tls: Remove the individual TLS configuration options

This is a breaking change. TLS configuration changes are to be made using TLS configuration objects, and then set on a listener or dialer with NNG_OPT_TLS_CONFIG. This should be a bit less racy, and allows for simpler code.
nanomsg · Oct 28, 2024 · cbd8c55 · cbd8c55
1 parent ef1cf27
commit cbd8c55
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 282 deletions.
diff --git a/docs/man/nng_tls.7.adoc b/docs/man/nng_tls.7.adoc
@@ -107,9 +107,6 @@ Note that setting these must be done before the transport is started.
 * xref:nng_options.5.adoc#NNG_OPT_REMADDR[`NNG_OPT_REMADDR`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_KEEPALIVE[`NNG_OPT_TCP_KEEPALIVE`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_NODELAY[`NNG_OPT_TCP_NODELAY`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_AUTH_MODE[`NNG_OPT_TLS_AUTH_MODE`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CA_FILE[`NNG_OPT_TLS_CA_FILE`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CERT_KEY_FILE[`NNG_OPT_TLS_CERT_KEY_FILE`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CONFIG[`NNG_OPT_TLS_CONFIG`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_VERIFIED[`NNG_OPT_TLS_VERIFIED_`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_PEER_CN[`NNG_OPT_TLS_PEER_CN`]

diff --git a/docs/man/nng_tls_options.5.adoc b/docs/man/nng_tls_options.5.adoc
@@ -20,11 +20,7 @@ nng_tls_options - TLS-specific options
 ----
 #include <nng/nng.h>
 
-#define NNG_OPT_TLS_AUTH_MODE      "tls-authmode"
-#define NNG_OPT_TLS_CA_FILE        "tls-ca-file"
-#define NNG_OPT_TLS_CERT_KEY_FILE  "tls-cert-key-file"
 #define NNG_OPT_TLS_CONFIG         "tls-config"
-#define NNG_OPT_TLS_SERVER_NAME    "tls-server-name"
 #define NNG_OPT_TLS_VERIFIED       "tls-verified"
 #define NNG_OPT_TLS_PEER_CN        "tls-peer-cn"
 #define NNG_OPT_TLS_PEER_ALT_NAMES "tls-peer-alt-names"
@@ -47,25 +43,6 @@ description of the option.
 
 === TLS Options
 
-[[NNG_OPT_TLS_AUTH_MODE]]((`NNG_OPT_TLS_AUTH_MODE`))::
-(`int`)
-Write-only option used to configure the authentication mode used.
-See xref:nng_tls_config_auth_mode.3tls.adoc[`nng_tls_config_auth_mode()`] for
-more details.
-
-[[NNG_OPT_TLS_CA_FILE]]((`NNG_OPT_TLS_CA_FILE`))::
-(string) Write-only option naming a file containing certificates to
-use for peer validation.
-See xref:nng_tls_config_ca_file.3tls.adoc[`nng_tls_config_ca_file()`] for more
-information.
-
-[[NNG_OPT_TLS_CERT_KEY_FILE]]((`NNG_OPT_TLS_CERT_KEY_FILE`))::
-(string) Write-only option naming a file containing the local certificate and
-associated private key.
-The private key used must be unencrypted.
-See xref:nng_tls_config_own_cert.3tls.adoc[`nng_tls_config_own_cert()`] for more
-information.
-
 [[NNG_OPT_TLS_CONFIG]]((`NNG_OPT_TLS_CONFIG`))::
 (`nng_tls_config *`)
 This option references the underlying
@@ -79,14 +56,6 @@ longer needs the TLS configuration object.
 +
 TIP: Use this option when more advanced TLS configuration is required.
 
-[[NNG_OPT_TLS_SERVER_NAME]]((`NNG_OPT_TLS_SERVER_NAME`))::
-(string)
-This write-only option is used to specify the name of the server.
-When used with a dialer, this potentially configures SNI (server name
-indication, which is used as a hint by a multihosting server to choose the
-appropriate certificate to provide) and also is used to validate the
-name presented in the server's x509 certificate.
-
 [[NNG_OPT_TLS_VERIFIED]]((`NNG_OPT_TLS_VERIFIED`))::
 (`bool`)
 This read-only option indicates whether the remote peer has been properly verified using TLS

diff --git a/docs/man/nng_ws.7.adoc b/docs/man/nng_ws.7.adoc
@@ -157,24 +157,6 @@ longer needs the TLS configuration.
 
