fixes ncurl() 26 crypto error for secure sites using SNI

Author: shikokuchuo

NEWS.md

@@ -12,6 +12,7 @@
 * 'libmbedtls' is now built from source upon install so the package always has TLS support and uses the latest v3.2.1 release. Windows binaries also updated to include TLS support.
 * `nng_version()` now returns the 'Mbed TLS' library version number.
 * `device()` gains a confirmation prompt when running interactively for more safety.
+* Fixes issue with `ncurl()` that caused a 26 cryptography error with certain secure sites using SNI.
 
 # nanonext 0.5.3
 

README.md

@@ -384,7 +384,7 @@ aio
 #> < recvAio >
 #>  - $data for message data
 aio$data |> str()
-#>  num [1:100000000] 1.531 0.167 -0.689 -0.619 1.451 ...
+#>  num [1:100000000] -1.531 1.139 -0.256 -0.362 0.17 ...
 ```
 
 As `call_aio()` is blocking and will wait for completion, an alternative
@@ -537,11 +537,11 @@ ncurl("https://httpbin.org/headers")
 #>   [1] 7b 0a 20 20 22 68 65 61 64 65 72 73 22 3a 20 7b 0a 20 20 20 20 22 48 6f 73
 #>  [26] 74 22 3a 20 22 68 74 74 70 62 69 6e 2e 6f 72 67 22 2c 20 0a 20 20 20 20 22
 #>  [51] 58 2d 41 6d 7a 6e 2d 54 72 61 63 65 2d 49 64 22 3a 20 22 52 6f 6f 74 3d 31
-#>  [76] 2d 36 33 30 65 38 33 36 38 2d 36 33 64 35 66 65 30 31 32 33 65 32 33 36 34
-#> [101] 32 34 37 30 35 62 35 63 30 22 0a 20 20 7d 0a 7d 0a
+#>  [76] 2d 36 33 30 66 36 62 39 63 2d 30 39 35 66 35 66 35 31 37 66 38 32 37 61 35
+#> [101] 35 36 36 32 31 38 35 31 37 22 0a 20 20 7d 0a 7d 0a
 #> 
 #> $data
-#> [1] "{\n  \"headers\": {\n    \"Host\": \"httpbin.org\", \n    \"X-Amzn-Trace-Id\": \"Root=1-630e8368-63d5fe0123e236424705b5c0\"\n  }\n}\n"
+#> [1] "{\n  \"headers\": {\n    \"Host\": \"httpbin.org\", \n    \"X-Amzn-Trace-Id\": \"Root=1-630f6b9c-095f5f517f827a5566218517\"\n  }\n}\n"
 ```
 
 For advanced use, supports additional HTTP methods such as POST or PUT.
@@ -556,7 +556,7 @@ res
 #>  - $raw for raw message
 
 call_aio(res)$data
-#> [1] "{\n  \"args\": {}, \n  \"data\": \"{\\\"key\\\": \\\"value\\\"}\", \n  \"files\": {}, \n  \"form\": {}, \n  \"headers\": {\n    \"Authorization\": \"Bearer APIKEY\", \n    \"Content-Length\": \"16\", \n    \"Content-Type\": \"application/json\", \n    \"Host\": \"httpbin.org\", \n    \"X-Amzn-Trace-Id\": \"Root=1-630e8369-6dadfb4917077d153d623f45\"\n  }, \n  \"json\": {\n    \"key\": \"value\"\n  }, \n  \"origin\": \"185.225.45.49\", \n  \"url\": \"http://httpbin.org/post\"\n}\n"
+#> [1] "{\n  \"args\": {}, \n  \"data\": \"{\\\"key\\\": \\\"value\\\"}\", \n  \"files\": {}, \n  \"form\": {}, \n  \"headers\": {\n    \"Authorization\": \"Bearer APIKEY\", \n    \"Content-Length\": \"16\", \n    \"Content-Type\": \"application/json\", \n    \"Host\": \"httpbin.org\", \n    \"X-Amzn-Trace-Id\": \"Root=1-630f6b9c-0b5c391a11ad759e225b0401\"\n  }, \n  \"json\": {\n    \"key\": \"value\"\n  }, \n  \"origin\": \"79.173.129.2\", \n  \"url\": \"http://httpbin.org/post\"\n}\n"
 ```
 
 In this respect, it may be used as a performant and lightweight method
@@ -599,10 +599,10 @@ s |> send('{"action": "subscribe", "symbols": "EURUSD"}')
 #> [26] 73 79 6d 62 6f 6c 73 22 3a 20 22 45 55 52 55 53 44 22 7d 00
 
 s |> recv(keep.raw = FALSE)
-#> [1] "{\"s\":\"EURUSD\",\"a\":1.0017,\"b\":1.0014,\"dc\":\"0.0639\",\"dd\":\"0.0006\",\"ppms\":false,\"t\":1661895535000}"
+#> [1] "{\"s\":\"EURUSD\",\"a\":1.00133,\"b\":1.00131,\"dc\":\"-0.1009\",\"dd\":\"-0.0010\",\"ppms\":false,\"t\":1661954973000}"
 
 s |> recv(keep.raw = FALSE)
-#> [1] "{\"s\":\"EURUSD\",\"a\":1.0018,\"b\":1.0015,\"dc\":\"0.0739\",\"dd\":\"0.0007\",\"ppms\":false,\"t\":1661895540000}"
+#> [1] "{\"s\":\"EURUSD\",\"a\":1.00131,\"b\":1.00129,\"dc\":\"-0.1029\",\"dd\":\"-0.0010\",\"ppms\":false,\"t\":1661954974000}"
 
 close(s)
 ```

