From 02178a8b5843a2c5a59fb7b104e4f9f5df1ff5ee Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Thu, 9 Nov 2017 14:09:14 -0800
Subject: fixes #3 TLS transport
This introduces a new transport (compatible with the TLS transport from mangos), using TLS v1.2. To use the new transport, you must have the mbed TLS library available on your system (Xenial libmbedtls-dev). You can use version 2.x or newer -- 1.3.x and PolarSSL versions are not supported. You enable the TLS transport with -DNNG_TRANSPORT_TLS=ON in the CMake configuration. You must configure the server certificate by default, and this can only be done using nng options. See the nng_tls man page for details. This work is experimental, and was made possible by Capitar IT Group BV, and Staysail Systems, Inc.
---
src/supplemental/mbedtls/CMakeLists.txt | 54 +++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 src/supplemental/mbedtls/CMakeLists.txt
(limited to 'src/supplemental/mbedtls/CMakeLists.txt')
diff --git a/src/supplemental/mbedtls/CMakeLists.txt b/src/supplemental/mbedtls/CMakeLists.txt
new file mode 100644
index 00000000..5c2de10b
--- /dev/null
+++ b/src/supplemental/mbedtls/CMakeLists.txt
@@ -0,0 +1,54 @@
+#
+# Copyright 2017 Garrett D'Amore
+# Copyright 2017 Capitar IT Group BV
+#
+# This software is supplied under the terms of the MIT License, a
+# copy of which should be located in the distribution where this
+# file was obtained (LICENSE.txt). A copy of the license may also be
+# found online at https://opensource.org/licenses/MIT.
+#
+
+# MBEDTLS library
+
+# This requires the mbedTLS library be installed somewhere. You can
+# point this at a suitable installation of mbedTLS by setting
+# MBEDTLS_ROOT_DIR to point at the root of the installation (prefix).
+
+# It is possible to minimize the mbedTLS library quite a bit. We do
+# not require legacy algorithms, the net_sockets layer, the filesystem
+# I/O, as well as various other tidbits. We provide an entropy source,
+# so you can disable that in mbedTLS too. You may disable fallback support,
+# as we only support TLS v1.2 at present. (You may also therefore remove
+# code to support older versions of TLS/SSL.) You may also remove DTLS,
+# since we're not using it now (nor are we likely to in the near feature).
+# Also you may remove support for ZLIB compression, we don't use it either
+# (and it would be insecure to do so.) PEM and X509 writing (encoding)
+# is not needed (but parse support is!) You may also remove session support,
+# as we don't use that either.
+#
+# (Look for a sample config.h in this directory, if you want to build
+# a minimized version just for nng.)
+
+# What we do require is support for TLSv1.2
+
+if (NNG_MBEDTLS_ENABLE)
+ set(SUPP_SOURCES supplemental/mbedtls/tls.c supplemental/tls.h)
+ Find_Package(mbedTLS REQUIRED)
+
+ # If it isn't already in the link list, add the TLS libraries there.
+ # or something, so we take care not to duplicate it).
+ list(FIND NNG_REQUIRED_LIBRARIES ${MBEDTLS_TLS_LIBRARY} _index)
+ if (_index EQUAL -1)
+ set(NNG_REQUIRED_LIBRARIES ${NNG_REQUIRED_LIBRARIES} ${MBEDTLS_LIBRARIES})
+ set(NNG_REQUIRED_LIBRARIES ${NNG_REQUIRED_LIBRARIES} PARENT_SCOPE)
+ endif()
+
+ # Likewise for the include search path.
+ list(FIND NNG_REQUIRED_INCLUDES ${MBEDTLS_INCLUDE_DIR} _index)
+ if (_index EQUAL -1)
+ set(NNG_REQUIRED_INCLUDES ${NNG_REQUIRED_INCLUDES} ${MBEDTLS_INCLUDE_DIR})
+ set(NNG_REQUIRED_INCLUDES ${NNG_REQUIRED_INCLUDES} PARENT_SCOPE)
+ endif()
+endif()
+
+set(NNG_SOURCES ${NNG_SOURCES} ${SUPP_SOURCES} PARENT_SCOPE)
-- cgit v1.2.3-70-g09d2
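Review bot: `Find_Package(mbedTLS REQUIRED)` accepts whatever mbedTLS the find module locates, including one reached through `MBEDTLS_ROOT_DIR`, although the commit message says 1.3.x and PolarSSL are unsupported; an outdated TLS library would pass configuration and only fail or misbehave later. If the find module reports a version, request it here with `find_package(mbedTLS 2.0 REQUIRED)`; otherwise add a configure-time version check that ends in `message(FATAL_ERROR ...)`. Separately, the duplicate guard searches for `${MBEDTLS_TLS_LIBRARY}` but appends `${MBEDTLS_LIBRARIES}`, and the unquoted expansion yields a malformed `list(FIND ...)` call if that variable is empty; `list(FIND NNG_REQUIRED_LIBRARIES "${MBEDTLS_TLS_LIBRARY}" _index)` avoids the latter. The find module is not part of this hunk, so which variables it actually sets is inferred from the names used here.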