TLS configuration changed to use discret _set_tls and _get_tls functi…

…ons. This is simpler, and more reliable than using socket options.
nanomsg · Nov 10, 2024 · 0058b76 · 0058b76
1 parent 150d80c
commit 0058b76
Show file tree

Hide file tree

Showing 25 changed files with 525 additions and 294 deletions.
diff --git a/docs/man/nng_tls.7.adoc b/docs/man/nng_tls.7.adoc
@@ -107,7 +107,6 @@ Note that setting these must be done before the transport is started.
 * xref:nng_options.5.adoc#NNG_OPT_REMADDR[`NNG_OPT_REMADDR`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_KEEPALIVE[`NNG_OPT_TCP_KEEPALIVE`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_NODELAY[`NNG_OPT_TCP_NODELAY`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CONFIG[`NNG_OPT_TLS_CONFIG`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_VERIFIED[`NNG_OPT_TLS_VERIFIED_`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_PEER_CN[`NNG_OPT_TLS_PEER_CN`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_PEER_ALT_NAMES[`NNG_OPT_TLS_PEER_ALT_NAMES`]

diff --git a/docs/man/nng_tls_options.5.adoc b/docs/man/nng_tls_options.5.adoc
@@ -20,7 +20,6 @@ nng_tls_options - TLS-specific options
 ----
 #include <nng/nng.h>
 
-#define NNG_OPT_TLS_CONFIG         "tls-config"
 #define NNG_OPT_TLS_VERIFIED       "tls-verified"
 #define NNG_OPT_TLS_PEER_CN        "tls-peer-cn"
 #define NNG_OPT_TLS_PEER_ALT_NAMES "tls-peer-alt-names"
@@ -43,18 +42,18 @@ description of the option.
 
 === TLS Options
 
-[[NNG_OPT_TLS_CONFIG]]((`NNG_OPT_TLS_CONFIG`))::
-(`nng_tls_config *`)
-This option references the underlying
-xref:nng_tls_config.5.adoc[TLS configuration object].
-A hold is placed on the underlying
-configuration object before returning it.
-+
-NOTE: The caller should release the hold with
-xref:nng_tls_config_free.3tls.adoc[`nng_tls_config_free()`] when it no
-longer needs the TLS configuration object.
-+
-TIP: Use this option when more advanced TLS configuration is required.
+// [[NNG_OPT_TLS_CONFIG]]((`NNG_OPT_TLS_CONFIG`))::
+// (`nng_tls_config *`)
+// This option references the underlying
+// xref:nng_tls_config.5.adoc[TLS configuration object].
+// A hold is placed on the underlying
+// configuration object before returning it.
+// +
+// NOTE: The caller should release the hold with
+// xref:nng_tls_config_free.3tls.adoc[`nng_tls_config_free()`] when it no
+// longer needs the TLS configuration object.
+// +
+// TIP: Use this option when more advanced TLS configuration is required.
 
 [[NNG_OPT_TLS_VERIFIED]]((`NNG_OPT_TLS_VERIFIED`))::
 (`bool`)

diff --git a/docs/man/nng_ws.7.adoc b/docs/man/nng_ws.7.adoc
@@ -145,17 +145,17 @@ When set, the stream will send TEXT frames instead of BINARY frames.
 NOTE: NNG does not check the frame data, and will attempt to send whatever the client requests.
 Peers that are compliant with RFC 6455 will discard TEXT frames (and break the connection) if they do not contain valid UTF-8.
 
-((`NNG_OPT_TLS_CONFIG`))::
+// ((`NNG_OPT_TLS_CONFIG`))::
 
-(`nng_tls_config *`) The underlying TLS
-configuration object for `wss://` endpoints.
-A hold is placed on the underlying
-configuration object before returning it.
-The caller should release the object with
-xref:nng_tls_config_free.3tls.adoc[`nng_tls_config_free()`] when it no
-longer needs the TLS configuration.
+// (`nng_tls_config *`) The underlying TLS
+// configuration object for `wss://` endpoints.
+// A hold is placed on the underlying
+// configuration object before returning it.
+// The caller should release the object with
+// xref:nng_tls_config_free.3tls.adoc[`nng_tls_config_free()`] when it no
+// longer needs the TLS configuration.
 
-TIP: Use this option when advanced TLS configuration is required.
+// TIP: Use this option when advanced TLS configuration is required.
 
 `NNG_OPT_TLS_VERIFIED`::
 (`bool`) Whether the remote peer has been properly verified using TLS

diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
@@ -33,14 +33,21 @@ The `NNG_OPT_WSS_REQUEST_HEADERS` and `NNG_OPT_WSS_RESPONSE_HEADERS` aliases for
 Just convert any use of them to `NNG_OPT_WS_REQUEST_HEADERS` or
 `NNG_OPT_WS_RESPONSE_HEADERS` as appropriate.
 