 TIP: Use this option when advanced TLS configuration is required.
 
-((`NNG_OPT_TLS_CA_FILE`))::
-(string) Write-only option naming a file containing certificates to
-use for peer validation.
-See xref:nng_tls_config_ca_file.3tls.adoc[`nng_tls_config_ca_file()`] for more
-information.
-
-((`NNG_OPT_TLS_CERT_KEY_FILE`))::
-(string) Write-only option naming a file containing the local certificate and
-associated private key.
-The private key used must be unencrypted.
-See xref:nng_tls_config_own_cert.3tls.adoc[`nng_tls_config_own_cert()`] for more
-information.
-
-((`NNG_OPT_TLS_AUTH_MODE`))::
-(`int`) Write-only option used to configure the authentication mode used.
-See xref:nng_tls_config_auth_mode.3tls.adoc[`nng_tls_config_auth_mode()`] for
-more details.
-
 `NNG_OPT_TLS_VERIFIED`::
 (`bool`) Whether the remote peer has been properly verified using TLS
 authentication.

diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
@@ -33,6 +33,13 @@ The `NNG_OPT_WSS_REQUEST_HEADERS` and `NNG_OPT_WSS_RESPONSE_HEADERS` aliases for
 Just convert any use of them to `NNG_OPT_WS_REQUEST_HEADERS` or
 `NNG_OPT_WS_RESPONSE_HEADERS` as appropriate.
 
+## TLS Options
+
+The support for configuring TLS via `NNG_TLS_AUTH_MODE`, `NNG_OPT_TLS_CA_FILE`, `NNG_OPT_TLS_SERVER_NAME`,
+and similar has been removed. Instead configuration must be performed by allocating
+a `nng_tls_config` object, and then setting fields on it using the appropriate functions,
+after which it may be configured on a listener or dialer using the `NNG_OPT_TLS_CONFIG` option.
+
 ## Option Functions
 
 The previously deprecated `nng_pipe_getopt_xxx` family of functions is removed.

diff --git a/include/nng/nng.h b/include/nng/nng.h
@@ -741,37 +741,6 @@ NNG_DECL nng_listener nng_pipe_listener(nng_pipe);
 // after the endpoint it is associated with is closed.
 #define NNG_OPT_TLS_CONFIG "tls-config"
 
-// NNG_OPT_TLS_AUTH_MODE is a write-only integer (int) option that specifies
-// whether peer authentication is needed.  The option can take one of the
-// values of NNG_TLS_AUTH_MODE_NONE, NNG_TLS_AUTH_MODE_OPTIONAL, or
-// NNG_TLS_AUTH_MODE_REQUIRED.  The default is typically NNG_TLS_AUTH_MODE_NONE
-// for listeners, and NNG_TLS_AUTH_MODE_REQUIRED for dialers. If set to
-// REQUIRED, then connections will be rejected if the peer cannot be verified.
-// If set to OPTIONAL, then a verification step takes place, but the connection
-// is still permitted.  (The result can be checked with NNG_OPT_TLS_VERIFIED).
-#define NNG_OPT_TLS_AUTH_MODE "tls-authmode"
-
-// NNG_OPT_TLS_CERT_KEY_FILE names a single file that contains a certificate
-// and key identifying the endpoint.  This is a write-only value.  This can be
-// set multiple times for different keys/certs corresponding to
-// different algorithms on listeners, whereas dialers only support one.  The
-// file must contain both cert and key as PEM blocks, and the key must
-// not be encrypted.  (If more flexibility is needed, use the TLS configuration
-// directly, via NNG_OPT_TLS_CONFIG.)
-#define NNG_OPT_TLS_CERT_KEY_FILE "tls-cert-key-file"
-
-// NNG_OPT_TLS_CA_FILE names a single file that contains certificate(s) for a
-// CA, and optionally CRLs, which are used to validate the peer's certificate.
-// This is a write-only value, but multiple CAs can be loaded by setting this
-// multiple times.
-#define NNG_OPT_TLS_CA_FILE "tls-ca-file"
-
-// NNG_OPT_TLS_SERVER_NAME is a write-only string that can typically be
-// set on dialers to check the CN of the server for a match.  This
-// can also affect SNI (server name indication).  It usually has no effect
-// on listeners.
-#define NNG_OPT_TLS_SERVER_NAME "tls-server-name"
-
 // NNG_OPT_TLS_VERIFIED returns a boolean indicating whether the peer has
 // been verified (true) or not (false). Typically, this is read-only, and
 // only available for pipes. This option may return incorrect results if

