nng icon indicating copy to clipboard operation
nng copied to clipboard

Published 20 hours ago verified publisher icon nanomsg

Support schannel on windows

Open nothrow opened this issue 7 years ago • 6 comments

On windows, standard TLS API is called 'schannel' (or secure channel). It can be used as always-available replacement for mbedTLS.

Also, windows has own (FIPS certified) implementation of another security primitives, namely SHA1 and RNG.

nothrow avatar Sep 16 '18 14:09 nothrow

I have proof of concept implementation for TLS clients -> https://github.com/nothrow/nng/tree/stunnel_support. It needs some polishing (and server support), I can work on it, if using native API wherever available is the way nng wants to go.

nothrow avatar Sep 16 '18 14:09 nothrow

This looks pretty awesome. Yes, I would love to see this polished and integrated.

It appears that your nni_tls_start_handshake() code needs to be changed to support the server side. Is Windows schannel client only, or is this just stuff you haven't gotten to yet?

You clearly did borrow / adapt my original code, so you should preserve the original copyright, and just add yours to it. Having said that, maybe once you eliminate the commented out code, there won't be any of my old code left.... (I think there might still be a few pieces here and there though.)

Part of the cleanup will mean running this through clang-format, and there are a few other things that need minor touch up as well (e.g. return values are always parenthesized in NNG style).

Generally speaking yes, I'd like to use native APIs whenever we reasonably can. This eliminates the need to bring in a third party crypto library, and can gain other benefits (as you noted -- FIPS validation, etc.)

Btw, I'm pretty sure that I'm using the native and preferred Windows API as the backing entropy source for nni_random(). But feel free to call it directly -- it may help someone else evaluating this code for conformance in the future.

gdamore avatar Sep 17 '18 18:09 gdamore

Btw, we might need to have this something that is selectable for Windows. It would appear schannel support for TLS 1.2 is missing in Windows Vista, and is not enabled by default on Windows 7. (See for example https://support.cybersource.com/s/article/How-do-I-enable-TLS-1-2-on-Windows-7)

What I'm thinking is that we use and assume the use of schannel on Windows 8 and newer (or maybe even all the time?) but still offer to honor and use mbedTLS as a CMake option.

gdamore avatar Sep 17 '18 18:09 gdamore

Please, accept my apology for missing copyright. I initially started from scratch, then added chunks of your code, and forgot to copy the copyright. It is already fixed.

Schannel is both client/server, I just never had chance to write server side before, so I need to study how does it work with certificates. This was meant as proof of concept, that schannel can be integrated, so I have some reasonable proposal to come up with.

I know that support of various algorithms is problematic on various Windows versions.

Do you have some minimal version constraints? Or are you aiming for maximum compatibility here? I can suggest being able to compile both with schannel and mbedTLS (now, -DNNG_SUPP_TLS_MBEDTLS=ON should override the schannel), and determine at runtime which one to select.

Point taken on clang-format. I will definitely format the code according to project standards before creating PR.

nothrow avatar Sep 17 '18 21:09 nothrow

Ad nni_random -> I see, I missed that one.

nothrow avatar Sep 17 '18 21:09 nothrow

No sweat on the copyright, thanks for fixing it.

I think the CMAKE flag you propose is good -- we will want to disable it by default on Windows 8 and newer. We are still trying to support back to Vista, but I'm not support XP or older stuff than that. (Its already pretty ancient.) This makes some people sad, because they want XP, but I'm just uninterested in support ancient stuff from 15+ years ago.

gdamore avatar Sep 17 '18 21:09 gdamore