialer implementation. Stream dialers create streams.
diff --git a/src/core/tcp.h b/src/core/tcp.h
index cc41dfac..58cac45a 100644
--- a/src/core/tcp.h
+++ b/src/core/tcp.h
@@ -10,7 +10,7 @@
 #ifndef CORE_TCP_H
 #define CORE_TCP_H
-#include "core/nng_impl.h"
+#include "nng/nng.h"
 // These are interfaces we use for TCP internally. These are not exposed
 // to the public API.
--
cgit v1.2.3-70-g09d2
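Review bot: The new `s_peer_cert` slot in `struct nng_stream` carries no comment, yet `nng_stream_peer_cert` (src/core/stream.c) calls through it after only a NULL check, so every stream implementation that lacks certificate support has to leave the field NULL. That is only guaranteed if each implementation zero-initializes its embedded `nng_stream` or assigns the member explicitly; none of the implementations are in this diff, so it is worth confirming before the struct change lands. I'd document the contract on the field itself: `nng_err (*s_peer_cert)(void *, nng_tls_cert **); // NULL when the stream has no peer cert`.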