From 6dddc0bfcb79615b8be470a5e16918360d57cadb Mon Sep 17 00:00:00 2001 From: Garrett D'Amore Date: Tue, 9 Jan 2018 18:42:28 -0800 Subject: fixes #186 Suggested API changes for nng TLS certs --- src/transport/tls/tls.c | 113 ------------------------------------------------ src/transport/tls/tls.h | 38 ++-------------- 2 files changed, 4 insertions(+), 147 deletions(-) (limited to 'src/transport') diff --git a/src/transport/tls/tls.c b/src/transport/tls/tls.c index 31426a78..408ff50c 100644 --- a/src/transport/tls/tls.c +++ b/src/transport/tls/tls.c @@ -842,93 +842,6 @@ tls_getopt_config(void *arg, void *v, size_t *szp) return (nni_getopt_ptr(ep->cfg, v, szp)); } -static int -tls_setopt_ca_cert(void *arg, const void *data, size_t sz) -{ - nni_tls_ep *ep = arg; - - if (ep == NULL) { - return (0); - } - return (nng_tls_config_ca_cert(ep->cfg, data, sz)); -} - -static int -tls_setopt_cert(void *arg, const void *data, size_t sz) -{ - nni_tls_ep *ep = arg; - - if (ep == NULL) { - return (0); - } - return (nng_tls_config_cert(ep->cfg, data, sz)); -} - -static int -tls_setopt_private_key(void *arg, const void *data, size_t sz) -{ - nni_tls_ep *ep = arg; - - if (ep == NULL) { - return (0); - } - return (nng_tls_config_key(ep->cfg, data, sz)); -} - -static int -tls_setopt_pass(void *arg, const void *data, size_t sz) -{ - nni_tls_ep *ep = arg; - size_t len; - - len = nni_strnlen(data, sz); - if (len >= sz) { - return (NNG_EINVAL); - } - - if (ep == NULL) { - return (0); - } - return (nng_tls_config_pass(ep->cfg, data)); -} - -static int -tls_getopt_auth_mode(void *arg, void *v, size_t *szp) -{ - nni_tls_ep *ep = arg; - return (nni_getopt_int(ep->authmode, v, szp)); -} - -static int -tls_setopt_auth_mode(void *arg, const void *data, size_t sz) -{ - nni_tls_ep *ep = arg; - int mode; - int rv; - - rv = nni_setopt_int(&mode, data, sz, -100, 100); - if (rv == 0) { - switch (mode) { - case NNG_TLS_AUTH_MODE_NONE: - case NNG_TLS_AUTH_MODE_OPTIONAL: - case NNG_TLS_AUTH_MODE_REQUIRED: - break; - default: - rv = NNG_EINVAL; - break; - } - } - - if ((ep == NULL) || (rv != 0)) { - return (rv); - } - - if ((rv = nng_tls_config_auth_mode(ep->cfg, mode)) == 0) { - ep->authmode = mode; - } - return (rv); -} - static int tls_getopt_verified(void *arg, void *v, size_t *szp) { @@ -973,32 +886,6 @@ static nni_tran_ep_option nni_tls_ep_options[] = { .eo_getopt = tls_getopt_config, .eo_setopt = tls_setopt_config, }, - { - .eo_name = NNG_OPT_TLS_CA_CERT, - .eo_getopt = NULL, - .eo_setopt = tls_setopt_ca_cert, - }, - { - .eo_name = NNG_OPT_TLS_CERT, - .eo_getopt = NULL, - .eo_setopt = tls_setopt_cert, - }, - { - .eo_name = NNG_OPT_TLS_PRIVATE_KEY, - .eo_getopt = NULL, - .eo_setopt = tls_setopt_private_key, - }, - { - .eo_name = NNG_OPT_TLS_PRIVATE_KEY_PASSWORD, - .eo_getopt = NULL, - .eo_setopt = tls_setopt_pass, - }, - { - .eo_name = NNG_OPT_TLS_AUTH_MODE, - .eo_getopt = tls_getopt_auth_mode, - .eo_setopt = tls_setopt_auth_mode, - }, - // terminate list { NULL, NULL, NULL }, }; diff --git a/src/transport/tls/tls.h b/src/transport/tls/tls.h index b36ee774..25edfa3a 100644 --- a/src/transport/tls/tls.h +++ b/src/transport/tls/tls.h @@ -1,6 +1,6 @@ // -// Copyright 2017 Staysail Systems, Inc. -// Copyright 2017 Capitar IT Group BV +// Copyright 2018 Staysail Systems, Inc. +// Copyright 2018 Capitar IT Group BV // // This software is supplied under the terms of the MIT License, a // copy of which should be located in the distribution where this @@ -19,42 +19,12 @@ NNG_DECL int nng_tls_register(void); // started. Once started, it is no longer possible to alter the TLS // configuration. -// NNG_OPT_TLS_CA_CERT is a string with one or more X.509 certificates, -// representing the entire CA chain. The content may be either PEM or DER -// encoded. -#define NNG_OPT_TLS_CA_CERT "tls:ca-cert" - -// NNG_OPT_TLS_CRL is a PEM encoded CRL (revocation list). Multiple lists -// may be loaded by using this option multiple times. -#define NNG_OPT_TLS_CRL "tls:crl" - -// NNG_OPT_TLS_CERT is used to specify our own certificate. At present -// only one certificate may be supplied. (In the future it may be -// possible to call this multiple times, for servers that select different -// certificates depending upon client capabilities.) -#define NNG_OPT_TLS_CERT "tls:cert" - -// NNG_OPT_TLS_PRIVATE_KEY is used to specify the private key used -// with the given certificate. This should be called after setting -// the certificate. The private key may be in PEM or DER format. -// If in PEM encoded, a terminating ZERO byte should be included. -#define NNG_OPT_TLS_PRIVATE_KEY "tls:private-key" - -// NNG_OPT_TLS_PRIVATE_KEY_PASSWORD is used to specify a password -// used for the private key. The value is an ASCIIZ string. -#define NNG_OPT_TLS_PRIVATE_KEY_PASSWORD "tls:private-key-password" - -// NNG_OPT_TLS_AUTH_MODE is an integer indicating whether our -// peer should be verified or not. It is required on clients/dialers, -// and off on servers/listeners, by default. -#define NNG_OPT_TLS_AUTH_MODE "tls:auth-mode" - // NNG_OPT_TLS_AUTH_VERIFIED is a boolean that can be read on pipes, // indicating whether the peer certificate is verified. #define NNG_OPT_TLS_AUTH_VERIFIED "tls:auth-verified" +// NNG_OPT_TLS_CONFIG is used to access the underlying configuration +// (an nng_tls_config *). #define NNG_OPT_TLS_CONFIG "tls:config" -// XXX: TBD: Ciphersuite selection and reporting. Session reuse? - #endif // NNG_TRANSPORT_TLS_TLS_H -- cgit v1.2.3-70-g09d2