src/aio.c

@@ -675,7 +675,8 @@ SEXP rnng_ncurl_aio(SEXP http, SEXP method, SEXP headers, SEXP data, SEXP ca_fil
       return mk_error(xc);
     }
     if (ca_file == R_NilValue) {
-      if ((xc = nng_tls_config_auth_mode(handle->cfg, NNG_TLS_AUTH_MODE_NONE)) ||
+      if ((xc = nng_tls_config_server_name(handle->cfg, handle->url->u_hostname)) ||
+          (xc = nng_tls_config_auth_mode(handle->cfg, NNG_TLS_AUTH_MODE_NONE)) ||
           (xc = nng_http_client_set_tls(handle->cli, handle->cfg))) {
         nng_tls_config_free(handle->cfg);
         nng_aio_free(haio->aio);
@@ -688,8 +689,9 @@ SEXP rnng_ncurl_aio(SEXP http, SEXP method, SEXP headers, SEXP data, SEXP ca_fil
         return mk_error(xc);
       }
     } else {
-      if ((xc = nng_tls_config_auth_mode(handle->cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
+      if ((xc = nng_tls_config_server_name(handle->cfg, handle->url->u_hostname)) ||
           (xc = nng_tls_config_ca_file(handle->cfg, CHAR(STRING_ELT(ca_file, 0)))) ||
+          (xc = nng_tls_config_auth_mode(handle->cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
           (xc = nng_http_client_set_tls(handle->cli, handle->cfg))) {
         nng_tls_config_free(handle->cfg);
         nng_aio_free(haio->aio);

src/utils.c

@@ -222,7 +222,8 @@ SEXP rnng_ncurl(SEXP http, SEXP method, SEXP headers, SEXP data, SEXP ca_file) {
     }
 
     if (ca_file == R_NilValue) {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
+      if ((xc = nng_tls_config_server_name(cfg, url->u_hostname)) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
           (xc = nng_http_client_set_tls(client, cfg))) {
         nng_tls_config_free(cfg);
         nng_aio_free(aio);
@@ -233,8 +234,9 @@ SEXP rnng_ncurl(SEXP http, SEXP method, SEXP headers, SEXP data, SEXP ca_file) {
         return mk_error(xc);
       }
     } else {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
+      if ((xc = nng_tls_config_server_name(cfg, url->u_hostname)) ||
           (xc = nng_tls_config_ca_file(cfg, CHAR(STRING_ELT(ca_file, 0)))) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
           (xc = nng_http_client_set_tls(client, cfg))) {
         nng_tls_config_free(cfg);
         nng_aio_free(aio);
@@ -340,16 +342,18 @@ SEXP rnng_stream_dial(SEXP url, SEXP textframes, SEXP ca_file) {
     }
 
     if (ca_file == R_NilValue) {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
+      if ((xc = nng_tls_config_server_name(cfg, up->u_hostname)) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
           (xc = nng_stream_dialer_set_ptr(dp, NNG_OPT_TLS_CONFIG, cfg))) {
         nng_tls_config_free(cfg);
         nng_stream_dialer_free(dp);
         nng_url_free(up);
         return mk_error(xc);
       }
     } else {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
+      if ((xc = nng_tls_config_server_name(cfg, up->u_hostname)) ||
           (xc = nng_tls_config_ca_file(cfg, CHAR(STRING_ELT(ca_file, 0)))) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
           (xc = nng_stream_dialer_set_ptr(dp, NNG_OPT_TLS_CONFIG, cfg))) {
         nng_tls_config_free(cfg);
         nng_stream_dialer_free(dp);
@@ -446,16 +450,18 @@ SEXP rnng_stream_listen(SEXP url, SEXP textframes, SEXP ca_file) {
       return mk_error(xc);
     }
     if (ca_file == R_NilValue) {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
+      if ((xc = nng_tls_config_server_name(cfg, up->u_hostname)) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_NONE)) ||
           (xc = nng_stream_listener_set_ptr(lp, "tls-config", cfg))) {
         nng_tls_config_free(cfg);
         nng_stream_listener_free(lp);
         nng_url_free(up);
         return mk_error(xc);
       }
     } else {
-      if ((xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
+      if ((xc = nng_tls_config_server_name(cfg, up->u_hostname)) ||
           (xc = nng_tls_config_ca_file(cfg, CHAR(STRING_ELT(ca_file, 0)))) ||
+          (xc = nng_tls_config_auth_mode(cfg, NNG_TLS_AUTH_MODE_REQUIRED)) ||
           (xc = nng_stream_listener_set_ptr(lp, "tls-config", cfg))) {
         nng_tls_config_free(cfg);
         nng_stream_listener_free(lp);