-## TLS Options
+## TLS Configuration
 
-The support for configuring TLS via `NNG_TLS_AUTH_MODE`, `NNG_OPT_TLS_CA_FILE`, `NNG_OPT_TLS_SERVER_NAME`,
-and similar has been removed. Instead configuration must be performed by allocating
+The support for configuring TLS via `NNG_OPT_TLS_CONFIG`, `NNG_TLS_AUTH_MODE`, `NNG_OPT_TLS_CA_FILE`,
+`NNG_OPT_TLS_SERVER_NAME`, and similar has been removed.
+
+Instead configuration must be performed by allocating
 a `nng_tls_config` object, and then setting fields on it using the appropriate functions,
-after which it may be configured on a listener or dialer using the `NNG_OPT_TLS_CONFIG` option.
+after which it may be configured on a listener or dialer using the [`nng_listener_set_tls`]
+or [`nng_dialer_set_tls`] functions.
+
+Likewise, when using the streams API, use the [`nng_stream_listener_set_tls`] or
+[`nng_stream_dialer_set_tls`] functions.
 
-Note that TLS configuration is now available in `<nng/nng.h>`, rather than the supplemental header.
+Note that the declarations needed for TLS configuration are now available in `<nng/nng.h>`,
+rather than the supplemental header.
 
 ## Option Functions
 

diff --git a/docs/ref/xref.md b/docs/ref/xref.md
@@ -78,6 +78,14 @@
 [`nng_sub0_ctx_unsubscribe`]: /TODO.md
 [`nng_sub0_socket_subscribe`]: /TODO.md
 [`nng_sub0_socket_unsubscribe`]: /TODO.md
+[`nng_dialer_set_tls`]: /TODO.md
+[`nng_dialer_get_tls`]: /TODO.md
+[`nng_listener_set_tls`]: /TODO.md
+[`nng_listener_get_tls`]: /TODO.md
+[`nng_stream_dialer_set_tls`]: /TODO.md
+[`nng_stream_dialer_get_tls`]: /TODO.md
+[`nng_stream_listener_set_tls`]: /TODO.md
+[`nng_stream_listener_get_tls`]: /TODO.md
 [`nng_opts_parse`]: /api/cmd_opts.md#parse-command-line-options
 [`nng_aio_begin`]: /TODO.md
 [`nng_aio_defer`]: /TODO.md

diff --git a/include/nng/nng.h b/include/nng/nng.h
@@ -357,6 +357,7 @@ NNG_DECL int nng_dialer_set_ptr(nng_dialer, const char *, void *);
 NNG_DECL int nng_dialer_set_ms(nng_dialer, const char *, nng_duration);
 NNG_DECL int nng_dialer_set_addr(
     nng_dialer, const char *, const nng_sockaddr *);
+NNG_DECL int nng_dialer_set_tls(nng_dialer, nng_tls_config *);
 
 NNG_DECL int nng_dialer_get_bool(nng_dialer, const char *, bool *);
 NNG_DECL int nng_dialer_get_int(nng_dialer, const char *, int *);
@@ -366,6 +367,7 @@ NNG_DECL int nng_dialer_get_string(nng_dialer, const char *, char **);
 NNG_DECL int nng_dialer_get_ptr(nng_dialer, const char *, void **);
 NNG_DECL int nng_dialer_get_ms(nng_dialer, const char *, nng_duration *);
 NNG_DECL int nng_dialer_get_addr(nng_dialer, const char *, nng_sockaddr *);
+NNG_DECL int nng_dialer_get_tls(nng_dialer, nng_tls_config **);
 
 NNG_DECL int nng_listener_set_bool(nng_listener, const char *, bool);
 NNG_DECL int nng_listener_set_int(nng_listener, const char *, int);
@@ -376,6 +378,7 @@ NNG_DECL int nng_listener_set_ptr(nng_listener, const char *, void *);
 NNG_DECL int nng_listener_set_ms(nng_listener, const char *, nng_duration);
 NNG_DECL int nng_listener_set_addr(
     nng_listener, const char *, const nng_sockaddr *);
+NNG_DECL int nng_listener_set_tls(nng_listener, nng_tls_config *);
 
 NNG_DECL int nng_listener_get_bool(nng_listener, const char *, bool *);
 NNG_DECL int nng_listener_get_int(nng_listener, const char *, int *);
@@ -385,6 +388,7 @@ NNG_DECL int nng_listener_get_string(nng_listener, const char *, char **);
 NNG_DECL int nng_listener_get_ptr(nng_listener, const char *, void **);
 NNG_DECL int nng_listener_get_ms(nng_listener, const char *, nng_duration *);
 NNG_DECL int nng_listener_get_addr(nng_listener, const char *, nng_sockaddr *);
+NNG_DECL int nng_listener_get_tls(nng_listener, nng_tls_config **);
 
 // nng_strerror returns a human-readable string associated with the error
 // code supplied.
@@ -735,15 +739,6 @@ NNG_DECL nng_listener nng_pipe_listener(nng_pipe);
 
 // TLS options are only used when the underlying transport supports TLS.
 