diff --git a/src/sp/transport/tls/tls.c b/src/sp/transport/tls/tls.c
@@ -61,7 +61,6 @@ struct tlstran_ep {
 	bool                 closed;
 	bool                 fini;
 	int                  refcnt;
-	int                  authmode;
 	nni_url             *url;
 	nni_list             pipes;
 	nni_reap_node        reap;
@@ -911,7 +910,6 @@ tlstran_ep_init_dialer(void **dp, nni_url *url, nni_dialer *ndialer)
 	    ((rv = nni_aio_alloc(&ep->connaio, tlstran_dial_cb, ep)) != 0)) {
 		return (rv);
 	}
-	ep->authmode = NNG_TLS_AUTH_MODE_REQUIRED;
 
 	if ((rv != 0) ||
 	    ((rv = nng_stream_dialer_alloc_url(&ep->dialer, &myurl)) != 0)) {
@@ -967,8 +965,6 @@ tlstran_ep_init_listener(void **lp, nni_url *url, nni_listener *nlistener)
 		return (rv);
 	}
 
-	ep->authmode = NNG_TLS_AUTH_MODE_NONE;
-
 	if (strlen(host) == 0) {
 		host = NULL;
 	}
@@ -989,10 +985,7 @@ tlstran_ep_init_listener(void **lp, nni_url *url, nni_listener *nlistener)
 	nni_aio_free(aio);
 
 	if ((rv != 0) ||
-	    ((rv = nng_stream_listener_alloc_url(&ep->listener, url)) != 0) ||
-	    ((rv = nni_stream_listener_set(ep->listener, NNG_OPT_TLS_AUTH_MODE,
-	          &ep->authmode, sizeof(ep->authmode), NNI_TYPE_INT32)) !=
-	        0)) {
+	    ((rv = nng_stream_listener_alloc_url(&ep->listener, url)) != 0)) {
 		tlstran_ep_fini(ep);
 		return (rv);
 	}

diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
@@ -190,23 +190,6 @@ tls_dialer_dial(void *arg, nng_aio *aio)
 	nng_stream_dialer_dial(d->d, &conn->conn_aio);
 }
 
-static int
-tls_check_string(const void *v, size_t sz, nni_opt_type t)
-{
-	switch (t) {
-	case NNI_TYPE_OPAQUE:
-		if (nni_strnlen(v, sz) >= sz) {
-			return (NNG_EINVAL);
-		}
-		return (0);
-	case NNI_TYPE_STRING:
-		// Caller is assumed to pass a good string.
-		return (0);
-	default:
-		return (NNG_EBADTYPE);
-	}
-}
-
 static int
 tls_dialer_set_config(void *arg, const void *buf, size_t sz, nni_type t)
 {
@@ -249,87 +232,12 @@ tls_dialer_get_config(void *arg, void *buf, size_t *szp, nni_type t)
 	return (rv);
 }
 