-// NNG_OPT_TLS_CONFIG is a pointer to a nng_tls_config object.  Generally
-// this can be used with endpoints, although once an endpoint is started, or
-// once a configuration is used, the value becomes read-only. Note that
-// when configuring the object, a hold is placed on the TLS configuration,
-// using a reference count.  When retrieving the object, no such hold is
-// placed, and so the caller must take care not to use the associated object
-// after the endpoint it is associated with is closed.
-#define NNG_OPT_TLS_CONFIG "tls-config"
-
 // NNG_OPT_TLS_VERIFIED returns a boolean indicating whether the peer has
 // been verified (true) or not (false). Typically, this is read-only, and
 // only available for pipes. This option may return incorrect results if
@@ -1188,6 +1183,13 @@ NNG_DECL int nng_stream_dialer_set_ptr(
 NNG_DECL int nng_stream_dialer_set_addr(
     nng_stream_dialer *, const char *, const nng_sockaddr *);
 
+// Note that when configuring the object, a hold is placed on the TLS
+// configuration, using a reference count.  When retrieving the object, no such
+// hold is placed, and so the caller must take care not to use the associated
+// object after the endpoint it is associated with is closed.
+NNG_DECL int nng_stream_dialer_get_tls(nng_stream_dialer *, nng_tls_config **);
+NNG_DECL int nng_stream_dialer_set_tls(nng_stream_dialer *, nng_tls_config *);
+
 NNG_DECL int nng_stream_listener_alloc(nng_stream_listener **, const char *);
 NNG_DECL int nng_stream_listener_alloc_url(
     nng_stream_listener **, const nng_url *);
@@ -1228,6 +1230,11 @@ NNG_DECL int nng_stream_listener_set_ptr(
 NNG_DECL int nng_stream_listener_set_addr(
     nng_stream_listener *, const char *, const nng_sockaddr *);
 
+NNG_DECL int nng_stream_listener_get_tls(
+    nng_stream_listener *, nng_tls_config **);
+NNG_DECL int nng_stream_listener_set_tls(
+    nng_stream_listener *, nng_tls_config *);
+
 // UDP operations.  These are provided for convenience,
 // and should be considered somewhat experimental.
 

diff --git a/src/core/dialer.c b/src/core/dialer.c
@@ -558,6 +558,24 @@ nni_dialer_getopt(
 	return (nni_sock_getopt(d->d_sock, name, valp, szp, t));
 }
 
+int
+nni_dialer_get_tls(nni_dialer *d, nng_tls_config **cfgp)
+{
+	if (d->d_ops.d_get_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (d->d_ops.d_get_tls(d->d_data, cfgp));
+}
+
+int
+nni_dialer_set_tls(nni_dialer *d, nng_tls_config *cfg)
+{
+	if (d->d_ops.d_set_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (d->d_ops.d_set_tls(d->d_data, cfg));
+}
+
 void
 nni_dialer_add_stat(nni_dialer *d, nni_stat_item *item)
 {

diff --git a/src/core/dialer.h b/src/core/dialer.h
@@ -1,5 +1,5 @@
 //
-// Copyright 2021 Staysail Systems, Inc. <[email protected]>
+// Copyright 2024 Staysail Systems, Inc. <[email protected]>
 // Copyright 2018 Capitar IT Group BV <[email protected]>
 // Copyright 2018 Devolutions <[email protected]>
 //
@@ -25,6 +25,8 @@ extern int nni_dialer_setopt(
     nni_dialer *, const char *, const void *, size_t, nni_type);
 extern int nni_dialer_getopt(
     nni_dialer *, const char *, void *, size_t *, nni_type);
+extern int  nni_dialer_get_tls(nni_dialer *, nng_tls_config **);
+extern int  nni_dialer_set_tls(nni_dialer *, nng_tls_config *);
 extern void nni_dialer_add_stat(nni_dialer *, nni_stat_item *);
 extern void nni_dialer_bump_error(nni_dialer *, int);
 

diff --git a/src/core/listener.c b/src/core/listener.c
@@ -9,6 +9,7 @@
 // found online at https://opensource.org/licenses/MIT.
 //
 
+#include "core/defs.h"
 #include "core/nng_impl.h"
 #include "core/strs.h"
 #include "nng/nng.h"
@@ -507,6 +508,24 @@ nni_listener_getopt(
 	return (nni_sock_getopt(l->l_sock, name, val, szp, t));
 }
 
+int
+nni_listener_get_tls(nni_listener *l, nng_tls_config **cfgp)
+{
+	if (l->l_ops.l_get_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (l->l_ops.l_get_tls(l->l_data, cfgp));
+}
+
+int
+nni_listener_set_tls(nni_listener *l, nng_tls_config *cfg)
+{
+	if (l->l_ops.l_set_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (l->l_ops.l_set_tls(l->l_data, cfg));
+}
+
 void
 nni_listener_add_stat(nni_listener *l, nni_stat_item *item)
 {

diff --git a/src/core/listener.h b/src/core/listener.h
@@ -25,6 +25,8 @@ extern int nni_listener_setopt(
     nni_listener *, const char *, const void *, size_t, nni_type);
 extern int nni_listener_getopt(
     nni_listener *, const char *, void *, size_t *, nni_type);
+extern int  nni_listener_get_tls(nni_listener *, nng_tls_config **);
+extern int  nni_listener_set_tls(nni_listener *, nng_tls_config *);
 extern void nni_listener_add_stat(nni_listener *, nni_stat_item *);
 extern void nni_listener_bump_error(nni_listener *, int);
 

diff --git a/src/core/stream.c b/src/core/stream.c
@@ -214,6 +214,24 @@ nni_stream_dialer_set(nng_stream_dialer *d, const char *nm, const void *data,
 	return (d->sd_set(d, nm, data, sz, t));
 }
 
+int
+nni_stream_dialer_get_tls(nng_stream_dialer *d, nng_tls_config **cfgp)
+{
+	if (d->sd_get_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (d->sd_get_tls(d, cfgp));
+}
+
+int
+nni_stream_dialer_set_tls(nng_stream_dialer *d, nng_tls_config *cfg)
+{
+	if (d->sd_set_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (d->sd_set_tls(d, cfg));
+}
+
 void
 nng_stream_listener_close(nng_stream_listener *l)
 {
@@ -252,6 +270,24 @@ nni_stream_listener_set(nng_stream_listener *l, const char *nm,
 	return (l->sl_set(l, nm, data, sz, t));
 }
 
+int
+nni_stream_listener_get_tls(nng_stream_listener *l, nng_tls_config **cfgp)
+{
+	if (l->sl_get_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (l->sl_get_tls(l, cfgp));
+}
+
+int
+nni_stream_listener_set_tls(nng_stream_listener *l, nng_tls_config *cfg)
+{
+	if (l->sl_set_tls == NULL) {
+		return (NNG_ENOTSUP);
+	}
+	return (l->sl_set_tls(l, cfg));
+}
+
 int
 nng_stream_listener_alloc_url(nng_stream_listener **lp, const nng_url *url)
 {
@@ -386,6 +422,12 @@ nng_stream_dialer_get_addr(
 	return (nni_stream_dialer_get(d, n, v, NULL, NNI_TYPE_SOCKADDR));
 }
 
+int
+nng_stream_dialer_get_tls(nng_stream_dialer *d, nng_tls_config **cfgp)
+{
+	return (nni_stream_dialer_get_tls(d, cfgp));
+}
+
 int
 nng_stream_listener_get_int(nng_stream_listener *l, const char *n, int *v)
 {
@@ -437,6 +479,12 @@ nng_stream_listener_get_addr(
 	return (nni_stream_listener_get(l, n, v, NULL, NNI_TYPE_SOCKADDR));
 }
 
+int
+nng_stream_listener_get_tls(nng_stream_listener *l, nng_tls_config **cfgp)
+{
+	return (nni_stream_listener_get_tls(l, cfgp));
+}
+
 int
 nng_stream_dialer_set_int(nng_stream_dialer *d, const char *n, int v)
 {
@@ -488,6 +536,12 @@ nng_stream_dialer_set_addr(
 	return (nni_stream_dialer_set(d, n, v, sizeof(*v), NNI_TYPE_SOCKADDR));
 }
 
+int
+nng_stream_dialer_set_tls(nng_stream_dialer *d, nng_tls_config *cfg)
+{
+	return (nni_stream_dialer_set_tls(d, cfg));
+}
+
 int
 nng_stream_listener_set_int(nng_stream_listener *l, const char *n, int v)
 {
@@ -543,3 +597,9 @@ nng_stream_listener_set_addr(
 	return (
 	    nni_stream_listener_set(l, n, v, sizeof(*v), NNI_TYPE_SOCKADDR));
 }
+
+int
+nng_stream_listener_set_tls(nng_stream_listener *l, nng_tls_config *cfg)
+{
+	return (nni_stream_listener_set_tls(l, cfg));
+}