-static int
-tls_dialer_set_server_name(void *arg, const void *buf, size_t sz, nni_type t)
-{
-	tls_dialer *d = arg;
-	int         rv;
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&d->lk);
-		rv = nng_tls_config_server_name(d->cfg, buf);
-		nni_mtx_unlock(&d->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_dialer_set_auth_mode(void *arg, const void *buf, size_t sz, nni_type t)
-{
-	int         mode;
-	int         rv;
-	tls_dialer *d = arg;
-
-	rv = nni_copyin_int(&mode, buf, sz, NNG_TLS_AUTH_MODE_NONE,
-	    NNG_TLS_AUTH_MODE_REQUIRED, t);
-	if (rv == 0) {
-		nni_mtx_lock(&d->lk);
-		rv = nng_tls_config_auth_mode(d->cfg, mode);
-		nni_mtx_unlock(&d->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_dialer_set_ca_file(void *arg, const void *buf, size_t sz, nni_opt_type t)
-{
-	tls_dialer *d = arg;
-	int         rv;
-
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&d->lk);
-		rv = nng_tls_config_ca_file(d->cfg, buf);
-		nni_mtx_unlock(&d->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_dialer_set_cert_key_file(
-    void *arg, const void *buf, size_t sz, nni_opt_type t)
-{
-	tls_dialer *d = arg;
-	int         rv;
-
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&d->lk);
-		rv = nng_tls_config_cert_key_file(d->cfg, buf, NULL);
-		nni_mtx_unlock(&d->lk);
-	}
-	return (rv);
-}
-
 static const nni_option tls_dialer_opts[] = {
 	{
 	    .o_name = NNG_OPT_TLS_CONFIG,
 	    .o_get  = tls_dialer_get_config,
 	    .o_set  = tls_dialer_set_config,
 	},
-	{
-	    .o_name = NNG_OPT_TLS_SERVER_NAME,
-	    .o_set  = tls_dialer_set_server_name,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_CA_FILE,
-	    .o_set  = tls_dialer_set_ca_file,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_CERT_KEY_FILE,
-	    .o_set  = tls_dialer_set_cert_key_file,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_AUTH_MODE,
-	    .o_set  = tls_dialer_set_auth_mode,
-	},
 	{
 	    .o_name = NULL,
 	},
@@ -508,87 +416,12 @@ tls_listener_get_config(void *arg, void *buf, size_t *szp, nni_type t)
 	return (rv);
 }
 
-static int
-tls_listener_set_server_name(void *arg, const void *buf, size_t sz, nni_type t)
-{
-	tls_listener *l = arg;
-	int           rv;
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&l->lk);
-		rv = nng_tls_config_server_name(l->cfg, buf);
-		nni_mtx_unlock(&l->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_listener_set_auth_mode(void *arg, const void *buf, size_t sz, nni_type t)
-{
-	int           mode;
-	int           rv;
-	tls_listener *l = arg;
-
-	rv = nni_copyin_int(&mode, buf, sz, NNG_TLS_AUTH_MODE_NONE,
-	    NNG_TLS_AUTH_MODE_REQUIRED, t);
-	if (rv == 0) {
-		nni_mtx_lock(&l->lk);
-		rv = nng_tls_config_auth_mode(l->cfg, mode);
-		nni_mtx_unlock(&l->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_listener_set_ca_file(void *arg, const void *buf, size_t sz, nni_opt_type t)
-{
-	tls_listener *l = arg;
-	int           rv;
-
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&l->lk);
-		rv = nng_tls_config_ca_file(l->cfg, buf);
-		nni_mtx_unlock(&l->lk);
-	}
-	return (rv);
-}
-
-static int
-tls_listener_set_cert_key_file(
-    void *arg, const void *buf, size_t sz, nni_opt_type t)
-{
-	tls_listener *l = arg;
-	int           rv;
-
-	if ((rv = tls_check_string(buf, sz, t)) == 0) {
-		nni_mtx_lock(&l->lk);
-		rv = nng_tls_config_cert_key_file(l->cfg, buf, NULL);
-		nni_mtx_unlock(&l->lk);
-	}
-	return (rv);
-}
-
 static const nni_option tls_listener_opts[] = {
 	{
 	    .o_name = NNG_OPT_TLS_CONFIG,
 	    .o_get  = tls_listener_get_config,
 	    .o_set  = tls_listener_set_config,
 	},
-	{
-	    .o_name = NNG_OPT_TLS_SERVER_NAME,
-	    .o_set  = tls_listener_set_server_name,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_CA_FILE,
-	    .o_set  = tls_listener_set_ca_file,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_CERT_KEY_FILE,
-	    .o_set  = tls_listener_set_cert_key_file,
-	},
-	{
-	    .o_name = NNG_OPT_TLS_AUTH_MODE,
-	    .o_set  = tls_listener_set_auth_mode,
-	},
 	{
 	    .o_name = NULL,
 	},